Consumer users of Zoom’s free Basic service will get access to enhanced cyber security protections from Saturday 9 May in a new update activating additional default safeguards across the platform.
The upcoming changes will see passwords required by default for all Zoom sessions, including new and previously scheduled sessions, and for those using personal meeting IDs, or PMIs. Also, Waiting Rooms for users with PMIs will now be switched on by default, and screen-sharing privileges will be made Host Only by default.
At the start of May, Zoom also added new security features to give all users – business and consumer alike – more control over the use of PMIs by letting account owners or admins disable the use of PMIs for scheduling or starting instant meetings.
“Because PMIs are always accessible using the same ID or meeting link, anyone can join unless they are properly secured,” said Zoom’s Eric Lee in a blog post detailing the latest round of enhancements. “Disabling the use of PMIs reduces that risk altogether and doesn’t leave PMI security up to individual users. This option to disable PMIs can be locked at the account or group level.”
By disabling PMIs, existing ones and personal links become invalid, which essentially means they can’t be used to host a meeting. If using this option, previously scheduled or recurring meetings that do use PMIs will be updated – further details on how to manage this change, alongside FAQs and other support options, are available from Zoom at the above link.
The latest changes are in addition to those previously detailed by Zoom when it launched version 5.0 of its platform towards the end of April. One of the most high-profile changes in the latest iteration is the addition of advanced AES 256-bit GCM encryption. The upgrade is available now and should be downloaded sooner rather than later – Zoom 5.0 will be a requirement to join meetings as of 30 May 2020.
Zoom’s latest updates are essentially designed to make it much harder for malicious actors to engage in so-called zoombombing, which is when trolls gain access to legitimate meetings on the service to hijack and disrupt them and harass their participants.
Oz Alashe, CEO of security awareness software supplier CybSafe, said: “PMIs were always a weak link in the platform, since they were accessible at all times. While these changes are positive, much of the damage has already been done.
“Zoombombing has captured a lot of media attention. Routing some user traffic through China, even though the issue now seems resolved, has further muddied brand trust, particularly with enterprise organisations and governments. Moreover, there continue to be concerns around a lack of end-to-end encryption.
“What impact this ultimately has on user numbers and market position is yet to be seen. The company currently holds a dominant market position and competitors are still in catch-up mode.”