The ongoing lockdown had forced the several people all over the world has forced to connect through the video call apps to stay connected. Zoom has rapidly become one of the most essential apps as people adapt to remote working. It was reported that over 500 thousand Zoom accounts were sold on the dark web, which is available for a penny. Now, as the platform is not safe, as per the Ministry of Home Affairs has raised alarm bells, and said is unsafe and vulnerable to cyber-crimes.
The ministry’s notification comes at a time when the platform has gained prominence with most industries now working from home in the wake of the covid-19 outbreak, globally. At the same time, with privacy coming into question in case of Zoom, the Centre has also asked all its ministers and staff to refrain from conducting any meetings on third party applications.
The MHA in its latest advisory through its Cyber Coordination Centre (CyCord) on Thursday has red-flagged the video conferencing facility as “unsafe”, days after India’s Computer Emergency Response Team (CERT-IN) had raised concerns over potential cyber attacks through Zoom. In an order issued earlier on 30 March, CERT-IN said the application was vulnerable to cyber attacks, including leakage of sensitive information.
Key Highlights:
- Zoom has seen a surge in use around the world amid coronavirus lockdown
- It claims to use end-to-end encryption in its marketing and official documents
- The definition of end-to-end encryption differs from industry standard
- Instead it uses a less secure process which is equivalent to HTTPS used online
- This offers some protection but allows Zoom to access private chat records
Online communication platforms such as Zoom, Microsoft Teams, TeamViewer and Teams for Education, Slack, Cisco WebEx etc are being used for remote meetings and webinars. Insecure usage of the platform may allow cyber criminals to access sensitive information such as meeting details and conversations, it added.
In case of Zoom, a Motherboard analysis revealed that its iOS app sends data to social networking website Facebook even if a user doesn’t have an account on it. In fact, a user has filed a suit against the company, alleging that the app “collects information of its users and discloses, without adequate notice or authorisation, this personal information to third parties, including Facebook, invading the privacy of millions of users”.
Motherboard found that when a user opens Zoom, the app shares details about its users’ devices—the time zone they are in, device model, the city they are in, the phone carrier they are using and a “unique advertiser identifier” that can be used for targeted advertising.
Both CERT-IN and the Union home ministry have now suggested as part of the directive that users and organisations need to keep the software up to date and ensure that the password for each meeting should be changed and reset.
At the same time, it also suggested the host of the meeting to “end meeting” after the conference was over instead of “leaving” it, adding that “these suggestions are especially important for those meetings in which sensitive details are discussed.”
In a set of guidelines, the CCC division of the MHA mentioned that “those private individuals who still would like to use Zoom for private purposes” should follow certain guidelines like prevention of unauthorized entry in the conference room and unauthorized participants to carry out the malicious activity on terminals of others in the conference. The advisory also suggested to “avoid ‘DOS’ attacks by restricting users through passwords and access grant.”
However, in response, Zoom stated that it takes user security extremely seriously. “A large number of global institutions ranging from the world’s largest financial services companies and telecommunications providers, to non-governmental organisations and government agencies, have done exhaustive security reviews of our user, network and datacenter layers and continue to use Zoom for most or all of their unified communications needs,” a Zoom spokesperson said.
Here’s how you can make Zoom meeting secure: ( Suggestions)
# Set new user ID and password for each meeting
# Enable waiting room, so that every user can enter only when host conducting meeting admits him
# Disable join before host
# Allow screen sharing by host only
# Disable “allow removed participants to re-join”
# Restrict file transfer option (if not required)
# Lock meeting, once all attendees join
# Restrict recording feature
# End meeting, and not just leave, if you are administrator
The home ministry also said these safety practices would prevent unauthorised entry into the meeting rooms, as well as thwart “DOS (denial of service) attacks and prevent authorised people to carry out malicious tasks within various conferences.”
In the meantime, the government on 13 April also issued an advisory to all central government officers cautioning them against using third-party software and apps.
