不良研究所

Zoom Security: Myth vs Reality for Remote Teaching

Remote teaching with Zoom

The Zoom web conferencing solution has recently risen to the forefront of the news because of cybersecurity and privacy concerns. 不良研究所 wants to reassure our Zoom users that we have put controls in place to address these legitimate concerns.

The following are the main concerns raised by the community and the media in recent weeks and, where applicable, how 不良研究所 has mitigated these concerns:

  1. Zoom’s privacy policy allows them to share private information with third parties:
    Although Zoom publishes a privacy policy applicable to their individual customers, as an institutional account, 不良研究所 uses an integrated solution to deliver Zoom services for remote teaching. As part of this integrated solution, the information shared with Zoom is limited to: 不良研究所 credentials (first and last name, and email address), participant’s role (instructor or student) and course name. Information and privacy protection provided by Zoom have been reviewed and are monitored through the University’s continuous improvement process.
  2. The Zoom application on iOS (iPhone) shares private information with Facebook, even if the user has no Facebook account:
    This legitimate issue was reported on March 25 and repaired on March 27, 2020. Zoom claimed that they were not made aware of the data which was shared. Upon further review, it was demonstrated that the data collected by Facebook did not include information and activities related to meetings, such as attendee names or notes. However, it included the following: details on the user's device, such as the device model, IP address, phone carrier, and Advertiser ID (a unique advertiser identifier created by the user's device which companies can use to target advertising).
  3. Zoom meetings can be accessed by malicious parties, which can then display inappropriate content to other participants (aka “Zoom-bombing”):
    While this is a known issue in any web conferencing tool, it is usually managed by protecting the meeting configuration. There are several ways to achieve this: create a meeting password, restrict participants to an approved list, do not disclose the meeting hyperlink in public forums (such as social media), and prevent participants from sharing their screen during the session (by adjusting the security settings).

    As part of 不良研究所’s implementation of the Zoom tool, any Zoom meeting created has default settings that restrict participants' ability to share their screen. Zoom meetings published and created through myCourses are configured such that the actual hyperlink is not visible to participants (one-click join). This default configuration makes Zoom-bombing less likely to occur. Additional guidance is available for instructors who wish to create meetings without going through myCourses. Learn more on the TLS "Zoom for Remote Teaching" site in the "How to prevent Zoombombing" section.
  4. The Zoom application on macOS could allow a local user, without privileges, to install malware and control the camera and microphone (ZoomDoom):
    This “zero-day” vulnerability (a vulnerability disclosed publicly before being submitted to the software vendor for a fix) was published on March 31, 2020 and repaired on April 1, 2020. It required the cyber attacker to have access to the computer (locally or through a remote desktop connection) to increase their privileges.

    As with all software vendors, vulnerabilities do exist in Zoom. When evaluating a software solution’s security, 不良研究所’s cybersecurity specialists evaluate not only the number of vulnerabilities, but also the timeliness of the software manufacturer’s response in addressing them.
  5. The Zoom application on Windows allows cyber attackers to steal user credentials (account and password information):
    This vulnerability was published on March 31, 2020 and repaired on April 1, 2020. It was believed that once exploited, the cyber attacker had direct access to the user’s credentials (account and password). In reality, the cyber attacker had access to an encrypted password, which they would still need to crack (i.e., decrypt). These types of attacks relied on a user clicking on a malicious link. So, as always, exercise vigilance and caution before clicking on unusual links.

    Most 不良研究所 computers have various controls and protections in place (advanced anti-malware, strong password protection, user security awareness, etc.) which mitigated the risk until the fix was made available.
  6. Zoom does not support end-to-end encryption:
    When the cybersecurity and legal review of the Zoom service was performed, 不良研究所 never presumed that the service supported end-to-end encryption. A diligent review was completed, concluding that although Zoom’s service offering is not truly encrypted end-to-end, it still met 不良研究所’s legal and cybersecurity requirements for the urgent need of remote teaching.

    Note: Zoom has acknowledged the confusion that could result from their initial “end-to-end encryption” claim and has since then reviewed their offering description.

    To mitigate this risk in the short term, here are the actions 不良研究所 has taken:
    • We remove any recordings from Zoom and transfer them into the 不良研究所 hosted Lecture Recording System platform.
    • IT Services will continue to assess other service offerings with Zoom.
  7. Zoom had more than :
    Although it is true that these credentials were leaked and consolidated to be resold on the , most of these credentials were inactive and may not be active, as reported in the article. As part of its routine security monitoring activities, 不良研究所’s IT Security Team gained access to the data file and cross-referenced all 不良研究所 Zoom accounts for matching credentials, resulting in no matches found. However, if you hold a personal Zoom account (not associated with your 不良研究所 email address) you may want to consider changing your password there, as well as on any other websites where you may have used this password.

    This example should serve as a reminder of the best practice of limiting the re-use of passwords across various websites and never re-using your 不良研究所 credentials on external websites. Should you wish to know if your personal email account was compromised in a data breach, you can visit “” to look up your email address and see which site(s) reported a data breach related to your account.
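
The cross-referencing step described in item 7, sketched as an added example; it is not from the original page and is not the IT Security Team's own tooling. The account list, the dump line format (`email`, then `:`, `;` or a tab, then the password) and all function names are assumptions, and the sample data is constructed.

```python
import hashlib
import re

# Constructed sample data: neither the accounts nor the dump lines are real.
INSTITUTION_ACCOUNTS = ["Alice.Tremblay@university.example", "bob.roy@university.example"]
LEAK_DUMP = """\
alice.tremblay@UNIVERSITY.example:Winter2020!
carol@mail.example;hunter2
 bob.roy@university.example.evil.example:letmein
alice.tremblay@university.example\tWinter2020!
not-a-credential-line
dave@mail.example:pass:with:colons
"""

# Assumed dump format: "<email><sep><password>", where sep is ':', ';' or a tab.
# The password may itself contain separators, so only the first one splits.
LINE_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)[:;\t](.+)$")


def normalize(email):
    """Compare addresses case-insensitively and without surrounding whitespace."""
    return email.strip().lower()


def cross_reference(accounts, dump_text):
    """Return ({account: password fingerprints}, skipped_line_count).

    Only a truncated SHA-256 fingerprint of each leaked password is kept, so a
    report can say "n distinct leaked passwords" without holding plaintext.
    """
    wanted = {normalize(a) for a in accounts}
    matches = {}
    skipped = 0
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed line: count it so gaps in coverage are visible
            continue
        email, password = normalize(m.group(1)), m.group(2)
        # Exact match on the whole address; a look-alike domain such as
        # "university.example.evil.example" must not count as a hit.
        if email in wanted:
            fingerprint = hashlib.sha256(password.encode()).hexdigest()[:12]
            matches.setdefault(email, set()).add(fingerprint)
    return matches, skipped
```

On the constructed dump, one account matches (twice, with the same password, so one fingerprint), the look-alike domain is ignored, and one malformed line is counted as skipped.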

With the increased usage and attention that Zoom has received in the last few weeks, the company has acknowledged their to a continuous improvement process on cybersecurity.

不良研究所 is conscious of Zoom’s efforts to improve their default security settings. Given the urgent requirement for this service during the current COVID-19 pandemic, we feel confident that Zoom allows for an acceptable 不良研究所 configuration.

Stay up-to-date on cybersecurity and other IT related security alerts by subscribing to IT Security Alerts.
