Tightening Up Your Zoom Security

April 8th, 2020

During this Covid-19 crisis nearly all of us, including our school-aged kids while distance learning, have gotten a taste of the video conferencing app, Zoom.

A tremendous chunk of civilization simply needs a chat system that works, and Zoom has admitted its rapid growth in user numbers has left many people using the platform without the security and privacy they need. According to a recent company blog, Zoom has grown from hosting 10 million daily users as of December last year to managing 200 million now.

But despite Zoom's recent steps to address its security and privacy, issues still remain. The firm’s privacy policy details extensive data collection and "Zoom bombing" is possible if your meeting or chat isn’t properly secured. Some security risks are less obvious - for example, under certain circumstances, meeting attendees might be able to read your private messages.

Zoom is already being investigated by the U.S. attorney general, and a lawsuit has been launched against the firm after it emerged data was being sent to Facebook, according to Vice News.

If you can't switch more sensitive chats to a different platform, here are some steps you can take to secure Zoom as much as possible. 

Keep Zoom Updated 

As with any similar platform, Zoom suffers from security vulnerabilities, but so far, it has responded quickly and provided fixes. For example, the issues that could allow an attacker to take over a Mac's microphone or camera, and a Windows issue that could allow a hacker to steal login information were both fixed on April 1.

As with all of your systems and apps, one of the important steps you can take is to make sure you keep any installed version of the Zoom mobile or desktop app up to date. This ensures those issues are fixed, and your risk of compromise is lower. 

Use passwords to protect your meeting–and never share your meeting ID

Zoom bombing, where uninvited guests crash your meeting or chat, relies on gaining access through a meeting that is not password protected. People often post the Zoom meeting number online, and without any protection, bombers can enter and wreak havoc.

Try not to use the personal meeting ID - instead, let Zoom generate a random ID for your meeting. And never share the link or meeting ID on public platforms.

Two good ideas are enabling the options “Require a password when scheduling new meetings” and “Require a password for instant meetings.”

Meanwhile, disable the option “Embed password in meeting link for one-click join” and then enable “Require password for participants joining by phone.”

For further security, in the Admin > Advanced section, enable “Hide billing information from administrators” and consider changing the length of the Host Key to 10 numbers to make it harder to guess.

Share the password securely 

When using Zoom, securely sharing the password can be a challenge. In any case, don't put the password on the public internet - which, of course, renders the whole idea of having a password useless. 

Other basic security best practices include not sharing data such as ID or passwords, or pictures of your Zoom meetings publicly. 

For businesses, the best idea is to connect to Zoom via single sign on if your company provides this type of authentication. Business Zoom users can also enable “Sign in with two-factor authentication” and enable this for “All users in your account.”

Use waiting rooms

An additional way to stop Zoom bombers from entering your chat or meeting is the use of waiting rooms. This allows the host to screen everyone entering the meeting to ensure no one uninvited can get in. 

Further, use the waiting room functionality as a host and double up with a meeting password for designated guests. To avoid an even more embarrassing Zoom bombing experience, set the screen sharing to ‘host only’ and disable file transfer.

Manage participants 

A Zoom host can manage the meeting participants. In order to do that, you should ensure you are the only host. You can also control the camera and mute options. Hosts can ensure participants can't share their screen without approval, as well. Additionally, if anyone invited has been troubling you, adjust your settings to disable the ‘allow removed participants to rejoin’ setting.

Take control of your privacy

Remember, services are free for a reason. If you are using the free version, there is certain data you might have to give up. A good rule of thumb to remember is "what happens in Zoom doesn't stay in Zoom." Control your own privacy as you do with all online tools.

Beware of phishing 

Another security risk for Zoom users is phishing, in which attackers lead people to a malicious site to download malware or enter their details.

You should always be careful when clicking on any meeting invite links. In a pinch, it may be tempting to just click on a link in the latest email, but it is always worth the wait to check. 

If you're suspicious of a link, copy the ID from the link provided and enter it in the official application to join.
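
The check described above can be scripted for a help desk or mail filter. This is an added example, not code from the original article or from Zoom; it assumes join links look like https://zoom.us/j/ followed by a 9 to 11 digit meeting ID (optionally on a zoom.us subdomain, with an optional pwd parameter), and check_invite is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: genuine join links live on zoom.us or a subdomain of it,
# with the meeting ID as the 9-11 digits after /j/.
TRUSTED_SUFFIX = "zoom.us"
JOIN_PATH = re.compile(r"^/j/(\d{9,11})/?$")


def check_invite(url):
    """Return (verdict, meeting_id, notes) for one invite link."""
    notes = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    # Pull the ID out even from a bad link, so it can be typed into the app.
    match = JOIN_PATH.match(parts.path)
    meeting_id = match.group(1) if match else None

    if parts.scheme != "https":
        notes.append("not https")
    # Exact match or a real subdomain; "zoom.us.something.example" must not pass.
    if not (host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)):
        notes.append("host is not zoom.us: " + (host or "<none>"))
    if parts.username or parts.password:
        notes.append("userinfo before the host hides the real destination")
    if meeting_id is None:
        notes.append("no meeting ID found in path")
    # Informational only: anyone holding this link also holds the password.
    if "pwd" in parse_qs(parts.query):
        notes.append("password is embedded in the link")

    suspicious = any(not n.startswith("password is") for n in notes)
    return ("suspicious" if suspicious else "ok"), meeting_id, notes


# Constructed sample links (not real meetings or real domains).
SAMPLES = [
    "https://zoom.us/j/1234567890",
    "https://us02web.zoom.us/j/1234567890?pwd=Q29uc3RydWN0ZWQ",
    "https://zoom.us.meeting-join.example/j/1234567890",
    "https://zoom.us@login.example/j/1234567890",
    "http://zoom-us.example/join?id=1234567890",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, mid, notes = check_invite(link)
        print(f"{verdict:10} id={mid} {'; '.join(notes)}  <- {link}")
```

A link flagged as suspicious should not be clicked; when a meeting ID is returned, it can be entered by hand in the official application instead.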

Update April 4 at 03:15 PT

Zoom has just added new security measures that will be available to all users by default from April 5. In response to heavy criticism of its service, all users will now have to use passwords and waiting rooms as Zoom looks to prevent “Zoom bombers” from disrupting meetings and chats. 

“On April 5, 2020, Zoom will enable the Waiting Room feature and two meeting password settings for all Basic users and Pro users with a single license, including K-12 education accounts who have the 40-minute limit temporarily waived,” Zoom said in an announcement.