Using Zoom safely

Since moving into Alert Levels 3 and 4, more New Zealanders than ever have been exploring new ways of connecting online. The use of cloud-based video software like Zoom, Houseparty and Tiktok have increased dramatically.

11 May 2020

As we change the way we work and play to online, we all need to think about whether the services that we’re using are secure, fit for the information we’re sharing and that we understand the risks that we might encounter.

As with all online services and software, how safe it is and what you can use it for depends on your specific circumstances.

What is Zoom?

Zoom is cloud-based video software which is used for hosting online meetings using video, audio and screen-sharing. This type of software has become popular recently as New Zealanders adopt new technology to manage remote meetings or host social gatherings online.

You may have heard of Zoom in news articles recently about issues around software vulnerabilities, lists of passwords available and outsiders accessing meetings, known as ‘Zoom-bombing’. Given these issues, is it safe to use Zoom?

How to use Zoom safely

While CERT NZ can’t assess Zoom for every use, there are some things you can think about to help you stay safe while you’re using it. If you or your organisation has concerns about any of the points raised here, you should do your own risk assessment to make sure it is safe for you and your data.

Whether you’re using or hosting a Zoom meeting, you should always do the following tips.

Use the most up-to-date version, whether you use Zoom software, in a web browser or the mobile app

This means making sure the Zoom software you downloaded comes from the Zoom website and is for the most up-to-date version.

If you are using the web application, there is no software to download however you should keep your browser software up-to-date.

If you are using the mobile application, only download it from your phone’s official mobile application store and keep it up-to-date.

Use a unique and strong password

Make sure the password you use is long and only used on your Zoom account.

Use two-factor authentication

Turn on two-factor authentication (2FA) for your Zoom account so an attacker can’t guess your password and access your account, contacts, and meetings. This is available for the browser version but not yet for desktop or mobile applications.

Turn on two-factor authentication for Zoom External Link

When hosting a meeting, set it up securely

If you are hosting a meeting, you can do the following:

  • use instant or scheduled meetings rather than your personal meeting ID
  • send the meeting invite directly to participants, rather than posting the details publicly
  • use the waiting room feature in Zoom to control who can instantly join a meeting
  • manually lock the meeting after it starts
  • check who is on the call before starting. Requiring everyone to use video is a good way to make sure everyone on the call is meant to be there
  • limit screen sharing and conversations to non-sensitive information.

 Issues identified with Zoom

Recent weaknesses have been disclosed about Zoom that you should be aware of. We list them by feature and include actions to mitigate them.

Zoom-bombing: outsiders accessing your meeting

If someone has your meeting ID, they can access your meeting and share any files or audio they want. This usually results in people joining meetings and sharing loud noises and inappropriate photos.

  • Send your meeting invitation directly to participants rather than sharing it publicly.
  • Don’t use your personal meeting ID
  • Require a password to enter the meeting
  • Use the ‘waiting room’ feature
  • Turn off file share – this limits the number of things unwanted guests can do.

How to secure your meeting using these features External Link

Recorded meeting features

If you’re recording a meeting, you can choose to save it locally on your computer or you can save it to online on Zoom. For recordings saved to Zoom, the URL addresses for the recordings can be guessed - if the meeting has no password or a weak password, anyone could re-watch your recording if they guessed the URL.

There was a software update that now requires recorded meetings to have a password and requires a user to pass a CAPTCHA to view them, however these passwords can still be manually guessed.

  • Don’t record meetings unless you need to
  • If you need to save a meeting, save it locally to your computer
  • Use strong passwords

Software vulnerabilities

Some software vulnerabilities (where the code allows someone to do something unintended) have been identified. Zoom has now resolved these with the latest software version.

  • Always update software when there’s a new version available. This includes your operating system, your browser and applications, like Zoom.

Zoom usernames and passwords for sale

There are reports of several thousand usernames and passwords for Zoom accounts for sale online. It doesn’t appear Zoom has had a data breach, this list is from previous data breaches where email addresses and passwords for different systems have been leaked online. These usernames and passwords have been reused on people’s Zoom accounts. Thankfully this is a small proportion of users and shows why having unique passwords for every account is important.

  • Use unique, strong passwords for each account online.
  • If your Zoom password is one you use on other accounts, change it to a unique password.
Zoom and your data

Zoom is safe to use for most general meetings online. If you have confidential information to discuss, do a risk analysis to decide if it’s right to use for your situation. Below are some points to consider as part of your decision, before sharing your information and files over Zoom:

  • Using Zoom on VPN: If your staff use a VPN to access your network, this will mean all traffic will go through that VPN connection. Ask your staff to disconnect from the VPN first. This will prevent Zoom meetings putting a large amount of stress on your VPN and causing the quality of the meeting and VPN to decrease.
  • Data privacy: There is still ongoing discussion around Zoom’s privacy policy and how they use or sell data they collect from users. There are also still open concerns around how the mobile application tracks user’s actions due to excessive app permissions.
  • Data passing through different areas: Since Zoom is a cloud-based tool, meeting data is transferred between multiple geographies in order to operate. You can only control this by paying for a paid account.
  • Public sector advice: The NCSC have provided their review of Zoom for the use in the public sector.