Zoom Video Communications has seen a boom in its user base ever since lockdowns across the world due to the COVID-19 pandemic forced people to switch to video calling for work.
The video calling service initially shot to popularity with its option of customised backgrounds - users could choose from a wide range of virtual backgrounds in meetings to hide their original backgrounds. However, with cybercrimes on the rise, Zoom users have faced breaches of their login credentials, risking the leak of confidential information.
Recently, the Cyber Coordination Centre (CyCord), under the Union Ministry of Home Affairs, issued an advisory to highlight the security issues with the video calling app. The advisory stated that the app was not to be used by government officers for official purposes, and provided a security guideline for private users.
However, the advisory came weeks after images of Union Minister of Defence Rajnath Singh using Zoom to talk to Chief of Defence Staff Bipin Rawat went viral on social media. Aaditya Thackeray, Cabinet Minister of Tourism and Environment of Maharashtra, also tweeted recently about how he used Zoom to conduct meetings with Brihanmumbai Municipal Corporation (BMC) officers.
Zoom was founded by Eric Yuan, an American of Chinese origin, in 2011. Yuan's Chinese origins have drawn criticism from people, with an increasing number of fingers being pointed at China for not being able to contain the COVID-19 outbreak inside its borders. Earlier, the encryption and decryption keys for Zoom meetings were transmitted to servers in China, which has also raised security concerns.
In a recent report, tech blog Bleeping Computer was able to purchase, on the darknet, the credentials of over 500,000 Zoom accounts gathered using credential stuffing.
Credential Stuffing Of Zoom Accounts
Credential stuffing is a commonly used method to compromise user accounts online, and Zoom is hardly the only company to face such an issue.
What is credential stuffing? Hackers collect huge troves of usernames and passwords through various breaches and attempt to stuff them into the login page of other online services. The idea is simple - people are likely to use the same username and password across several sites. If you find the username and password for someone's Facebook profile, chances are you might be able to enter their Gmail using the same credentials.
The best way to protect yourself against credential stuffing is to have a unique password for every digital service you use.
Zoom acknowledged this issue and said that they were "building systems to detect whether people are trying out username and password pairings and block them from trying again".
"We have also hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down websites attempting to trick users into downloading malware or giving up their credentials," the company said in its progress report.
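The kind of detection Zoom describes can be illustrated with a short added example (not Zoom's code and not part of the original article): it scans login events for a single source trying many different usernames with mostly failed attempts, which separates stuffing from one user mistyping a password or many employees logging in from one office address. The log format, thresholds and sample events are assumptions constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window per source
MIN_ACCOUNTS = 5               # assumed: distinct usernames tried by one source
MIN_FAIL_RATIO = 0.8           # assumed: share of attempts that failed

# Constructed sample events: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2020-04-20T10:00:01 203.0.113.7 asha@example.com FAIL
2020-04-20T10:00:03 203.0.113.7 ben@example.com FAIL
2020-04-20T10:00:05 203.0.113.7 chen@example.com FAIL
2020-04-20T10:00:07 203.0.113.7 dana@example.com FAIL
2020-04-20T10:00:09 203.0.113.7 eli@example.com FAIL
2020-04-20T10:00:11 203.0.113.7 fay@example.com OK
2020-04-20T10:01:00 198.51.100.20 gus@example.com FAIL
2020-04-20T10:01:20 198.51.100.20 gus@example.com FAIL
2020-04-20T10:01:45 198.51.100.20 gus@example.com OK
2020-04-20T10:02:00 192.0.2.50 hana@example.com OK
2020-04-20T10:02:10 192.0.2.50 ivan@example.com OK
2020-04-20T10:02:20 192.0.2.50 jo@example.com FAIL
2020-04-20T10:02:30 192.0.2.50 kim@example.com OK
2020-04-20T10:02:40 192.0.2.50 lee@example.com OK
"""

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), outcome == "OK"

def detect_stuffing(lines):
    """Map each suspicious source IP to the accounts it tried and got into."""
    recent = defaultdict(deque)  # ip -> events still inside WINDOW
    flagged = {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > WINDOW:  # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(not o for _, _, o in q) / len(q)
        # Many different accounts, mostly failing: stuffing, not a typo.
        if len(users) >= MIN_ACCOUNTS and fail_ratio >= MIN_FAIL_RATIO:
            hit = flagged.setdefault(ip, {"tried": set(), "succeeded": set()})
            hit["tried"] |= users
            hit["succeeded"] |= {u for _, u, o in q if o}  # need a reset
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG.splitlines()))
```

Accounts listed under "succeeded" are the ones whose reused password worked, so they are the first candidates for a forced password reset.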
BOOM reached out to Sameer Raje, who is the India Head at Zoom Video Communications, with questions that were being frequently asked by social media users.
Speaking on whether there was a hack at Zoom, as many had questioned, Raje stated that the company has found no evidence to substantiate the occurrence of a hack, and that the leak was just a case of credential stuffing.
"We have already hired multiple intelligence firms to find these password dumps and the tools to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials," he said.
Are there any ways for users to mitigate such damage? Raje stated that Zoom was educating its users on best practices on how to use the app to protect their meetings.
"Through our offering of training, tutorials and webinars, including our CEO Eric Yuan's weekly privacy and security webinar, Zoom is continuing to engage with all of our users on how they can best use Zoom and protect their meetings. We encourage users to report any incidents of this kind either to Zoom so we can take appropriate action or directly to law enforcement authorities," he added.
New Security Features
In a blog post written on April 1, Yuan apologised for the laxity in security features and promised to fix the issues being faced by Zoom users. Following this, Zoom has tightened its security features, which have been the focus of the weekly webinar hosted by Yuan.
1. Enhancing Password Complexity For Meetings
According to Bleeping Computer's report, many Zoom users faced the risk of credential stuffing attacks, where leaked credentials from other websites were compiled and tried on Zoom to see if there is a match. "The successful logins are then compiled into lists that are sold to other hackers," they reported. If a potential attacker has access to someone's credentials, they could potentially snoop into private meetings.
To reduce this risk, Zoom has now enhanced the minimum requirements for passwords to include "numbers, letters, and special characters, or allow only numeric passwords".
During the first weekly webinar, named "Ask Eric Anything", Yuan stated that a new and unique password should be set for every meeting.
"For business meetings, I normally use a password, and after everyone has joined, I lock the meeting. And for very sensitive meetings, I will only allow authenticated users from the same domain as mine to join the meeting," Yuan said.
2. Are Calls Encrypted?
In the first webinar, Yuan mentioned that Zoom was using AES-256 ECB encryption, which, according to the company, has now been upgraded to AES-256 GCM (which is considered more secure) in the latest version - Zoom 5.0. In a progress report released on April 15, the company stated that its "long-term focus will involve a totally new cryptographic design that greatly reduces risk to Zoom's system".
3. Enable/Disable File Sharing
Earlier, Yuan had mentioned that the file sharing feature was disabled because of a potential security vulnerability found in it. BOOM was recently informed by a Zoom spokesperson that hosts now have more control over in-meeting file sharing. To prevent the sharing of malicious files, hosts can enable or disable the file sharing option as needed.
4. Default Settings Upgraded
Zoom's progress report stated that meeting passwords and Waiting Rooms will be enabled by default for Basic users and single Pro users. Those who are part of Zoom's K-12 education program will need a password to join meetings, while Waiting Rooms are also activated by default for such users.
5. Data Centre Routing - Increased Control
In one of the most recently released features, account admins for paid Zoom accounts will now have the ability to choose the data centre regions their account can use for real-time meeting traffic. They will be able to do so by either opting out of specific data centre regions, or opting in to a data centre region of their choice.
Cybercrimes On The Rise
The recent spate of lockdowns around the world has pushed people to depend on the internet for most activities, including work. This has drawn the attention of cyber criminals, who are looking to exploit this dependency to extract sensitive information. The attack on Zoom accounts is only one of the many instances of such crimes taking place, as the world comes to terms with data security issues.
Editor's Note: The article was updated on May 11 with the latest information regarding the upgraded version of Zoom.