CySecK Advisory – Usage of Zoom for online meetings

Published on: 17-April-2020

Advisory Summary

Multiple security and privacy issues have been identified in the Zoom online meeting / webinar platform. Based on these issues, the following are recommended.

  1. Government officers / offices are advised not to use Zoom for online meetings.
  2. Private individuals / enterprises are recommended to avoid Zoom for any meetings discussing confidential / secret matters. If you have purchased Zoom licences, you can continue using them for the remainder of the licence period for non-secret meetings.
  3. Private individuals / enterprises using Zoom should review the settings on the platform and follow the best practices.
  4. All users are advised to update the Zoom client on their systems to the latest version.

Key recommended settings

The following key settings are recommended to be configured on the Zoom platform.

  1. Use the waiting room feature of Zoom, so that the host(s) must explicitly admit attendees after they log in and before they enter the meeting.
  2. Configure the settings so that meetings begin with participants' video and audio muted by default, and only the host(s) control who is allowed to speak / share video.
  3. Insist on people signing up for a Zoom account with a recognisable name, so that intruders can be identified easily.
  4. Set the chat setting so that participants can only message the host.
  5. Set a new meeting ID and password for each meeting.
  6. Disable "join before host".
  7. Allow screen sharing by the host only.
  8. Disable "Allow removed participants to re-join".
  9. Lock the meeting once all attendees have joined.
  10. Inform all attendees if the meeting is being recorded.
  11. Ensure the Zoom client used is always kept updated to the latest version.

Ministry of Home Affairs has provided a comprehensive list of suggested settings for secure usage of the platform at http://164.100.117.97/WriteReadData/userfiles/comprehensive-advisory-Zoom-%20meeting%20platfom-20200412-(2).pdf
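
As an added illustration (not part of the original advisory or of any Zoom-provided tooling), the checker below audits a meeting's settings against the baseline in the list above and produces a hardened copy. The key names (`waiting_room`, `mute_upon_entry`, `participant_video`, `join_before_host`, `use_pmi`, `password`) are modelled on the Zoom API v2 meeting object but are an assumption here: verify them against a real meeting record from your own account before relying on the output. The sample meeting is constructed for the example.

```python
"""Audit a Zoom meeting record against the advisory's recommended settings.

Added example. Field names are an assumption modelled on the Zoom API v2
meeting object; confirm them against a real GET /meetings/{id} response.
"""
import copy
import secrets
import string
from typing import Any, Dict, List

# Baseline derived from the advisory's "Key recommended settings" list.
# The comment on each line gives the number of the setting it implements.
RECOMMENDED_SETTINGS: Dict[str, Any] = {
    "waiting_room": True,        # 1: host explicitly admits each attendee
    "mute_upon_entry": True,     # 2: audio muted when participants join
    "participant_video": False,  # 2: video off when participants join
    "join_before_host": False,   # 6: nobody can enter before the host
    "use_pmi": False,            # 5: fresh meeting ID, not the reusable personal one
}

# Constructed sample: a meeting created with the weak defaults the advisory warns about.
WEAK_MEETING: Dict[str, Any] = {
    "topic": "Quarterly review (constructed sample)",
    "settings": {
        "waiting_room": False,
        "mute_upon_entry": False,
        "participant_video": True,
        "join_before_host": True,
        "use_pmi": True,
    },
    # no "password" key at all: setting 5 is violated
}


def audit_meeting(meeting: Dict[str, Any]) -> List[str]:
    """Return one finding per deviation from the baseline; empty list means compliant."""
    findings: List[str] = []
    settings = meeting.get("settings", {})
    for key, wanted in RECOMMENDED_SETTINGS.items():
        actual = settings.get(key)
        if actual is None:
            # Absent keys cannot be assumed safe; report them so a human checks.
            findings.append(f"{key}: not present in settings (cannot verify)")
        elif actual != wanted:
            findings.append(f"{key}: is {actual!r}, recommended {wanted!r}")
    # Setting 5: every meeting needs its own password.
    if not meeting.get("password"):
        findings.append("password: no meeting password set")
    return findings


def new_meeting_password(length: int = 10) -> str:
    """Random alphanumeric password (assumption: 10 alphanumeric chars fit Zoom's rules)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden(meeting: Dict[str, Any]) -> Dict[str, Any]:
    """Return a hardened copy of the meeting; the input is left unchanged."""
    fixed = copy.deepcopy(meeting)
    fixed.setdefault("settings", {}).update(RECOMMENDED_SETTINGS)
    if not fixed.get("password"):
        fixed["password"] = new_meeting_password()
    return fixed


if __name__ == "__main__":
    for finding in audit_meeting(WEAK_MEETING):
        print("FINDING:", finding)
    hardened = harden(WEAK_MEETING)
    print("after hardening:", audit_meeting(hardened) or "compliant")
```

The remaining advisory items (recognisable display names, host-only chat and screen sharing, locking the meeting, announcing recordings) are account-level or in-meeting actions rather than per-meeting fields, so they are not covered by this checker and still need a manual review.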

References

  1. CERT-In advisory regarding vulnerabilities in Zoom – https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0011
  2. CERT-In advisory regarding secure settings for Zoom – https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0010
  3. CERT-In advisory regarding generic best practices for web conferencing – https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0020
  4. Multiple security vulnerabilities identified in the Zoom client for Windows and macOS – https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0011
  5. Concerns related to Zoom's iOS app – https://www.msn.com/en-gb/money/technology/video-calling-app-zooms-ios-version-is-sharing-user-data-with-facebook/ar-BB11LEvv
  6. Weak encryption of Zoom communication – https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
  7. Other concerns related to Zoom – https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/?fbclid=IwAR3GdjDfhoEhtEmaWQOBmwpcVHNraW4falDl-AQBMxxxplEYH3amoYY0T18
  8. Recommended settings for secure usage of Zoom – https://twitter.com/BostonJoan/status/1243923595874783232