Jake Moore, a cybersecurity expert at ESET and former police digital forensics investigator, says a recent private video meeting he was in was Zoombombed. “For very private meetings, I would not be touching any type of videoconference software that is free,” he says. “You’ve got to do your research, especially the amount of data that is being used.”
Zoom collects data on anyone using its free service, which it operates alongside paid business and government tiers, even if you don’t have a Zoom account. Its terms and conditions say it collects information including your name, physical address, email address, phone number, job title and employer.
“The main thing for businesses to assess is if something is for free, what are they giving to it? They’re not just going to give you that service for nothing,” says Andrew Dwyer, a cybersecurity researcher at the University of Bristol. “It’s imperative to look at whether you should be paying for some of these services to enhance the security.”
With millions of people working from home, their IT departments aren’t always able to control what software is installed on their devices. That could leave businesses open to cyberattacks, because personal computers are running outdated versions of software that haven’t received the latest security patches. “It’s a good reason to make sure people have the latest version,” says Alan Woodward, a cybersecurity academic at the University of Surrey.
Other experts point to an incident last year where a security researcher uncovered a serious flaw in Zoom’s software that could allow hackers to activate people’s webcams if they have Zoom installed. Zoom waited months to fix the problem after being notified of the issue.
“Every single piece of online tech has issues at some point in its life,” Dwyer says. “What you want to look at is how it responds to those instances. With Zoom, in that particular flaw it had, it took a long time for it to respond. That is an issue.”
The recent issues with Zoom’s software have caused experts to worry about the Government’s use of the software for its virtual Cabinet meeting. Matt Lock, the technical director of cybersecurity business Varonis, warns that hackers now know ministers are regularly using Zoom.
“Hackers now have a known targeted application to send spear phishing emails about,” he warns. “They could create something such as, ‘Dear MP, we are updating our Zoom software to comply with MoD security standards. Please follow the link to install the latest update.’”
However, a Government spokesman defended the Prime Minister’s use of the software, citing guidance issued by the National Cyber Security Centre: “In the current unprecedented circumstances, the need for effective channels of communication is vital. NCSC guidance shows there is no security reason for Zoom not to be used for conversations below a certain classification.”
The UK government’s position is clear: it will continue using Zoom for meetings that don’t include discussions about any restricted topics. Experts urge businesses to apply the same consideration to their own use of the software. “Do your due diligence, don’t just take things for granted,” Woodward says.
A Zoom spokesman said it “takes user security extremely seriously”. It said more than 2,000 institutions had done “exhaustive security reviews of our user, network and datacenter layers, confidently selecting Zoom for complete deployment. Zoom are in communication with the Ministry of Defence and National Cyber Security Centre and are focused on providing the documentation they need”.