INSIGHTS FROM ENGINEERS
How to Use Zoom Securely
A question that I have been receiving quite a bit is whether using Zoom video conferencing is safe. To answer that question, you have to understand security a little bit. As a company that focuses on security, my first answer is this: nothing is ever a hundred percent secure. Anyone who tells you otherwise is lying to you. There is always the human element, and there will always be a hole in the security plan. I can tell you that the security complaints against Zoom have been there since before Covid-19 came to town.
How Zoom is Connected
In security terms, Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection. The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and a webpage is encrypted.
Zoom has sent conflicting signals about its encryption approach. Zoom had marketed one of its features as making meetings “end-to-end encrypted.” That would mean video call data is encrypted at all times in transit, such that not even Zoom could access it. The company has since admitted that this is not the case, and now uses the word “encrypted” instead of “end-to-end encrypted” when meetings have the setting enabled. They have since apologized for using the words “end-to-end encryption.”
Zoom’s Security Capabilities and Limitations
How to use Zoom Securely:
Log in only using Zoom apps.
Zoom can add comprehensive encryption, but only if everyone in a meeting is logged in through one of the Zoom apps. If someone joins a Zoom meeting through a regular phone call, for example, Zoom can’t extend its encryption to the legacy telephony network. Also, Zoom’s system does not meet the criteria of being end-to-end encrypted because of key management: the logistics of generating, using, and storing the keys that encrypt and decrypt data. Zoom says that they don’t decrypt the data at any point; however, that doesn’t mean that they couldn’t.
The fact is that implementing end-to-end encryption with the kinds of features Zoom offers is very difficult. A free Zoom account can host calls with up to 100 participants. Enterprise Plus tier users can have up to 1,000 people on the line. It took Apple years to get end-to-end encryption to work with 32 participants on FaceTime. Google’s enterprise-focused Hangouts Meet platform, which doesn’t offer end-to-end encryption, can only handle up to 250 participants per call. So please take that into consideration. For most users in most situations, Zoom’s current security seems adequate. However, anyone handling government, healthcare, or any other private or protected information should look for another method.
TEN TIPS: What You Can Do To Improve Your Security on Zoom
To help safeguard your Zoom meetings, or any software that you use, you need to educate yourself on the software and how it operates. Here are some basics to help you navigate Zoom if this is a platform that you are using:
- Have a strong password and change it often for your account
- Password protect your meetings
- Always update and run the latest build. In order to check, open the desktop application, click on your profile in the top-right, and select “Check for updates.”
- You should not use your personal meeting ID if possible, as this could pave the way for pranksters or attackers that know it to disrupt online sessions. Choose a randomly generated ID for meetings when creating a new event.
- Do not share your personal ID publicly.
- Do not allow others to join a meeting before you, as the host, have arrived. You can enforce this setting for a group under Account Settings.
- When creating a new event, you should choose to only allow signed-in users to participate.
- Avoid file sharing. It is an easy way for malicious files to be passed onto users.
- Once a session has begun, head over to the (Manage Participants) tab, click (More), and choose to (lock) your meeting as soon as every expected participant has arrived. This will prevent others from joining even if meeting IDs or access details have been leaked.
- If you find that someone is disrupting a meeting, you can kick them out under the (Participants) tab. Hover over the name, click (More), and remove them. You can also make sure they cannot rejoin by disabling (Allow Removed Participants to Rejoin) under the (Settings: Meetings – Basic) tab.
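Several of the tips above (meeting password, random meeting ID, no joining before the host, signed-in users only) are per-meeting settings that can be checked mechanically. The following is an added example, not part of the original article: it audits meeting objects whose field names (`password`, `settings.use_pmi`, `settings.join_before_host`, `settings.meeting_authentication`) are assumed to follow Zoom's Meetings REST API, and the sample data is constructed.

```python
import json

# Constructed sample: meetings shaped like Zoom Meetings REST API objects.
# Field names are assumed to match that API; IDs and values are made up.
SAMPLE = json.loads("""
[
  {"id": 1111111111, "topic": "Weekly sync", "password": "",
   "settings": {"use_pmi": true, "join_before_host": true,
                "meeting_authentication": false}},
  {"id": 2222222222, "topic": "Board review", "password": "k7!Qz2pL",
   "settings": {"use_pmi": false, "join_before_host": false,
                "meeting_authentication": true}}
]
""")

def _setting(meeting, key, unsafe_default):
    # Fail closed: a missing setting is treated as the unsafe value.
    return meeting.get("settings", {}).get(key, unsafe_default)

# (finding text, predicate that is True when the meeting violates the tip)
CHECKS = [
    ("no meeting password set",
     lambda m: not m.get("password")),
    ("uses the personal meeting ID instead of a random ID",
     lambda m: _setting(m, "use_pmi", True)),
    ("participants can join before the host",
     lambda m: _setting(m, "join_before_host", True)),
    ("not restricted to signed-in users",
     lambda m: not _setting(m, "meeting_authentication", False)),
]

def audit_meeting(meeting):
    """Return the list of findings for one meeting object."""
    return [text for text, violated in CHECKS if violated(meeting)]

def audit_all(meetings):
    """Map meeting id -> findings, keeping only meetings with findings."""
    report = {}
    for m in meetings:
        findings = audit_meeting(m)
        if findings:
            report[m["id"]] = findings
    return report

if __name__ == "__main__":
    for meeting_id, findings in audit_all(SAMPLE).items():
        print(meeting_id)
        for finding in findings:
            print("  -", finding)
```

Locking a meeting and removing participants happen during a live session, so they are not covered by this kind of scheduled-meeting audit.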
Those are just some security basics that can help you have a more secure experience running Zoom and show you how to use Zoom securely. There are many other video conferencing solutions and collaboration tools to choose from on the market. Always educate yourself and always follow a good security posture.
One other thing to add is that a vulnerability has been identified specifically with Zoom. Even if the software has been uninstalled from the system, it has opened a vulnerability in operating systems that allows a malicious user to access your camera/audio device. Please update your operating system to the latest security update around this issue. We can post information regarding this specific update on our website.
“Zoom can add comprehensive encryption, but only if everyone in a meeting is logged in through one of the Zoom apps.” – Todd Ellis, CTO, Secure Networkers