Zoom security concerns are explained by Zoom officials and a Western cyber security professional
By Drew Jelinek
While Zoom has become the go-to option for Western students and professors working at home during the COVID-19 stay-at-home order, concerns of security have led some to question whether the video conferencing platform is secure.The most common problem discussed online are instances of Zoom-bombing, when individuals access meetings they’re not supposed to.
On March 30, the FBI released a warning that highlighted two instances of Zoom-bombings that occurred during Zoom meetings at schools in Massachusetts, which in one meeting lead to a teacher’s address being leaked to the class and in another meeting, Nazi imagery was shared. Along with the incident report, the FBI provided a short list of ways to avoid Zoom-bombing, including using a password and waiting room.
Instances of Zoom-bombing have led some companies, and even countries, to ban the use of the platform altogether. Some students at Western have also expressed similar concerns with using the platform. Among them is fourth-year student Peal Morris, who has two classes that meet completely on Zoom.
“I’m a little nervous because I have one class that doesn’t have a waiting room, but I haven’t noticed anything weird and none of my other classmates have either,” Morris said. “The class without a waiting room doesn’t have a password either, just the meeting URL.”
While hesitant, Morris still feels comfortable using the platform, but hopes that professors learn how to use the platform better.
Western’s director of cyber security programs Erik Fretheim, says it’s a matter of using the platform correctly. “You need to use it with a password and use it with a waiting room so that it’s not going to interfere with what you’re wanting it to do. Either one of those takes care of Zoom-bombing and makes it go away.”
While managing all cyber security programs at Western, Fretheim is also teaching two classes this quarter; secure software development and the senior design program for cyber security. In both classes Fretheim is utilizing Zoom to meet with his students for collaborations and lectures.
Fretheim has been using Zoom for about four years, and said that he’s never had any problems with it, adding “It’s got a few issues involved with it, but obviously they’re not stopping me from using it.”
On April 15, Zoom CEO Eric Yuan hosted a Zoom webinar in which he stated that Zoom will make password protection and waiting rooms enabled by default but mentioned that users need to also know how to use these features.
During the same webinar, Zoom’s chief technology officer Brendan Ittelson gave additional tips. “One of the things we really recommend is to be prepared for the meeting, make sure you have the right settings, and even you know, if you have a large meeting, practice,” Ittelson said.
Western’s ATUS also created a page about Zoom to help students and professors, along with a link to its 11-page handbook that details tips on how to use Zoom features. The 11-page Web Conferencing with Zoom handbook also links to another more specific six page document focused entirely on security. On this page, the ATUS lays out which settings should and should not be enabled, and also provides a list of resources that faculty can reach out to if they have issues.
In addition to these guides, Justina Brown, the director for the Center for Instructional Innovation and Assessment, has been sending out weekly emails to faculty containing online workshops for each day of the week, covering different topics for faculty to increase their online teaching efficiency.
Aside from Zoom-bombers, on April 14, the cyber security company Cyble confirmed that over 500,000 Zoom account credentials were being sold on the darknet, a part of the internet mainly used to conduct illegal activity, and in this case used to acquire stolen account credentials.
Alex Stamos, Zoom cyber consultant and director of the Stanford Internet Observatory, commented on the account breaches during the April 15 Zoom webinar.
Stamos attributed the account hijacks to users reusing passwords that they used on other platforms. Stamos said Zoom was able to confirm via two third party intelligent firms that the 500,000 accounts that were affected all came from previous known password breaches. Stamos added that during his time at Facebook, there would be 500,000 of the same sort of breaches everyday.
Stamos stressed the number one thing people should do to avoid Zoom or any other accounts from being compromised is to get a password manager, which will randomize account passwords and make it impossible for your accounts to be attacked in this manner.
In agreement with Zoom’s position, Fretheim also emphasized the importance of exercising safe password practices, saying that everytime a password is reused, the chances of it getting compromised increases.
“It’s not that anyone stole the password from Zoom or anything, it’s poor password practices on part of the users,” Fretheim said.
In addition to Zoom-bombings and password leaks, there have been other security issues that have led people online to believe that Zoom is too insecure to use. On March 30, software engineer Fekux Seele posted on Twitter showing that Zoom’s Mac installer had scripts which enabled Zoom to install without final confirmation.
Without claiming fault, CEO Eric Yuan acknowledged his concern in a tweet the next day, saying, “Your point is well taken and we will continue to improve.” The installer for MacOS was changed on April 2 to not include the scripts.
Stamos commented that these sort of security issues are typical for a company dealing with rapid growth.
“Zoom has gone from a very successful company that served enterprises and enterprise communication to becoming a critical part of people’s lives,” Stamos said. “I honestly can’t think of an example like this in the past. There’s never been a company that’s had to scale a platform this quickly, especially as for something as heavy as video.”
Fretheim, who had similar thoughts, said, “These problems are typical for an internet company trying to deal with growth. The fact that they were shown an issue and dealt with it within a day reflects well.”
Familiar with both Zoom and its competition, Fretheim wants students and faculty to not be so quick to jump to Zoom alternatives with the thought that they won’t have issues with other platforms as well.