When Boris Johnson hosted the UK’s first ever video conferenced Cabinet meeting on Tuesday, the event took place not through secret military video calling technology, but through Zoom.
That is the same app being used around the world for everything from virtual exercise classes to choir rehearsals.
But experts warn that a rush to hold virtual meetings through Zoom, which has close to 13m monthly active users, could pose security risks.
The threat is so significant that British Ministry of Defence staff were told this week that the use of Zoom was being suspended with immediate effect while “security implications” were investigated.
The biggest worry is that a sudden reliance on Zoom could allow opportunistic hackers to quietly observe video calls as executives are focused on responding to the spread of coronavirus.
For now, it seems that internet pranksters are content with disrupting business calls on Zoom rather than carrying out espionage.
A recent rise in a phenomenon dubbed “Zoombombing” has seen business conference calls disrupted by strangers who join the video chats and broadcast pornography to everyone logged on – which often results in the calls being quickly ended and embarrassed apologies.
Zoombombing is, for now at least, relatively harmless. But the idea of strangers barging into virtual meeting rooms should raise alarm. What if they had stumbled upon a virtual meeting held by an NHS Trust, or even the Prime Minister addressing Cabinet?
Jake Moore, a cybersecurity expert at ESET and former police digital forensics investigator, says a private video meeting he was in was Zoombombed on Thursday.
“For very private meetings, I would not be touching any type of videoconference software that is free,” he says. “You’ve got to do your research, especially the amount of data that is being used.”
Zoom collects data on anyone using its free service, which it operates alongside paid business and government tiers, even if you don’t have a Zoom account. Its terms and conditions say it collects information including your name, physical address, email address, phone number, job title, and employer.
“The main thing for businesses to assess is if something is for free, what are they giving to it? They’re not just going to give you that service for nothing,” says Andrew Dwyer, a cybersecurity researcher at the University of Bristol.
“It’s imperative to look at whether you should be paying for some of these services to enhance the security,” he adds.
And as millions of people work from home, their IT departments aren’t always able to control which software is installed on their devices.
That could leave businesses open to cyberattacks, as personal computers run outdated versions of software that haven’t received the latest security patches.
“It’s a good reason to make sure people have the latest version,” says Alan Woodward, a cybersecurity professor at the University of Surrey.
Other experts point to an incident last year where a security researcher uncovered a serious flaw in Zoom’s software which could have allowed hackers to quietly activate people’s webcams if they had Zoom installed.
Zoom waited months to fix the problem after being notified of the issue.
“Every single piece of online tech has issues at some point in its life,” Dwyer says. “What you want to look at is how it responds to those instances. With Zoom, in that particular flaw it had, it took a long time for it to respond. That is an issue.”
The recent issues with Zoom’s software have caused experts to worry about the Government’s use of the software for its virtual Cabinet meeting.
Matt Lock, the technical director of cybersecurity business Varonis, warns that hackers now know Cabinet ministers are regularly using Zoom.
“Hackers now have a known targeted application to send spear phishing emails about,” he warns, “and they could create something such as ‘Dear MP, we are updating our Zoom software to comply with MoD security standards. Please follow the link to install the latest update.’”
However, a Government spokesman defended the Prime Minister’s use of the software, citing guidance issued by the National Cyber Security Centre (NCSC): “In the current unprecedented circumstances the need for effective channels of communication is vital. NCSC guidance shows there is no security reason for Zoom not to be used for conversations below a certain classification.”
The Government’s position is clear: It will continue using Zoom for meetings which don’t include discussions about any restricted topics.
Experts urge businesses to make the same consideration about their use of the software.
“Do your due diligence, don’t just take things for granted,” says Woodward.
A Zoom spokesperson said the company “takes user security extremely seriously”. It said more than 2000 institutions had done “exhaustive security reviews of our user, network and data centre layers confidently selecting Zoom for complete deployment”.
“Zoom are in close communication with the UK Ministry of Defence and National Cyber Security Centre and are focused on providing the documentation they need.”