Zoom isn’t that scary.

Look beyond the hype and understand the settings

Erik Wheeler
Mediation Resource
Apr 10, 2020

Photo by Allie Smith on Unsplash

There have been lots of alarming headlines in the news in the last few weeks about Zoom. They warn us that Zoom “has a dark side” and an “FBI warning”, there are “privacy concerns”, and people are “hijacking streams” and “Zoom-bombing” meetings.

Yikes! So people will spy on my meetings, steal my data, and maybe control my computer’s camera and microphone? It sounds like it—until you learn more.

If you glance at the headlines, or skim the articles, you may be understandably concerned about whether it’s safe to use Zoom. The truth is a bit more complex — and it takes more reading to fully understand each criticism.

I’ll review the major criticisms covered by the media so you can make an informed decision about using Zoom.

Security

“Hijacking streams” sounds pretty scary. “Zoombombing” is another term for this. Both of them refer to uninvited guests wreaking havoc in your meeting with disruptive, juvenile behavior: harassing attendees, displaying porn images to the group, drawing penises on the whiteboard — you get the idea. Zoombombing can obviously be shocking, embarrassing, and frustrating. But calling it a “security” problem is not accurate.

There’s only one reason those delinquents were able to Zoombomb your meeting: you left the door wide open. You didn’t set up any controls to restrict access.

Now, you could perhaps criticize Zoom for designing their application in a way that makes it too easy to configure meetings that “leave the door open”. But preventing Zoombombing is totally under your control.

The NPR headline warning that “Zoom Has A Dark Side — And An FBI Warning” sounds pretty ominous. So what does the FBI warning say? It says that they have received reports of uninvited Zoom meeting guests harassing attendees, and they suggest that you configure meetings to prevent open access: use the waiting room feature, and require a password.

Zoom also changed its default settings so that users don’t unintentionally create open meetings. They notified users that starting April 4, 2020, they’ve “chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy”.

Mac vulnerability

Another story creating juicy headlines recently is that a researcher discovered a flaw in Zoom’s Macintosh application that allows a user to “hijack a Zoom user’s Mac computer and access the webcam and microphone”.

Wow, so anyone can just spy on you if you have a Mac running Zoom??

No, not exactly. Most articles fail to mention that to take advantage of this flaw, the attacker needs access to your physical computer, so the reader is left assuming that a remote attacker can hijack your camera and microphone. This is a local attack: they need to be sitting at your computer to do this.

The researcher discovered another flaw, which allowed a local attacker to run any code by messing around with the Zoom install process.

Now these are certainly significant flaws, and the application should not have been built the way it was. Kudos to the researcher who found this. At the same time, this is not likely to be a vulnerability that is of significant concern for most users who have password-protected their computers.

In addition, this was corrected in version 4.6.9, which was released on April 2, 2020.

End-to-End Encryption

Zoom has received criticism for claiming that they have “End-to-End Encryption”, but then later admitting that they don’t have it in the industry-accepted sense of the term.

True end-to-end encryption means that the video and audio data is encrypted on the entire route from your computer to the other participants’ computers, and only the participants’ computers have the secret key that is used to encrypt and decrypt the data.

In Zoom’s implementation, they maintain the keys on their servers. This means that theoretically, Zoom could decrypt your traffic and access your video and audio data. In response to the concerns, they have said that they will offer a feature that allows the user to host the keys in their own environment.

Perhaps most importantly, Zoom reassured the public in their blog that traffic is encrypted for the entire transit, with certain conditions (emphasis added):

To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.
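The two key-handling models described in this section, side by side, as an added example that is not part of the original article and is not Zoom's code. The cipher and Diffie-Hellman parameters are toy constructions chosen so the sketch runs with the Python standard library alone, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy authenticated stream cipher from SHA-256/HMAC: a teaching construction,
# not production crypto and not Zoom's scheme.
def _xor_stream(key, nonce, data):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, plaintext):
    nonce = secrets.token_bytes(12)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Return the plaintext, or None when this key does not fit the blob."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return _xor_stream(key, nonce, ct) if hmac.compare_digest(tag, expected) else None

# Toy Diffie-Hellman parameters (2**255 - 19 is prime); too small for real use.
P, G = 2**255 - 19, 2

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def server_held_key_meeting(frame):
    """Model 1: the service creates the meeting key and keeps a copy."""
    meeting_key = secrets.token_bytes(32)
    blob = seal(meeting_key, frame)              # sending client encrypts
    relay_keys = [meeting_key]                   # key material on the server
    return blob, relay_keys, open_(meeting_key, blob)

def end_to_end_meeting(frame):
    """Model 2: only the two participants can derive the key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    blob = seal(dh_shared(a_priv, b_pub), frame)
    # The relay forwarded only the public values; keys made from them do not fit.
    relay_keys = [hashlib.sha256(v.to_bytes(32, "big")).digest() for v in (a_pub, b_pub)]
    return blob, relay_keys, open_(dh_shared(b_priv, a_pub), blob)

def relay_can_read(blob, relay_keys):
    """True if any key the relay holds opens the encrypted frame."""
    return any(open_(k, blob) is not None for k in relay_keys)
```

In both models the receiving client recovers the frame; only in the first does the relay hold a key that opens it. In a real design the participants also verify each other's public values, which this sketch leaves out.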

Privacy

Another frequent headline is that Zoom “shares data with third parties like Facebook without adequately notifying users”. Scary! But wait, what data are they sharing?

It turns out that when you logged in through the Zoom app on iOS, the app was sending Facebook your time zone, city, what type of phone you have, which cell carrier you have, and what time you opened the app. Not very sensitive data, for most people.

Yes, when you look at this from a general data privacy perspective, to be 100% certain about privacy, the app shouldn’t send that data. However, I would argue that many other apps, and browsers, leak similar data.

In any case, this is another situation of headlines making things sound worse than they are. This was fixed on March 27, 2020.

The reality is that when you investigate the details, Zoom is not nearly as scary as the headlines may suggest.

If you take a couple of simple precautions, you will be fine. No technology solution is perfect, and all technologies are susceptible to some degree of vulnerability, but the situation is not as dire as you might gather from the press.

Securing your meetings

Here’s how you can keep your Zoom meetings secure:

Always use a waiting room.

Zoom has now made this the default selection in your advanced settings.

You will see this option when creating a meeting, under the “Advanced” section: verify that “Enable waiting room” is checked. The waiting room allows you to manually admit each attendee, so you can verify that they are authorized to attend.

Screenshot showing the Advanced Options section of a Zoom meeting.
Verify that “Enable Waiting Room” is checked under ‘Advanced Options’

Don’t worry if you inadvertently admit someone to the meeting who shouldn’t be there—you can always kick them out. Just click “Participants”, and next to the person’s name click “More”, then “Remove”.

Screenshot showing the Remove function in Zoom meeting.
Eject someone from your meeting.

Lock your meetings if they are small.

If your meeting is rather small, and you know that everyone is in attendance, you can then lock the meeting. This will prevent others from attending the meeting. Starting with version 4.6.10, click the “Security” button in the toolbar, and select “Lock Meeting”:

Lock the meeting when everyone is present.

Use a generated Meeting ID and password for larger meetings.

If your meeting will have more than a few participants, use a generated Meeting ID, use a password, and use the waiting room. This reduces the likelihood of unintended visitors. However, someone can still forward the link and password to someone else, so you still need to admit each person from the waiting room.

Screenshot showing generated meeting ID option.
For larger meetings, use a generated meeting ID, password and waiting room.

Personal Meeting ID

The Personal Meeting ID is a 10-digit ID that you choose and will always have reserved just for your meetings. This means you can always give out the same link to your meeting. I chose my phone number, so I always know what the meeting ID is.

This makes it easy to set up a meeting — all I have to do is send the same link to people. I don’t need to go to “Create meeting” each time. Even better, if someone has Zoom installed, I can just say, “Join the meeting at 2:00. The Meeting ID is the same as my phone number.”

This adds a lot of convenience and efficiency for you, and reduces the barriers for attendees.

You may wonder, “won’t people be able to Zoombomb me if I always use the same link?” No, this isn’t a problem if you do the following:

Ensure that “Waiting Room” is turned on in your advanced settings. (Zoom has set the default to “on”, but verify this just to be safe.)
Turn off “Join before host” in your advanced settings. (In my testing I found that this is probably not necessary if you are using waiting rooms, but it’s not a bad idea to turn it off.)
Lock the meeting once it’s in progress. Remember that this is not crucial — you have already configured the Waiting Room, so no one can get in without you admitting them. Locking the meeting just prevents the distraction of a notification that someone has entered the waiting room.

Summary

Getting beyond the hype in the media and understanding the details will help you decide whether Zoom is right for you. And if you decide to use Zoom, you now are aware of the few settings that will keep your meetings secure and private.

References

Zoom issues: People hijacking streams, possible security flaws (USA Today)

Response to Video-On Concern (July 8, 2019) (Zoom)

ZOOM MEETINGS AREN’T END-TO-END ENCRYPTED, DESPITE MISLEADING MARKETING (The Intercept)

A Must For Millions, Zoom Has A Dark Side — And An FBI Warning (NPR)

FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic (FBI.gov)

Zoom faces a privacy and security backlash as it surges in popularity (The Verge)

Privacy concerns are swarming around Zoom just as it’s becoming everyone’s new favorite videoconferencing app (Business Insider)

New Updates for MacOS (Zoom)
