Recently, the Ministry of Home Affairs (MHA) and The Indian Cyber Crime Coordination Centre (I4C) have expressed concerns regarding the security aspects of using Zoom, a popular video communication platform for office and personal communication. The sudden rise in Zoom’s usage, due to the lockdown imposed to curb the Covid-19 pandemic, has brought focus onto its potential security vulnerabilities.
Growth in Zoom’s Usage Amid Lockdown
With offices temporarily closed during the pandemic, professionals are increasingly relying on applications like Zoom for communication. Furthermore, around 90,000 schools across 20 countries have integrated it into their distance learning programs. Consequently, the number of daily meeting participants on Zoom has exponentially risen from approximately 10 million in December 2019 to over 200 million in March 2020. Notably, this platform has been extensively utilized by central and state ministers for official purposes.
Concerns about Zoom’s Security
Zoom is a US-based company with three affiliate companies in China. These Chinese subsidiaries, employing at least 700 staff, develop software for Zoom, which significantly contributes towards reducing the company’s operational cost. This arrangement, however, potentially makes Zoom susceptible to pressure from Chinese authorities. Moreover, it has been reported that some calls made through the app are routed through servers in China.
Cyber Security Threats from Insecure Use of Zoom
India’s Computer Emergency Response Team (CERT-In) previously released advisories warning against the use of Zoom for sensitive communication, such as official meetings. This was due to concerns that insecure usage of the platform might provide an avenue for cybercriminals to get access to sensitive information like meeting details and conversations, thereby facilitating cyber fraud. Additionally, CERT-In highlighted a range of vulnerabilities in Zoom, which could potentially enable an attacker to gain access privileges or obtain sensitive data.
Weaknesses in Zoom’s Encryption
The University of Toronto-based Citizen Lab identified significant weaknesses within Zoom’s encryption which provides protection for meetings. Specifically, they found that the transmission of meeting encryption keys is routed through China. This revelation raised two major concerns: geo-fencing and meeting encryption.
Zoom’s Response and Measures to Enhance Security
In response to these concerns, Zoom’s Founder and CEO Eric S Yuan has promised to address these security and privacy issues. As part of this pledge, Zoom has introduced some new safety features. These include a new security icon in the meeting controls, alterations in default settings, and enhancement of meeting password complexity. Additionally, Zoom has announced that it will soon allow account administrators to decide if their data is routed via specific data center regions.
Suggestions Provided by the Ministry
To enhance Zoom’s security, The Ministry of Home Affairs (MHA) advises users to set strong passwords and enable the “waiting room” feature, providing control over the participants. Users are also encouraged to use randomly generated meeting IDs for each event rather than personal meeting IDs. Furthermore, sharing meeting links on public platforms should be avoided.
About Indian Cyber Crime Coordination Centre
Set up in 2018, the I4C intends to manage all types of cybercrimes in a comprehensive and coordinated manner. This center, located in New Delhi, has seven different components, ranging from a National Cyber Crime Threat Analytics Unit to a Platform for Joint Cyber Crime Investigation Team.
About Computer Emergency Response Team-India
CERT-In, a part of the Ministry of Electronics and Information Technology, aims to secure Indian cyberspace. This nodal agency deals with cybersecurity threats like hacking and phishing. It collects, analyzes, and disseminates information on cyber incidents, and issues alerts on cyber security incidents. CERT-IN also delivers Incident Prevention and Response Services and Security Quality Management Services.