Zoom: Is it secure, can it be hacked, and how do you use it safely?

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

A relatively obscure video conferencing app has found itself the go-to way for people and businesses to connect while under lockdown.

In the space of just a few weeks, Zoom has seen its user numbers sky-rocket as hospitals, schools and even governments make use of its free service to host virtual meetings and remain operational.

The huge surge in popularity has brought with it a new level of scrutiny, with the US-based firm now forced to juggle lawsuits and federal warnings alongside the massive strain on its servers brought about by new users.

Questions have inevitably been raised about how safe Zoom actually is and whether it can be trusted.

Zoom’s website and security white paper state that security is “the highest priority in the operations of its suite of products and services”. It boasts “Firewall compatibility”, “role-based user security” and “end-to-end chat encryption”.

The question is how well these buzz words stand up to actual security threats in the real world. A recent report by investigative news outlet The Intercept claimed that Zoom is guilty of “misleading marketing”, as it does not provide end-to-end encryption to protect the privacy of its users during video meetings. (Text chats do appear to be end-to-end encrypted.)

A separate investigation by Vice alleged that Zoom is “leaking personal information of at least thousands of users”, by treating their personal email addresses as if they all belong to the same company. This apparently allows strangers to start video calls using a person’s email address and photo.

Zoom has also admitted to sharing user data with Facebook through its ‘Login with Facebook’ feature for iPhone and iPad users, however this this has since been discontinued.

Cyber security specialist Jake Moore, who works for antivirus firm ESET, recommends using other end-to-end encrypted video platforms to ensure privacy.

“For social and light business meetings they are fine as long as users realise what data is being shared by Zoom to third parties,” he says. “I certainly wouldn’t recommend using free software for sensitive or private meetings.”

Nearly all online apps and services are vulnerable to being compromised through attacks like phishing, whereby login information is elicited through duplicitous websites and emails. The open nature of Zoom means it is particularly vulnerable to other types of sabotage.

One attack method has become so widespread that it has led to a new term being coined: ‘Zoom-bombing’. This is where strangers join conference calls and hijack them by broadcasting pornographic images, shouting profanities, or issuing threats to the people involved in the call.

Multiple reports have been filed to the FBI, including incidents that happened during online school lessons. To prevent it from happening, users are urged to make meetings or classrooms private and password-protected.

The question to ask, according to some experts, is not whether Zoom can be hacked, but whether it is even worth it for cyber criminals to target it.

“Many controversies now exist around Zoom’s security and privacy, though it is extremely far from dominating the plethora of emerging security risks,” Ilia Kolochonko, founder and CEO of web security firm ImmuniWeb, tells The Independent.

“Few attackers will ever bother to intercept Zoom communications, even fewer will extract any value from the alleged data sharing with Facebook.”

While there will always be risks with any online app, there are ways to ensure the maximum level of security by adjusting the platform’s settings.

To avoid being ‘Zoom-bombed’, users should avoid sharing the link or meeting ID on social media or other public websites.

This was done by Prime Minister Boris Johnson when he shared a screenshot of his virtual cabinet meeting on Twitter, though fortunately the meeting was password protected.

Along with using a strong meeting password, users should also set screen sharing to “host only” where possible.