As Zoom use explodes, so do Zoom problems. Here’s my security checklist

Zoom is the hit software product of the coronavirus, and it’s easy to see why. We all need to connect right now, and Zoom is really easy to use.

That’s also the problem.

Whenever a technology is easy to use, it’s often easy to exploit. And Zoom is finding that out the hard way.  If you haven’t heard the word “Zoombombing” by now, you will.  Creeps barge into virtual Zooms uninvited and do awful things, largely because Zoom makes it so easy to set up and join meetings.   Teachers are finding unwanted digital visitors show up posting porn in front of students; a virtual meeting of Black women was interrupted by an invader screaming racism.  It’s awful. Meanwhile, the firm has made some major missteps on its own. It was sharing users’ information with Facebook without their knowledge; it was matching anonymized users with their LinkedIn profiles; it has a spooky “attention monitoring” feature for bosses.  (A list of even more horribles is here.)

Zoom is providing a lifeline for millions of people right now, many of them students using the service for free, so I don’t think we should be *too* hard on it. I also don’t think you should avoid it because of all these missteps.  But you should proceed with care when using Zoom, and I’ll give you my advice in a moment.

But first I want to explain the problem a bit. Zoom usage is… zooming. CEO Eric Yuan said in a blog post this week that his company never expected to suddenly be the world’s platform for communicating, and a flood of new consumer use cases has exposed the service’s flaws. How big is that flood?

“As of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid,” he wrote.

Here’s why that matters to you: Yuan has admirably said he’s stopped all feature development for 90 days and is putting all his resources into fixing security and privacy issues.  That’s good, but so far, it hasn’t worked. Moving forward, I’d be very skeptical of Zoom’s claims while it deals with the sudden usage crunch and criticism.

In other words, don’t plan on Zoom taking care of your safety. Do it yourself, by checking many settings manually.

For example, Zoom has claimed publicly (here, to security journalist Brian Krebs, and here, in an FBI warning) that meetings are password-protected by default — only users with the password can enter. That defies my personal experience, and empirical evidence. My inbox is littered right now with meeting invitations, not a one requiring a password. And my own meetings, which I hosted, didn’t require a password until I manually set that option.

That matters because, without a password, it’s not all that hard to barge into open Zoom meetings. All you need is a meeting ID, usually a 9-digit number.

These can be guessed, or someone could just stumble around looking for random open meetings. Zoom says it stops would-be bombers from brute-forcing their way into meetings by guessing a series of numbers in sequential order, but researchers say they’ve defeated this measure. Krebs talked to a researcher who created a tool that went looking for open Zoom meetings and found 14 percent of all meetings right now were not password-protected.

When I reviewed Zoom’s password settings, I found the options very confusing. Ultimately, there is a single setting that meeting hosts can toggle which requires passwords on all new meetings — it’s under Settings / “Require a password when scheduling new meetings.” But there are several other places where a user can toggle security settings. A host can simply require that users authenticate by logging into Zoom, rather than require a password. A host can require a password for only a single meeting. Hosts can require passwords only for users who dial in. Teachers can set a password for a virtual classroom. Meanwhile, a host can limit a meeting to a pre-selected list of members with certain email addresses.

All these options might make an IT manager at a large company happy. But it strikes me that Zoom doesn’t have a unified vision for authentication of participants, just a bunch of features. For newbies, this is a disaster. Zoom is begging for misuse by teachers who are trying to make 25 excited kids sit still long enough to share the stories they wrote that day. Don’t forget, everyone who hosts a Zoom meeting right now is also performing tech support, dealing with panicked Facebook messages and emails from participants who can’t get in for some reason. That’s also a recipe for relaxing all controls, making things easier for Zoombombers.

So here’s my quick and dirty advice for using Zoom in schools, or anywhere.

Know where the eject button is at all times. Just presume something bad might happen. A stranger could get into your Zoom, or a kid might show something inappropriate. And be ready. You have many options, from most drastic to least: X the room. Close Zoom immediately. It’s brutal but it will end the problem. People can rejoin; it’s not the end of the world. Next: Make the user leave. Hosts can boot individual users by selecting “remove.” (People you remove cannot get back into the meeting.) Hosts can also mute users or turn off (“stop”) their video at any time. It’s also possible to mute all participants from the participants panel on the right. Finally, there’s an “attendee-on-hold” option that puts users in time out for a short while, a bit less dramatic than “remove.” That feature must be toggled on from the administrative options menu.

Stop video and remove are in this menu, reached by clicking the three dots next to the attendee’s image. Be able to select these options quickly if something goes wrong.

Use Gallery View. It’s easier to see what everyone is doing in “Gallery View” rather than Speaker View, so use that option.

Don’t start early.  Class shouldn’t begin without the teacher in the room. Disable “Allow participants to join the meeting before the host arrives.”

Use the “waiting room” option to control who enters the meeting. Participants can be added one by one or as a group.

Lock the door. Once all participants are logged in, the host can choose “Lock Meeting” to keep anyone else from joining. This sounds like a good idea, but if you have laggards, or someone drops out of the meeting because of an Internet hiccup, it can be a pain. So use with care. While we are in this lower-right-hand corner, it’s not a bad idea to mute participants upon entering, either.

Limit, or ban, screen sharing. The feature causing the most trouble so far has been prank, disgusting screen sharing. Zoom says it now turns off screen sharing by default for anyone other than hosts. Double-check that. Here are elaborate steps for turning screen sharing on and off from Zoom, but fooling with that setting sounds like trouble to me.

Require passwords, but manage them. Zoom allows you to email a link with the password attached to the URL (see below). That means anyone with the link can enter the room. That makes such meetings less safe, but it’s a trade-off. It’s still safer than no-password meetings — random guessers can’t crash in. And requiring people to manually enter passwords might cause more headaches for hosts. (What’s the password?) This is where Zoom’s security paradigm could use more work.

So you know: This is what a Zoom meeting invite looks like without an attached password:

https://us04web.zoom.us/j/3043XXXX1

And this is what a link looks like *with* an attached password:

https://us04web.zoom.us/j/3043XXXX1?pwd=V2x2VmxJZUFDXXXXXXXXWTIxSWJkQT09
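To make the difference between those two link shapes concrete, here is an added example (my own, not Zoom’s code or anything from the post) that scans a block of text, such as a forwarded invitation, for zoom.us/j/ links and reports which ones carry a pwd parameter and which would let anyone who sees the bare meeting ID join. The sample invitations and the pwd value are constructed placeholders, not real meetings.

```python
import re
from urllib.parse import urlparse, parse_qs

# Join links in the shape the post shows: https://<host>.zoom.us/j/<meeting id>[?pwd=...]
ZOOM_JOIN_RE = re.compile(
    r"https?://[a-z0-9.-]*zoom\.us/j/\d+(?:\?[^\s<>\"']*)?", re.IGNORECASE
)

def mask_meeting_id(meeting_id):
    """Mask the ID the way the post does (3043XXXX1) so it can be logged safely."""
    if len(meeting_id) < 6:
        return "X" * len(meeting_id)
    return meeting_id[:4] + "X" * (len(meeting_id) - 5) + meeting_id[-1]

def check_zoom_link(url):
    """Classify one join link: does it embed a password (pwd=) or not?"""
    parsed = urlparse(url)
    meeting_id = parsed.path.rsplit("/", 1)[-1]
    params = parse_qs(parsed.query)          # blank pwd= values are dropped here
    has_pwd = bool(params.get("pwd", [""])[0])
    return {
        "meeting_id_masked": mask_meeting_id(meeting_id),
        "id_digits": len(meeting_id),        # the post describes IDs as usually 9 digits
        "password_in_link": has_pwd,
        "note": "password embedded; anyone holding this link can join"
                if has_pwd else "no password; anyone who guesses the ID can join",
    }

def audit_text(text):
    """Return one report per join link found in the text, in order of appearance."""
    return [check_zoom_link(m.group(0)) for m in ZOOM_JOIN_RE.finditer(text)]

# Constructed sample invitations (placeholder IDs and pwd value, not real meetings).
SAMPLE_INVITES = """
Join class: https://us04web.zoom.us/j/123456789
Staff meeting: https://us04web.zoom.us/j/987654321?pwd=Y29uc3RydWN0ZWRleGFtcGxl
"""

if __name__ == "__main__":
    for report in audit_text(SAMPLE_INVITES):
        print(report)
```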

NEVER post a Zoom meeting ID in a public place, such as social media. Discourage members from forwarding emails with meeting IDs, though that’s obviously tough to stop.

Don’t ever hold a meeting with your “Personal Meeting ID.” That’s a static number, like a constantly running meeting, and it’ll be easy for hackers to exploit. I don’t know why this is a feature. Let Zoom generate unique IDs for meetings.

Stop the note-passing. Hosts, especially teachers, can disable chat between participants. That’s probably a good idea in some situations.

Group chat options are a little tricky to find, too. You get to them by expanding the chat menu.

Zoom offers a lot more teacher-specific instructions on this page, but be warned: It’s not perfect. The link for “password-protect the classroom” when I visited was broken.

About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
