Security Advice for Zoom Videoconferencing

Written by: Sean Cox, Esq.

The COVID-19 pandemic and the widespread shelter in place orders have, temporarily at least, changed how humans interact. Luckily, there are more options today than ever before which allow many to maintain a modicum of normalcy. Companies, schools, churches, families, and friends have turned to video conferencing solutions to stay in touch in these difficult times. One application, Zoom, has seen astronomical increase in popularity. In March this year, Zoom saw a significant increase in users (from just 10 million users at the end of 2019 to more than 200 million users).

Likely due to its sudden growth, Zoom has experienced growing pains and has received much criticism for its security holes. Users went into a frenzy over a report published in April that claimed more than 50,000 Zoom accounts had been hacked and sold on the Dark Web. Zoom advisor Alex Stamos, however, said that the credentials were likely stolen through malicious codes installed on victims’ computers or elsewhere on the Internet. There have been reports of unwanted trolls joining school or church sessions and disrupting the sessions with obscene language and hate speech. In the wake of security threats, India banned the use of Zoom for government remote meetings in April. The New York school system has also banned the video conferencing app based on security concerns.

Zoom has heard the criticism and responded by educating its members on security features, making the features easier to locate, and introducing new features. Zoom claims that it is working with cyber-security firm Luta Security to identify and eliminate security loopholes. The Silicon Valley startup also has a bug bounty program under which it rewards ethical hackers who find security flaws in its operations. The following are just a few of the features that we recommend considering for any meeting:

• Do not use personal meeting ID (PMI) to host public events. The PMI is unique to the user and is used again for many meetings. In the event you are hosting a public meeting where the event ID will be open to the public or people you may not know well, it is recommended to generate a single-use meeting ID and distribute that ID. Do not share your personal ID publicly.
• Enable the waiting room feature. The Host should enable this feature which requires the Host to permit each user to enter the Zoom meeting after the user attempts to connect.
• Require that users be signed into Zoom. Zoom allows users to participate in a conference even if they have not signed up for an account. This flexibility is great, but it also allows bad actors to join and remain anonymous. Requiring all users to be signed in can prevent this and is unlikely to prevent wanted users from attending because free Zoom accounts are available.
• Make it mandatory for attendees to use a passcode to join. Apply the feature to your personal meeting IDs, so only users with a valid passcode will be able to contact you.
• Once all your attendees arrive, lock your meeting.
• Disable private chat.
• Use Zoom’s security features to prevent your attendees from annotating during a screen share. Decide whether you want to disable the feature temporarily or for the entire meeting.
• Appoint a trusted attendee as a co-host.
• Remove unwanted participants. Prevent them from rejoining once removed.
• Stay on top of Zoom updates.
• Lastly, there are options available to the Host that will help prevent any disturbance even if an unwanted guest makes it into the meeting: disabling screen sharing for all but the host; muting other users; disabling group chat; disabling file sharing; and kicking out bothersome guests.

Hopefully, the world will return to normal soon, but video conferencing will continue in importance. These security tips will remain relevant long after the pandemic is just a memory.