Vulnerabilities and Privacy Issues with Zoom | IT Security

As the University pushes ahead with our work-from-home and home-based-learning initiatives amid the COVID-19 situation, there has been an increase in the use of Zoom to facilitate online communications over the past weeks. Unfortunately, the use of this platform has revealed security vulnerabilities and privacy issues, which have no fixes at this moment. In view of that, please observe these recommendations should you continue to use Zoom:

1. Guard against “Zoom-bombing”

Zoom-bombing is when someone gains unauthorised access to a Zoom meeting to eavesdrop on the call or to harass the participants. To prevent this, ensure that the “Require meeting password” setting is always enabled, and set a random 6-digit password.

2. Download and install the latest Zoom client from official sources

Cybercriminals are riding on the sudden popularity of Zoom to create malware masquerading as Zoom installers and to build phishing sites using Zoom-related domains. Download and install the latest official Zoom client only from https://nus-sg.zoom.us, the Apple App Store or Google Play. Do not click on any suspicious links from emails or websites.

3. Do not click on suspicious links in Zoom chats

Older versions of the Zoom Windows client have a security vulnerability in their chat feature that allows attackers to steal the Windows credentials of users who click on a malicious link. Please ensure that you are using the latest version 4.6.9 (19253.0401). Even then, always be vigilant and do not click on any suspicious links.

4. Do not share your Personal Meeting ID (PMI)

Each Zoom user is given a permanent PMI that is associated with their account. If you divulge your PMI to someone, they will always be able to check whether there is a meeting in progress and potentially join it if a password is not configured. Instead of sharing your PMI, create a new meeting each time and share it only with the meeting attendees.

5. Do not discuss or share sensitive/confidential information

All data transmitted during video and audio calls between the user and the service is encrypted. Like online banking, this prevents eavesdropping when you are using unsecured Wi-Fi. However, certain Zoom calls are not encrypted end-to-end, meaning that Zoom itself can potentially gain access to your video and audio. Please refrain from discussing sensitive or confidential topics using Zoom.

6. Vulnerabilities in older versions of the Zoom Mac OS client

An attacker with physical access to your Mac can exploit security vulnerabilities in older versions of the Zoom Mac OS client to gain administrative privileges on your system, or unauthorised access to your microphone and camera to make hidden recordings without your knowledge. Please ensure that you are using the latest version 4.6.9 (19273.0402) to prevent this from happening.
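The minimum builds named in items 3 and 6 can be checked across a fleet of machines with a small script like the one below. This is an added example, not part of the original advisory or of Zoom's own software; the platform keys, the hostnames and the older build numbers in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum client builds stated in this advisory, keyed by platform.
MIN_VERSIONS: Dict[str, str] = {
    "windows": "4.6.9 (19253.0401)",
    "macos": "4.6.9 (19273.0402)",
}

# Matches "4.6.9 (19253.0401)"; the "(build.date)" suffix is optional.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:\((\d+)\.(\d+)\))?\s*$")

def parse_zoom_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Parse 'release (build.date)' into a tuple that sorts in version order.
    A string without a build suffix parses to build 0, so it ranks below any
    fully specified minimum: an unverifiable client is treated as unpatched."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zoom version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    build_date = int(m.group(3)) if m.group(3) else 0
    return release, build, build_date

def is_up_to_date(platform: str, installed: str) -> bool:
    """True if the installed client meets the advisory minimum for its platform.
    Windows and Mac share release 4.6.9 but differ in build number, so the
    comparison must include the build, not just the release."""
    required = parse_zoom_version(MIN_VERSIONS[platform.lower()])
    return parse_zoom_version(installed) >= required

def outdated_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose (platform, version) entry fails the check."""
    return [host for host, platform, version in inventory
            if not is_up_to_date(platform, version)]

# Constructed sample inventory; hostnames and the older build numbers are made up.
SAMPLE_INVENTORY = [
    ("lab-pc-01", "windows", "4.6.9 (19253.0401)"),   # meets Windows minimum
    ("lab-pc-02", "windows", "4.6.8 (19000.0101)"),   # older build: flagged
    ("staff-mac-07", "macos", "4.6.9 (19273.0402)"),  # meets Mac minimum
    ("staff-mac-08", "macos", "4.6.9 (19253.0401)"),  # Windows build on a Mac: flagged
    ("kiosk-03", "windows", "4.6.9"),                 # no build reported: flagged
]

if __name__ == "__main__":
    for host in outdated_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Zoom client below advisory minimum, update required")
```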


Zoom has assured us that they are dedicating resources to better identify, address, and fix issues proactively. While that is happening, let us turn to secure alternatives officially supported by NUS, like Microsoft Teams and Skype For Business.


To get more information on using Microsoft Teams, please visit https://wiki.nus.edu.sg/display/cit/Getting+Started+with+Teams


Let’s all stay healthy, and cyber-safe together.


Reference sources:

https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/

https://theintercept.com/2020/03/31/zoom-meeting-encryption/