Written by Wang Eng Eng
As people around the world work or learn from home, Zoom has become the go-to video meeting platform for many users during the COVID lockdown. The site has seen an increase from 10 million to 200 million daily users in three months. This sudden explosion in user numbers, however, also exposed flaws in its privacy and security features as more incidents of “Zoombombing” surfaced online, which is when uninvited guests join a video call to interrupt or harass.
One Facebook user (screenshot below) shared her experience with home-based learning in Singapore and was shocked to see pornographic images on her daughter’s HBL video.
Mr Aaron Loh, Divisional Director, Educational Technology Division at the Ministry of Education (MOE), responded to our email queries and said that MOE is currently investigating both breaches and working with Zoom to enhance security measures. In the meantime, as a precautionary measure, MOE will suspend the use of Zoom until the security issues are ironed out.
It still begs the question: how did “Zoombombing” happen in the first place?
Tech360.tv speaks with cyber security professional Devesh Logendran to find out how “Zoombombing” takes place and whether we are enabling these Zoom raiders.
Q: How do Zoombombers access our screens?
Devesh: It’s actually not difficult. A lot of these trolls or raiders, as we call them, are young people who are mischievous by nature. So they would use automated scripts to generate meeting IDs and join these meetings to pull pranks. These scripts would pull URLs from Twitter or from event sites because they would have the password embedded in the URL.
Users who do not password-protect their meetings allow these trolls to enter. Some users also share these links online and I can find them with a simple Google search.
These security risks can also be due to Zoom’s initial default meeting settings for free users which were not password protected. But that has changed.
If you look at a bug bounty site for Zoom, you can find other security flaws that one can hack into. You can see that an attacker is able to hack any Zoom account as long as they have your email.
Q: What other common mistakes are we making here?
Devesh: A lot of users think they have taken extra steps to set up their meeting with a generated ID and password. But then they share the link with the password embedded for easier access. The link looks like this: https://us04web.zoom.us/j/198315695?pwd=RzlDVkRSa1ZoRHdzelVCUHI1MFRMQT09
A tip is to look out for pwd=, which means your password is embedded in the link. So it might be good not to do so.
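The pwd= check Devesh describes can be automated for a defender reviewing shared links (for example, a school’s chat channel or a shared document). The following is an added example written for this article, not code from Zoom or from the interviewee; the message text, the second link and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Zoom join links have the form https://<subdomain>.zoom.us/j/<meeting id>[?query]
ZOOM_JOIN_RE = re.compile(r"https?://[\w.-]*zoom\.us/j/\d+(?:\?[^\s\"'<>]*)?")

# Constructed sample message; the first link is the one quoted in the interview,
# the second is a made-up link that was shared without an embedded password.
SAMPLE_MESSAGE = """Class starts at 9am, join here:
https://us04web.zoom.us/j/198315695?pwd=RzlDVkRSa1ZoRHdzelVCUHI1MFRMQT09
Backup room: https://zoom.us/j/123456789 (password sent separately)
"""


def find_zoom_links(text):
    """Return every Zoom join link found in free text."""
    return ZOOM_JOIN_RE.findall(text)


def has_embedded_password(url):
    """True when the link carries a non-empty pwd= parameter."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(k == "pwd" and v for k, v in params)


def strip_password(url):
    """Return the same link with the pwd= parameter removed, keeping other params."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "pwd"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def audit(text):
    """Return (original link, meeting id, link with password removed) for each risky link."""
    findings = []
    for url in find_zoom_links(text):
        if has_embedded_password(url):
            meeting_id = urlsplit(url).path.rsplit("/", 1)[-1]
            findings.append((url, meeting_id, strip_password(url)))
    return findings


if __name__ == "__main__":
    for original, meeting_id, safe in audit(SAMPLE_MESSAGE):
        print(f"meeting {meeting_id}: password embedded in link; share {safe} instead")
```

The sanitised link keeps the meeting ID so the host can still distribute it, with the password sent through a separate channel.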
Q: There’s been a lot of talk about Zoom not offering end-to-end encryption. Does it matter to me as a user?
Devesh: Well, to the average user it wouldn’t matter unless you have top secret information. This would matter if you are working for the government, which means sensitive information that transpires during Zoom meetings can be decrypted and accessed.
Q: Finally, what are your top tips for staying safe on Zoom?
Devesh: I would recommend not sharing meeting links with embedded passwords. Don’t use your personal meeting ID; generate a meeting ID instead.
Enable the waiting room so you can screen out suspicious participants.
Disable screen sharing except for the host (click on the share screen icon and access the sharing option).
Disable annotations for participants and the file feature. This would prevent undesirable activity.
But what I would really like to see in Zoom is a limit to the number of participants in a meeting. Right now, some accounts can allow up to 500-1000 people. These limits would really help prevent more “Zoombombers” from taking advantage of the system.