Zoom is the hit software product of the coronavirus pandemic, and it’s easy to see why. We all need to connect right now, and Zoom is really easy to use.
That’s also the problem.
Whenever a technology is easy to use, it’s often easy to exploit. And Zoom is finding that out the hard way.
If you haven’t heard the word “Zoom-bombing” by now, you will. Creeps barge into video meetings uninvited and do awful things, largely because Zoom makes it so easy to set up and join meetings. Teachers are finding unwanted digital visitors show up posting porn in front of students; a virtual meeting of black women was interrupted by an invader screaming racist slurs. It’s awful.
Meanwhile, the firm has made some major missteps on its own. It was sharing users’ information with Facebook without their knowledge; it was matching anonymized users with their LinkedIn profiles; it has a spooky “attention monitoring” feature for bosses. (A list of even more horribles is here.)
Zoom is providing a lifeline for millions of people right now, many of them students using the service for free, so I don’t think we should be too hard on it. I also don’t think you should avoid it because of all these missteps. But you should proceed with care when using Zoom, and I’ll give you my advice in a moment.
But first I want to explain the problem a bit. Zoom usage is … zooming. CEO Eric Yuan said in a blog post this week that his company never expected to suddenly be the world’s platform for communicating, and a flood of new consumer use cases has exposed the service’s flaws. How big is that flood?
“As of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid,” he wrote.
Here’s why that matters to you: Yuan has admirably said he’s stopped all feature development for 90 days and is putting all his resources into fixing security and privacy issues. That’s good, but so far, it hasn’t worked. Moving forward, I’d be very skeptical of Zoom’s claims while it deals with the sudden usage crunch and criticism.
In other words, don’t plan on Zoom taking care of your safety. Do it yourself, by checking many settings manually.
For example, Zoom has claimed publicly (here, to security journalist Brian Krebs, and here, in an FBI warning) that meetings are password-protected by default — meaning only users with the password can enter. That defies my personal experience, and empirical evidence. My inbox is littered right now with meeting invitations, not a one requiring a password. And my own meetings, which I hosted, didn’t require a password until I manually set that option.
That matters because, without a password, it’s not all that hard to barge into open Zoom meetings. All you need is a meeting ID, which is usually a nine-digit number.
These can be guessed, or someone could just stumble around looking for random open meetings. Zoom says it stops would-be bombers from brute-forcing their way into meetings by guessing a series of numbers in sequential order, but researchers say they’ve defeated this measure. Krebs talked to a researcher who created a tool that went looking for open Zoom meetings and found 14% of all meetings right now were not password-protected.
When I reviewed Zoom’s password settings, I found the options very confusing.
Ultimately, there is a single setting that meeting hosts can toggle which requires passwords on all new meetings — it’s under Settings, then “Require a password when scheduling new meetings.”
But there are several other places where users can toggle security settings. A host can simply require that users authenticate by logging into Zoom, rather than require a password. A host can require a password for only a single meeting. Hosts can require passwords only for users who dial in. Teachers can set a password for a virtual classroom. Meanwhile, a host can limit a meeting to a preselected list of members with certain email addresses.
All these options might make an IT manager at a large company happy. But it strikes me that Zoom doesn’t have a unified vision for authentication of participants, just a bunch of features.
For newbies, this is a disaster. Zoom is begging for misuse by teachers who are trying to make 25 excited kids sit still long enough to share the stories they wrote that day. Don’t forget, everyone who hosts a Zoom meeting right now is also performing tech support, and dealing with panicked Facebook messages and emails from participants who can’t get into the meeting for some reason. That’s also a recipe for relaxing all controls, making things easier for Zoom-bombers.
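To make the overlap between those options concrete, here is an added example (not from Zoom or from the original article) that reduces them to one question per meeting: what still stands between a stranger holding the meeting ID and the room? The field names and sample meetings are hypothetical, and the model assumes a login requirement without a member list admits any signed-in account.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the host options listed above. These field names are
# invented for the example; they are not Zoom's setting or API names.
@dataclass
class Meeting:
    topic: str
    password: bool = False               # password required for every join
    dial_in_password_only: bool = False  # password asked of phone dial-ins only
    require_login: bool = False          # participants must sign in first
    allowed_emails: list = field(default_factory=list)  # preselected members

def weakest_gap(m: Meeting) -> Optional[str]:
    """Return the widest remaining gap for one meeting, or None if gated."""
    if m.password or m.allowed_emails:
        return None  # a shared secret or a named member list gates every join
    if m.require_login:
        # Assumption of this model: login alone does not restrict which accounts.
        return "login only: any signed-in account that has the ID can join"
    if m.dial_in_password_only:
        return "password covers dial-in only: app joins need just the ID"
    return "open: the meeting ID alone admits anyone"

def audit_all(meetings):
    """Map each meeting topic that still has a gap to its description."""
    report = {}
    for m in meetings:
        gap = weakest_gap(m)
        if gap is not None:
            report[m.topic] = gap
    return report

# Constructed sample data, not real meetings.
SAMPLE = [
    Meeting("Grade 3 story time"),
    Meeting("Staff call", dial_in_password_only=True),
    Meeting("Office hours", require_login=True),
    Meeting("Board review", password=True),
    Meeting("Class 7B", allowed_emails=["student1@example.edu"]),
]

if __name__ == "__main__":
    for topic, gap in audit_all(SAMPLE).items():
        print(f"{topic}: {gap}")
```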
So, here’s my quick-and-dirty advice for using Zoom in schools, or anywhere:
1. Know where the eject button is at all times
Just presume something bad might happen. A stranger could get into your Zoom, or a kid might show something inappropriate. And be ready. You have many options, from most drastic to least:
- “X” the room. Close Zoom immediately. It’s brutal but it will end the problem. People can rejoin, it’s not the end of the world.
- Make the user leave. Hosts can boot individual users by selecting “Remove” from the menu pictured below, which is reached by clicking the three dots next to the attendee’s image. (People you remove cannot get back into the meeting.) Hosts can also mute users or turn off their video at any time by selecting “Stop Video” from the menu below. It’s also possible to mute all participants from the participants panel on the right.
- Use the “attendee-on-hold” option to put users in timeout for a short while, a bit less dramatic than “remove.” That feature must be toggled on from the administrative options menu.