Courtesy of Zoom.us
Zoom Video Communications, Inc., added security measures to its basic (free) plan default settings May 9 in an effort to curtail gate-crashing of online conferences.
Passwords will now be required for Zoom sessions and waiting rooms will be automatically enabled for personal meeting IDs (user IDs), and use of screen sharing will be limited to the host by default.
Zoom CEO Eric Yuan told CNN on April 5 that during the COVID crisis the company grew too fast, but Zoom users’ connections were encrypted.
“We should have enforced some passwords, waiting rooms and double-checked every source’s settings, but over the past one or two weeks we already took action to fix those missteps,” Yuan said.
According to an April 2 article in the Washington Post, Zoom’s recent dramatic growth revealed security flaws that could leave user’s computers exposed to breaches.
One of these security flaws led to the phenomenon of zoombombing where unwanted guests infiltrate an online Zoom meeting.
These intruders expose users to benign interruptions such as advertisements and jokes, but there are also cases of racism, use of obscenities and pornographic images.
“The most important thing is to make sure you send invitations only to people that you want to attend your class,” said Frank Rosales, SJCC Helpdesk IT technician. “Once a bomber gets that link, they have access to your session.”
Brenda Siegel, who is running for lieutenant governor of Vermont, said in a Twitter video posted May 3 that she hoped Zoom would require registration and waiting rooms and restricted screen sharing.
“On Wednesday our campaign went to a Lieutenant Governors Forum, and we were zoombombed,” Siegel said. “The zoombombers took over the screen and drew a swastika. As a Jewish woman, after that, that was all I could see.”
Users at San Jose City College have also experienced zoombombing, although of a more benign nature than Siegel’s.
SJCC instructor Shelley Giacalone wrote in an email that she was cohosting a class via Zoom on April 22 with over 60 students logged in to the session at the time of the zoombombing.
“During the last 20 minutes of an almost two-hour session, we heard a recorded male voice talking about some video we should watch,” Giacalone said. “We did not see anyone on video, just heard the advertisement.”
Giacalone wrote that both instructors approved each participant for the session, but as they were co-hosting, they did not necessarily know their cohosts’ students’ names.
During the zoombombing incident, a student recommended that she mute everyone in the session so they would not hear the voice anymore, and that solved the problem.
“If there was an instructor hosting a class meeting and they were zoombombed, they could also cancel that meeting and just send out another invitation, so basically start a new meeting,” Rosales said. “It’s a lot more effort on the instructors now because they have to cancel that one and generate a new Zoom meeting.“
The Intercept news site wrote in a March 31 article that a major security flaw is Zoom’s lack of end-to-end encryption, which video services such as FaceTime already employ.
Zoom claimed on its website to be using end-to-end encryption, but it was using transport encryption, or TLS, which is the same standard that many HTTPS sites use, according to the Intercept.
“So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company,” the Intercept wrote.
Zoom introduced version 5.0 of its software on April 27, nearly 45 days after the shelter-in-place order, to beef up its security. However, the upgrade is optional for current users until the end of May.
The new encryption protocol will now block Zoom from eavesdropping on any Zoom meetings.
“After May 30, all Zoom clients on older versions (of Zoom) will receive a forced upgrade when trying to join meetings as GCM (Galois/counter mode) encryption will be fully enabled across the Zoom platform,” according to the Zoom website.
An investigation into Zoom by the Connecticut attorney general is still ongoing, as is a lawsuit against the company by investors and shareholders who accuse Zoom of failing to disclose security flaws.