Zoom is an American video-conferencing and online meeting software whose popularity grew rapidly during the coronavirus pandemic when companies switched to remote work. To be precise, in the first quarter of 2020, Zoom's usage increased by 67%.
Such exponential growth has led to closer inspection of Zoom’s security. Thousands of its users reported privacy breaches and security incidents. Some have even become victims of so-called zoombombing, an attack during which an intruder appears in video calls or sends offensive imagery. In the face of all these issues, companies like Google, SpaceX, and NASA all banned their employees from using Zoom for work.
However, Zoom security has improved over the past few years. Zoom developers have fixed a few of its major security issues.
Zoom had many security issues in the past. The platform is still far from perfect, but Zoom has managed to fix some of its biggest flaws. So using Zoom is relatively safe if you take all the necessary precautions mentioned below and implement all the recent updates.
While Zoom has already tackled some of its most serious security and privacy issues, it has a few remaining vulnerabilities, as reported by Tom's Guide.
Around half a million Zoom usernames and passwords are up for sale in criminal online marketplaces. This resulted from credential-stuffing attacks when hackers reused previously leaked credentials to hack new accounts. Criminals are also reportedly trading compromised Zoom accounts on the dark web.
This is not Zoom's fault, but you should by no means use passwords that you use for other accounts for Zoom. Also, make sure to change Zoom passwords if they get compromised and use strong ones. And remember that no service is fully protected against potential future data breaches or leaks.
Zoom uses end-to-end encryption, but its encryption algorithm is pretty weak. Researchers at the Citizen Lab claim that Zoom uses the AES-128 algorithm instead of AES-256. Zoom generates and holds all the encryption keys, meaning it can decrypt your data anytime.
Moreover, Zoom uses a modified version of the algorithm that lets patterns from the original files show through. This means that someone can still see the original message. However, Zoom promised to upgrade its encryption algorithm.
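The pattern leak described above is the behaviour of ECB mode (the mode the Citizen Lab report identified), where every block is encrypted on its own with the same key. The following added example, which is not Zoom's code, contrasts it with counter mode; the 4-round Feistel function is a stand-in for AES so the script needs no third-party library, and the key, nonce and frame are constructed values.

```python
import hashlib
import hmac

BLOCK = 16


def _f(key, rnd, half):
    """Round function of the stand-in cipher (HMAC-SHA256, truncated)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_block_encrypt(key, block):
    """4-round Feistel permutation on one 16-byte block.

    Stand-in for AES (assumption of this example); NOT a secure cipher.
    Only the mode of operation matters for the demonstration.
    """
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _f(key, rnd, right)))
    return left + right


def ecb_encrypt(key, data):
    """Encrypt each block independently: equal plaintext blocks collide."""
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def ctr_encrypt(key, nonce, data):
    """Counter mode: each block is XORed with its own keystream block."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        stream = toy_block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], stream))
    return bytes(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


# Constructed "video frame": 60 identical background blocks around 4 detail blocks.
FRAME = bytes(BLOCK * 30) + bytes(range(64)) + bytes(BLOCK * 30)
KEY = b"constructed-key!"   # constructed sample key
NONCE = b"nonce-01"         # constructed 8-byte nonce
```

Comparing `repeated_blocks(ecb_encrypt(KEY, FRAME))` with `repeated_blocks(ctr_encrypt(KEY, NONCE, FRAME))` shows the uniform background surviving encryption in the first case and vanishing in the second.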
Employers can also use Zoom to spy on employees and breach their privacy. Zoom's attention-tracking feature notifies a host if a user clicks away from a Zoom window for more than 30 seconds. Admins can join calls without the consent of their participants and prior notification, too.
Researchers indicated that Zoom's anti-tampering mechanisms are poorly protected from tampering. As a result, a third party can disable them or even replace them with malicious ones to hijack the application.
Zoom bombing is also an active issue. Anyone who knows your meeting number can infiltrate your meeting with images or annoying sounds. Intruders can also find open Zoom meetings and wardrive into them by checking Zoom meeting IDs. To prevent these issues, you shouldn't share your meeting number with anyone except the call participants, and you should protect your meetings with passwords.
Zoom is notorious for collecting users' data, such as audio recordings, messages, and personal credentials. The app used to send users' email addresses and usernames to LinkedIn. There are also widespread concerns that students' and pupils' private data could have been leaked too because educational institutions use Zoom for online classes.
Zoom has already fixed some of its previous flaws.
Zoom fixed the account hijacking issue. Previously, hackers could hijack users' Zoom accounts by knowing their email addresses. Fortunately, this flaw hadn't been disclosed before Zoom developers could fix it.
Zoom no longer displays meeting IDs on your screen so that you won't accidentally expose them in a screenshot or other way.
Zoom has been accused of generating keys in China, a country famous for its surveillance and privacy violations. If so, this means that their servers can be monitored by the Chinese government, no matter whether you are making calls in the US or Europe. Zoom admitted that it had routed calls via Chinese servers by mistake.
Last April, Zoom CEO Eric S. Yuan reported in a blog post that Zoom had fixed this issue.
The Citizen Lab research team disclosed Zoom's waiting room flaw and advised users against using it. Zoom developers have reportedly fixed the flaw.
By slipping in a UNC path to a remote server, hackers could access Zoom users' Windows accounts. They could also use the same method to flood Zoom chat rooms with malicious files. Zoom claims that it has already fixed this issue.
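One way a chat client can close off the UNC-path issue described above is to escape every message and turn only http(s) URLs into links, so a UNC path or `file:` URL stays inert text. This is an added example, not Zoom's code; the function names are hypothetical and the hostnames are placeholders.

```python
import html
import re

# Text Windows resolves as a path on another machine:
#   \\host\share    //host/share    file://host/share
UNC = re.compile(r'(?<![\w:/\\])(?:\\\\|//)(?P<host>[^\s\\/?*:"<>|]+)[\\/]')
FILE_URL = re.compile(r'file:/{2}(?P<host>[^\s/\\]+)[/\\]', re.I)
# The only thing this renderer will ever turn into a link.
WEB_URL = re.compile(r'https?://[^\s<>"\']+', re.I)
LOCAL = {"localhost", "127.0.0.1", "."}


def remote_path_hosts(message):
    """Return hosts named by UNC paths or file: URLs in a chat message."""
    hosts = [m.group("host") for rx in (UNC, FILE_URL) for m in rx.finditer(message)]
    return [h for h in hosts if h.lower() not in LOCAL]


def render(message):
    """Escape a chat message and linkify http(s) URLs only.

    UNC paths and file: URLs are never wrapped in a link, so a click
    cannot make the operating system open a remote share.
    """
    out, pos = [], 0
    for m in WEB_URL.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


# Constructed sample messages; files.example and intranet.example are placeholders.
SAMPLES = [
    r"slides are at \\files.example\share\deck.pptx",
    "or try file://files.example/share/deck.pptx",
    "agenda: https://intranet.example/agenda?id=7&x=1",
    "local copy: file:///C:/Users/me/deck.pptx",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(remote_path_hosts(s), "|", render(s))
```

`remote_path_hosts` is useful on its own for logging or alerting when such paths appear in chat, independent of how messages are rendered.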
Zoom's iOS application automatically sent the analytics data of users' devices to Facebook, even if users didn't have a Facebook account. The company didn't inform them about it either. After discovering this issue, Zoom updated its iOS apps to fix it.
Zoom used hacker-like methods to bypass macOS security precautions. Researchers claimed that the application was installed without the user's final consent, and it used a highly misleading prompt to gain root privileges. Hackers could even exploit this technique to gain control over someone's device. Zoom representatives claimed they used such tactics to simplify Zoom's installation process. However, later they removed this technique.
Here are a few tips to make Zoom safer:
Zoom is compatible with a VPN, which provides an additional layer of protection. NordVPN will provide much-needed high-quality encryption and protect your traffic from snoopers and interceptors.
NordVPN also has the Threat Protection function. It helps you identify malware-ridden files, stops you from landing on malicious websites, and blocks trackers and intrusive ads on the spot.