Zoom has been getting a lot of backlash recently with reports of numerous privacy and security vulnerabilities. My take is that Zoom has a lot of room for improvement on both fronts—but no mainstream videoconferencing tool would stand up particularly well to the kind of stress and scrutiny that Zoom is currently bearing.
Zoom does have some sloppy and irresponsible design flaws. But so do Skype, Microsoft Teams, and WebEx. The main difference is that Zoom did a great job of marketing itself as the gold standard for videoconferencing, which led to the platform receiving a disproportionate share of the COVID-19 response market and a correspondingly disproportionate amount of malicious attention and security research.
I would not necessarily go as far as NASA did last week in banning the use of Zoom, but I would strongly encourage organizations using Zoom to take the following security precautions:
- Check for updates to the Zoom desktop client at least once a week and apply them as soon as they become available. Zoom is rapidly pushing out fixes for the flaws that have been identified, and there is no reason to believe that the rate of discovery and patching will slow down any time soon.
- Switch your account defaults to disable audio, video, and automatic meeting entry for all meeting attendees by default. With these settings in place, attendees will have to wait in a “waiting room” until the meeting organizer lets them into the meeting. Once in the meeting they can manage their audio and video settings themselves.
- Avoid posting Zoom meeting links in any public place (e.g. a website, Facebook, Twitter). For any publicly advertised meeting, limit content sharing and audio control to presenters only. As before, configure the meeting defaults to mute and disable video for all attendees.
- Turn on mandatory two-factor authentication for all Zoom accounts. Security researchers have been finding large numbers of Zoom account credentials for sale at very cheap rates on the dark web, and the rate and sophistication of Zoom-focused phishing attacks is rapidly increasing.
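As an added example (not code from the original post or from Zoom), the recommended defaults above can be checked against an account-settings export so that drift from the baseline is caught rather than noticed after a disrupted meeting; the dotted field names and the sample export are assumptions modelled on a settings document, not verified Zoom API identifiers.

```python
import json

# Recommended baseline from the post, expressed as dotted paths into a
# settings document. The paths are ASSUMED field names (not verified Zoom
# API identifiers); adjust them to match the real export you audit.
BASELINE = {
    "schedule_meeting.participants_video": (False, "attendees join with video off"),
    "schedule_meeting.mute_upon_entry": (True, "attendees join muted"),
    "schedule_meeting.join_before_host": (False, "no automatic entry before the host admits attendees"),
    "in_meeting.waiting_room": (True, "waiting room holds attendees until admitted"),
    "in_meeting.screen_sharing_host_only": (True, "only presenters may share content"),
    "security.two_factor_auth": (True, "mandatory two-factor authentication"),
}

def lookup(doc, dotted):
    """Walk a dotted path through nested dicts; return (found, value)."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def audit(doc):
    """Return findings for settings that are missing or differ from the baseline.

    A missing key is reported rather than silently treated as compliant,
    because an export that lacks the setting tells you nothing about it.
    """
    findings = []
    for path, (want, why) in BASELINE.items():
        found, have = lookup(doc, path)
        if not found:
            findings.append({"setting": path, "status": "missing", "expected": want, "why": why})
        elif have != want:
            findings.append({"setting": path, "status": "noncompliant",
                             "expected": want, "actual": have, "why": why})
    return findings

# Constructed sample export: video on, join-before-host enabled, no 2FA key at all.
SAMPLE_EXPORT = json.loads("""{
  "schedule_meeting": {"participants_video": true, "mute_upon_entry": true, "join_before_host": true},
  "in_meeting": {"waiting_room": true, "screen_sharing_host_only": true}
}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```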
For more details on these controls (and the ongoing controversies), see: