Security Researchers Develop Tool that Harvests Zoom Meeting Info

Because of the recent coronavirus pandemic, many people have been forced to work from home. For interpersonal meetings, companies had to find a solution that would let them teleconference cheaply. Zoom was one solution that was adopted and recommended the world over, to the point where it is now used for both business and education.

Unfortunately, Zoom isn’t very secure. Security researchers proved this by developing a tool that can harvest information from Zoom meetings.

What Does the Tool Do?

When someone creates a new Zoom meeting, it’s given a unique ID. The host can then share this ID with the people they want to meet with. Attendees then enter the ID on their side to join the room.

Security researchers developed zWarDial, a tool that scans these IDs for information. The tool managed to find a legitimate meeting ID 14 percent of the time, which is pretty impressive given that Zoom IDs are between nine and eleven digits long.

The tool found around 100 meetings per hour that didn’t have a password lock on them. From these meetings, it could glean information, including who started the meeting and what its topic was.

Why Is this Bad?

This flaw is bad for two reasons: Zoom-bombing and espionage.

Zoom-bombing is when an individual or a group raids an open Zoom meeting. Zoom-bombers often yell obscene comments at the attendees and show offensive images via Zoom’s screen-share feature.

Because this tool specifically finds meetings that have no password on them, Zoom-bombers can take the ID from the tool and use it to invade the meeting without being stopped.

Not everyone is concerned with causing trouble, however. By using the host details and meeting topic, malicious agents can glean leaked information about the company hosting the meeting. If the agent wanted to know more, they could try sneaking into the unprotected meeting to get more information.

Adding Security to Meetings

Fortunately, the tool was created by a security researcher called Trent Lo. As such, while this flaw is quite scary, it was discovered by someone who wants to show and alert others to the problem, rather than benefit from it.

Lo went on to say that, because the tool could only glean information from non-password-protected meetings, the best way to defeat the attack was to put a password on every Zoom teleconference. This stopped zWarDial from grabbing details.

In response to the development of zWarDial, Zoom said the following:

“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join.

“Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out. We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”

As such, even if it’s convenient to share a meeting link with no password, always set one to avoid people invading your teleconference.

Keeping Safe on Zoom

Zoom has exploded in popularity after the coronavirus outbreak, but its security leaves much to be desired. This is proven by zWarDial, a tool created by researchers that can harvest information from unprotected meeting rooms. By setting a password, you can protect your own meetings from this attack. Alternatively, you can make use of other video conferencing tools with better security.

Simon Batt
