Zoom Video Conferencing – Security Breach Amid Covid-19
Before the COVID-19 crisis, a lot of people haven’t even heard of Video Conferencing application Zoom. As coronavirus has moved many in-person activities online, the use of video conferencing applications has also seen a surge in demand in the past two months. One such application we are talking about today is Zoom: Video Conferencing, Web Conferencing, Webinars application.
The company has claimed that it has seen a 535% rise in daily traffic in the past month but according to security researchers the Application is a privacy disaster and fundamentally corrupt. Even the politicians and other high-profile figures were using the video conferencing application Zoom for conferencing as they work from home. On 30th March 2020 increased cases of video hijacking or we can say “Zoom-Bombing” were detected. In this hackers infiltrate video meetings.
Factors Causes Downfall of Zoom Video Conferencing Application
- No End-to-End Encryption: Zoom has falsely advertised that it is using end-to-end encryption policy on it’s platform. End-to-end encryption means a system that secures communication so that the data can only be read by the intended audience.
Later, it was admitted by Zoom, that current surge in demand leads to missteps in the security and privacy implementation in the new modules and end-to-end encryption is currently not possible.
- Security Flaws: A number of security flaws have been detected in the recent week:
- A hidden web server was installed on the user machine so that the user can be added to a call without their permission.
- A bug was discovered, that can take over the control of Zoom User’s Mac, including tapping into the webcam and hacking the microphone.
- In-app Surveillance Measures: Zoom has introduced a “Attention Tracking” feature. This feature allows the host to see if the user clicks away from the Zoom Window for 30 seconds or more. This feature helped the employers to see if the employee is really turned into the meeting or if the students are really watching classroom presentations remotely.
- Selling of User Data: Zoom has said that the company has never sold user data in the past and has no intention of selling users data. Cuber Security researchers have found multiple databases containing Zoom credentials and started analyzing how hackers got hold of them in the first place.
Researchers explain that the hackers are using a four-prong approach to get hold of Zoom Credentials:
- Collected databases from dark web markets or online crime forums that contained usernames and passwords.
- Writing a configuration file for an application stress test.
- Perform Credential Stuffing Attack that employs multiple bots to avoid the same IP Address being spotted checking multiple Zoom Accounts.
- All valid credentials are collated as a new database, ready for sale.
These credentials are not from a breach at Zoom itself, but rather just a collection of stolen, recycled passwords. That is why these credentials are even given for free or for as low as $0.0020 cents.
You can follow a few measures to protect your Zoom Account from Recent Data Breaches:
1. Check to see if your account is being involved in a data breach: Use Free Services like Have I Been Pwned or pwdquery to see if the Email Id and Passwords associated with your account are floating around the web.
If it is, then you should start updating your account credentials at all places and use strong security settings like two-factor authentication. Even if it is not, it is worth updating your Zoom Password, if you tend to use the same password for multiple accounts.
2. Check your Zoom Settings: Change your personal meeting-id and six-digit host key. Always remember to select “Sign Me Out From All Devices”—once you’ve updated your password.
While any service that we use is responsible for protecting users from security breaches, but end users can take precautions to protect themselves from such potential attacks like credential stuffing.My Personal Notes arrow_drop_up