What Does Zoombombing Tell Us About Video App Security?
As if we didn’t have enough to contend with in 2020, Zoombombing emerged as the latest cybersecurity threat last month.
For the uninitiated, Zoombombing refers to uninvited users interrupting Zoom meetings in order to troll participants, usually by using its screen-sharing feature to share explicit videos or images.
The wider implications of this, however, are apparent.
During this pandemic, businesses and workers are already on edge—their video conferencing software is about the last thing they want to think about as we attempt to navigate our way through these unpredictable times.
Zoom has responded by promising enhanced security for its platform in an effort to improve its standing, including with one of its own shareholders, who launched a class action lawsuit against the company in early April.
But what does Zoombombing tell us about the security of Zoom and its competitors? What should businesses and individuals expect from a security standpoint and why does it matter?
Let’s take a look as we run down what Zoombombing is, whether Zoom’s response is adequate, and what expectations organizations should have of providers of video conferencing technology.
What Is Zoombombing?
Zoombombing is when an uninvited person joins a Zoom meeting, trolling participants by sharing their own videos.
By default, Zoom allows participants to share their screens, so once you’re in, it’s fairly simple.
Add to the mix that with public Zoom meetings you only need a meeting ID to join, and you’ve got a recipe for trouble. The FBI warned members of the public and businesses about Zoombombing in late March.
Strictly speaking, the practice isn’t a cybersecurity issue, but more of an issue of cyber hygiene—in other words, users aren’t doing enough to stop these intrusions, but Zoom’s settings haven’t made it easy to do so for the average user.
Why Always Zoom?
Why is Zoom always in the news for one reason or another? Why is Zoom the center of this latest controversy?
The answer to that is quite simple; it’s the most popular video conferencing software out there right now.
Businesses, schools, governments, and other organizations have downloaded the app to help ease their transition to remote work, and its ease of use has proved to be an extremely appealing factor to many users.
Driven by necessity as a result of COVID-19, Zoom’s daily active user count increased 378% from a year earlier as of March 22, while monthly active users were up 186%. The DAU and MAU counts grew by about 340% and 160%, respectively, when compared with data from the end of December 2019.
In other words, a heck of a lot of people are using it, and the app is seemingly at the core of the remote work functions of organizations all over the world.
Zoom’s Cybersecurity Issues
Aside from its popularity, Zoom has also been in the limelight for reasons that are a cause for concern to many—primarily because of criticisms of their cybersecurity and data privacy policies.
Since its takeoff this year, it’s come under scrutiny for the following:
- Attendee attention-tracking
- Misleading end-to-end encryption claims
- Unauthorized data mining
You can add Zoombombing to that list, too.
Of course, don’t attribute to malice what can be explained by incompetence—Zoom’s astronomical rise in recent months has taken even its most ambitious backers by surprise, and the company has been scrambling to fix its security flaws ever since.
For a lot of people, however, that’s simply not good enough when they’re using these platforms day in, day out, often talking about sensitive business and handling and sharing important data through them.
79% of Americans are somewhat or very concerned about how companies use their collected data, and 81% feel they have no control over it.
In an effort to stem the criticism, and to Zoom’s credit, the company has taken strides in attempting to assuage fears by promising a more secure platform for its users. CEO Eric Yuan even wrote an open letter apologizing for Zoom’s lack of security.
In response to criticism of the app, Zoom announced a 90-day plan in which they would put their efforts into fixing security and privacy issues, freezing development on their other features to do so.
Zoom’s shortcomings were, naturally, pounced on by its chief competitors, Microsoft and Google with their Teams and Meet services respectively, which did not hesitate to tout the cybersecurity credentials of their own apps.
While Zoom has been working overtime to make improvements, the circumstances have nonetheless made users wary about their protections when using these apps.
What Should Be Expected From Videoconferencing Apps
Zoom rightly faced backlash for its unfounded claim that it offered users end-to-end encryption.
It does, however, prompt the question of what security and privacy features should be expected.
Encryption & Data Privacy
Data from video conferences is often stored so it can be used later. Leading service providers will store this data in data centers, usually in your own region of the world.
Zoom had previously been routing user data through China, a concern for many users, but has since stopped the practice.
A Blind report found that 35% of professionals are worried their information may have been compromised on Zoom. Because of this, 12% of users said they stopped using the video conferencing platform altogether.
While most consumers understand that data collection is a necessary evil, so to speak, be sure that your provider is keeping the data they’re collecting from you on your home country’s soil.
Teams, Meet, and Zoom do not offer the end-to-end encryption found in popular apps like WhatsApp, but they do encrypt data in transit.
How Can You Improve Your Videoconferencing Security?
It’s important for you to check out your video conferencing platform’s security and data privacy standards when you use them for business.
It’s also important that you take your own precautions, in order to maximize your security and minimize the chances of a breach or intrusion.
These should include:
- Reading and understanding privacy settings—they may offer you the option to opt out of sharing data
- Making sure to use MFA, or at least a strong password—Teams, for example, uses MFA for its software
- Making calls private—public calls are the primary reason for Zoombombing; consider requiring users to enter a password to join the call
Zoom’s rise and subsequent scrutiny have demonstrated how important users find the topics of data security and data privacy.
Zoom has been making steadfast improvements to its cybersecurity practices, but users should nevertheless show vigilance when assessing whether any platform is up to standard.
This is more pertinent than ever considering the volume of people performing remote work and the large number of businesses establishing remote work policies that will continue to be in place long after COVID-19 is gone.
- Video app security varies greatly among leading providers
- Businesses should carefully consider the platform they’re using and whether its data security and privacy policies are substantial enough
- Long-term remote work makes these considerations all the more important, as organizations look to safeguard their communications and information
In light of recent events, many organizations have found themselves playing catch-up with their cybersecurity, trying to implement makeshift solutions to make up lost ground while their workforces are working remotely for the immediate future.