HKCERT proposes 10 measures to secure Zoom Meetings
Due to the global outbreak of COVID-19, many companies and educational institutions have arranged for staff and teachers to work or teach from home, resulting in more people using web meeting software for communication. With its ease of use and rich features, Zoom has become one of the popular applications for this purpose.
HKCERT recently observed an emerging attack called "Zoom-bombing" or "Video-teleconferencing hijacking" [1] targeting Zoom users. Attackers would either try to access Zoom meetings which are not set up securely, or use a previous Zoom vulnerability to gain unauthorised access to meetings by scanning available meeting IDs. Once inside, an attacker could eavesdrop on meetings, or even hijack them to spread inappropriate messages and pictures or malware.
In addition, attackers could use features of the operating system to attack users. One example is Universal Naming Convention (UNC) links, which are commonly used in Windows (e.g. \\evil.server.com\images\cat.jpg). By default, Windows sends the user's login name and NT LAN Manager (NTLM) password hash to the remote server as soon as the user clicks a UNC link. Therefore, an attacker could capture users' credentials by sharing malicious UNC links with all participants during a Zoom meeting.
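A chat gateway or log reviewer can recognise the link forms described above and replace them with inert text before participants see them. The following Python is an added example, not HKCERT's or Zoom's code; the pattern set, the function names and the sample messages are assumptions constructed for illustration.

```python
import re

# Link forms that make Windows contact a remote file server when opened.
# Assumption: this pattern set is illustrative, not an exhaustive list.
REMOTE_LINK = re.compile(r"""
      \\\\\?\\UNC\\ (?P<long>[^\\/\s]+)  [\\/] \S*   # \\?\UNC\host\share\...
    | \\\\          (?P<unc>[^\\/\s?]+)  [\\/] \S*   # \\host\share\...
    | file://       (?P<url>[^\\/\s]+)   [\\/] \S*   # file://host/share/...
    """, re.IGNORECASE | re.VERBOSE)

LOCAL_HOSTS = {".", "localhost", "127.0.0.1"}   # device paths and loopback
TRAILING = ".,;:!?)]'\""                        # sentence punctuation after a link


def _scan(message):
    """Yield (match, link, host) for each link whose host is not this machine."""
    for m in REMOTE_LINK.finditer(message):
        host = (m.group("long") or m.group("unc") or m.group("url")).lower()
        if host not in LOCAL_HOSTS:
            yield m, m.group(0).rstrip(TRAILING), host


def find_remote_links(message):
    """Return a list of (link, host) pairs found in one chat message."""
    return [(link, host) for _, link, host in _scan(message)]


def neutralise(message):
    """Swap each remote link for inert text, keeping the surrounding punctuation."""
    out, pos = [], 0
    for m, link, host in _scan(message):
        out.append(message[pos:m.start()])
        out.append(f"[remote link to {host} removed]")
        pos = m.start() + len(link)
    out.append(message[pos:])
    return "".join(out)


CHAT = [  # constructed sample messages
    r"Agenda is at C:\Users\me\agenda.txt and file:///C:/tmp/notes.txt",
    r"funny cat (\\evil.server.com\images\cat.jpg).",
    r"minutes: file://files.example.net/share/minutes.docx",
    r"backup copy \\?\UNC\192.0.2.10\public\minutes.docx",
]

if __name__ == "__main__":
    for line in CHAT:
        print(find_remote_links(line), "->", neutralise(line))
```

Local drive paths and file:/// URLs without a host are left untouched, because opening them does not contact a remote server.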
10 measures to secure Zoom meetings
HKCERT advises the public to take the following security measures, where applicable, to protect Zoom meetings:
A. For all Zoom users
- Use the latest version of the Zoom application and security software
  - Download the apps from the official website or official app store
  - Keep the Zoom application updated [2]
  - Keep the operating system updated (on both desktop and mobile devices). Install anti-virus software and always keep it updated
- Beware of any Universal Naming Convention (UNC) links shared by unknown participants
  - Do not click any suspicious UNC links shared by unknown participants
  - (For advanced Windows users) Set up a group policy to prevent sharing of your NTLM credentials [3]
- Do not share confidential information during the meeting
  - Zoom does not support complete end-to-end encryption (end-to-end encryption means the service provider, Zoom, cannot view the content of clients’ meetings) [Update on 3 Dec 2020: Zoom recently announced limited support for end-to-end encryption. For details, please refer to https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/ or the latest announcement by Zoom.]
  - To prevent information leakage, avoid discussing any confidential information
- Use a meaningful display name
  - Avoid using a misleading name or online nickname, so that the host can identify users easily
- Protect your Zoom account and monitor suspicious activities
  - Set a strong account password
  - Monitor suspicious account activity. Sign out of all Zoom clients when in doubt (e.g. if your computer or phone is lost or stolen, sign out of all clients and change the sign-in password)
  - Do not share or publish the meeting ID or links sent by the organiser arbitrarily
B. For Zoom meeting hosts
- Make meetings private and deny trespassers
  - Share the meeting ID and link with intended participants only, and do not share them on any social media or public platform
  - Set a different meeting ID and password for each meeting [Note]
  - Set a strong meeting password, and send meeting links separately to participants
  - Use the “Pre-register” feature to control the participant list
  - Disable the “Join before Host” option to ensure the host is already present before participants join the meeting, so that the host can identify participants in advance
  - Use the “Waiting room” feature to control admittance of participants
  - Lock the meeting once everyone has joined
  - Set screen sharing to “Only Host”, and open this function to participants only when needed
- Monitor your own meeting
  - Use an alternate device to sign in as a participant
  - Monitor any inappropriate content shared by participants. Remove malicious content and participants when needed
- Pay attention to the security and privacy of meeting recordings
  - Give participants prior notice if you will record the meeting
  - If the video contains sensitive information, it should be saved on a PC with appropriate access permissions rather than in the cloud, and shared only with trusted parties
- Keep your Personal Meeting ID private
  - This ID is tied to the account of the Zoom host and should be used by the host privately
  - Do not share it, nor use it in general meetings
- Set up a security policy for web meetings
  - Organisations should set up a security policy for both hosting and participating in web meetings
  - Relevant policies should cover the usage guidelines for Zoom and the related security controls
Are these measures applicable to other web meeting solutions?
Yes, these measures are applicable to other web meeting solutions. There are different web meeting solutions, such as Cisco WebEx, Adobe Connect, Microsoft Teams, Google Meet, CyberLink U Meeting, etc. Settings similar to the above measures for Zoom can also be found in other solutions. Regardless of which software you choose, you should always study the security features and weaknesses of the selected solution before using it, in order to secure your web meetings effectively.
Be vigilant against cyber attacks leveraging Zoom
Furthermore, attackers would try to leverage the popularity of Zoom to launch different attacks. It is reported that a large number of fake Zoom domains have been registered during the COVID-19 outbreak. These fake domains are used to spread phishing scams and malware disguised as Zoom installers [4]. Users should stay vigilant and not open suspicious email attachments or hyperlinks when in doubt.
Animation of Video Conferencing Security Tips
HKCERT has produced a short animation video to elaborate on the main points above. It also features security tips for remote working. Please watch the video at https://youtu.be/FH7zWAb4-GQ.
The latest Zoom application enables passwords for meetings by default and disables the ability to randomly scan for meetings to join.