Zoom hacking saga shows why cyber hygiene is so important

Conventional wisdom dictates that good things don't come easily, and if they do, users should be wary.

Web conference tool Zoom was recently thrust into the spotlight over the ease of trolling and alleged privacy violations on its platform, raising concerns about the security of similar tools that offer "frictionless" access.

San Francisco-based Zoom's tool is popular for two reasons:

* People want to connect remotely with colleagues, business partners and friends in the midst of the Covid-19 outbreak; and

* It is free and easy to use. People don't need to log in to access a meeting. It offers unlimited free online conferencing that can accommodate up to 100 participants.

Zoom's popularity surged almost overnight, with its user base growing from 10 million users in December last year to 200 million last month.

United States agencies handling the coronavirus response spent a collective US$1.3 million (S$1.85 million) on Zoom technologies last month. The British government hosts critical Cabinet meetings over Zoom. In Singapore, media briefings by the Government also take place over Zoom.

Rivals have made moves to catch up. For instance, Skype's new Meet Now allows hosts to create and share a free meeting. Those who do not have the Skype software installed can still join a meeting over the Web.

For the current Covid-19 lockdown, Webex has also removed the 40-minute limit on free online meetings and increased the number of participants from 50 to 100.


As with any platform, Zoom's popularity in recent weeks has seen corresponding upticks in trolling, in what has come to be known as "Zoombombing".

Trolls have reportedly gatecrashed meetings around the world, including in Singapore, and posted obscene images and offensive comments.

The firm has also attracted at least three lawsuits over its admittedly incomplete end-to-end encryption, security flaws that allow hackers to access users' webcams, and non-consensual transfer of users' data to Facebook.

Thousands of recordings of Zoom video calls were found to be left unprotected and accessible on the Web.

Researchers also discovered that Zoom not only uses easy-to-decrypt hosting technologies, but also sends the encryption keys to China, whose government can ask for the keys.

Understandably, the authorities in Taiwan, Malaysia and Germany as well as schools across the United States and companies such as Google are concerned and have banned the use of Zoom.

To repair its damaged reputation, Zoom's chief executive Eric Yuan earlier this month announced a 90-day freeze on releasing new features, to let the company focus on fixing privacy and security issues.

Until recently, Zoom users on its free tiers and cheapest paid ones have not had to key in a password to enter an online conference. The mandatory password feature was turned on only on April 5.

Also recently turned on was a feature that requires people joining meetings to wait in new virtual waiting rooms before being granted access by the host.

Mr Yuan's links to China could have exacerbated users' fears. He was born in Shandong province and attended university there before going to the United States in the 1990s. Although he now lives in California, much of Zoom's research and development takes place in China, where it has 700 employees.


Other similar tools are not off the hook.

"Some of the security issues brought up against Zoom also exist in other conferencing software," said cyber-security expert Aloysius Cheang of London's Centre for Strategic Cyberspace + International Studies.

Even paid services like Microsoft's Skype for Business, Cisco's Webex and Google's Hangouts Meet have not made both password entry and waiting room features mandatory, he said.

While fixing flaws exploited by hackers is often a "whack-a-mole" endeavour to be undertaken by software makers, users too can do their part to be safe.

The same precautions apply to all conferencing software:

1 For one-off meetings, use a random identity for extra security. Don't use your personal meeting identification (PMI) unless you have meetings with the same people regularly. Once a participant has the link to your PMI, he can join the meeting at any time - unless you lock the meeting or use the waiting room feature to admit participants individually.

2 Enable the waiting room feature, if there is one. This allows you, as the host, to see the people attempting to join the meeting before allowing them access. Even so, it may be difficult to tell if a conference joiner called "Tim Cook" is who he says he is.

3 Require a meeting password to be entered to join an invite-only meeting. This will ensure that only those invited can join the meeting.

4 Disable the option for others to join the meeting before the host does. Also, disable screen sharing for non-hosts and the remote control function.

5 Lock a meeting once it starts. This can be done during the meeting by clicking on "manage participants" at the bottom of the screen on Zoom, for instance.
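The five precautions above, expressed as a host-side settings audit. This is an added example, not code from the article or from Zoom; the settings dict and its key names are a constructed, hypothetical schema, not any vendor's API.

```python
# Meeting-hygiene audit for the five host-side precautions in the article.
# Added example, not the article's or any vendor's code; the settings schema is
# a constructed, hypothetical dict, not Zoom's or any other vendor's API.

MEETING = {  # constructed sample: a one-off meeting with weak defaults
    "uses_personal_meeting_id": True,
    "recurring_with_same_people": False,
    "waiting_room": False,
    "locked_after_start": False,
    "password_required": False,
    "join_before_host": True,
    "screen_share_non_hosts": True,
    "remote_control": True,
}


def audit_meeting(settings):
    """Return one finding per precaution the settings violate (empty if clean)."""
    findings = []
    # 1. A personal meeting ID is acceptable only for regular meetings with the
    #    same people, or when the host gates entry (waiting room or lock).
    gated = settings["waiting_room"] or settings["locked_after_start"]
    if settings["uses_personal_meeting_id"] and not (
        settings["recurring_with_same_people"] or gated
    ):
        findings.append("use a random meeting ID instead of the PMI for one-off meetings")
    # 2. The waiting room lets the host see joiners before admitting them.
    if not settings["waiting_room"]:
        findings.append("enable the waiting room")
    # 3. A password stops the link alone from being enough to join.
    if not settings["password_required"]:
        findings.append("require a meeting password")
    # 4. Nobody should be in the room, sharing or controlling it, before the host.
    if settings["join_before_host"]:
        findings.append("disable join-before-host")
    if settings["screen_share_non_hosts"]:
        findings.append("disable screen sharing for non-hosts")
    if settings["remote_control"]:
        findings.append("disable the remote control function")
    # 5. Lock the room once the expected participants have arrived.
    if not settings["locked_after_start"]:
        findings.append("lock the meeting once it starts")
    return findings


if __name__ == "__main__":
    for finding in audit_meeting(MEETING):
        print("-", finding)
```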

While security and convenience are a fine balancing act for firms, users should not have to trade their privacy for convenience.

Zoom's saga serves as a reminder that cyber hygiene is just as important as physical hygiene during this Covid-19 pandemic.


A version of this article appeared in the print edition of The Straits Times on April 10, 2020, with the headline "Zoom hacking saga shows why cyber hygiene is so important".