Zoom Security: Myth vs Reality for Remote Teaching

Remote teaching with Zoom

The Zoom web conferencing solution has recently risen to the forefront of the news with regards to concerns for cybersecurity and privacy. McGill wants to reassure our Zoom users that we have put controls in place to address these legitimate concerns.

The following are the main concerns raised by the community and the media in recent weeks and, where applicable, how McGill has mitigated these concerns:

  1. Zoom’s privacy policy allows them to share private information with third parties:
    Although Zoom publishes a privacy policy applicable to their individual customers, as an institutional account, McGill uses an integrated solution to deliver Zoom services for remote teaching. As part of this integrated solution, the information shared with Zoom is limited to: McGill credentials (first and last name, and email address), participant’s role (instructor or student) and course name. Information and privacy protection provided by Zoom have been reviewed and are monitored through the University’s continuous improvement process.
  2. The Zoom application on iOS (iPhone) shares private information with Facebook, even if the user has no Facebook account:
    This legitimate issue was reported on March 25 and repaired on March 27, 2020. Zoom claimed that they were not made aware of the data which was shared. Upon further review, it was demonstrated that the data collected by Facebook did not include information and activities related to meetings, such as attendee names or notes. However, it included the following: details on the user's device, such as the device model, IP address, phone carrier, and Advertiser ID (a unique advertiser identifier created by the user's device which companies can use to target advertising).
  3. Zoom meetings can be accessed by malicious parties, which can then display inappropriate content to other participants (aka “Zoom‑bombing”):
    While this is a known issue in any web conferencing tool, it is usually managed by protecting the meeting configuration. There are several ways to achieve this: create a meeting password, restrict participants to an approved list, do not disclose the meeting hyperlink in public forums (such as social media), and prevent participants from sharing their screen during the session (by adjusting the security settings).

    As part of McGill’s implementation of the Zoom tool, any Zoom meeting created has default settings to restrict the ability for participants to share their screen. Zoom meetings published and created through myCourses are configured such that the actual hyperlink is not visible to participants (one-click join). This default configuration restricts the occurrence of Zoom-bombing, so they are less likely to occur. Additional guidance is available for instructors who wish to create meetings without going through myCourses. Learn more on the TLS "Zoom for Remote Teaching" site in the "How to prevent Zoomboming" section.
  4. The Zoom application on MacOS could allow a local user, without privileges, to install malware and control the camera and microphone (ZoomDoom):
    This “zero-day” vulnerability (a vulnerability disclosed publicly before being submitted to the software editor for a fix) was published on March 31, 2020 and repaired on April 1, 2020. It required the cyber attacker to have local access to the computer (locally or through a remote desktop connection) to increase their privileges.

    As with all software vendors, vulnerabilities do exist in Zoom. When evaluating a software solution’s security, McGill’s cybersecurity specialists not only evaluate the number of vulnerabilities, but the timeliness of the software manufacturer’s response in addressing them.
  5. The Zoom application on Windows allows cyber attackers to steal user credentials (account and password information):
    This vulnerability was published on March 31, 2020 and repaired on April 1, 2020. It was believed that once exploited, the cyber attacker had direct access to the user’s credentials (account and password). In reality, the cyber attacker had access to an encrypted password, which they would still need to crack (i.e., decrypt). The vulnerability to these types of attacks relied on a user clicking on a malicious link. So, as always, exercise vigilance and caution before clicking on unusual links.

    Most McGill computers have various controls and protections in place (advanced anti-malware, strong password protection, user security awareness, etc.) which mitigated the risk until the fix was made available.
  6. Zoom does not support end-to-end encryption: 
    When the cybersecurity and legal review of the Zoom service was performed, McGill never presumed that the service supported end-to-end encryption. A diligent review was completed, concluding that although Zoom’s service offering is not truly encrypted end-to-end, it still met McGill’s legal and cybersecurity requirements for the urgent need of remote teaching.

    Note: Zoom has acknowledged the confusion that could result from their initial “end-to-end encryption” claim and has since then reviewed their offering description.

    To mitigate this risk in the short-term, here are the actions McGill has taken:
    • We remove any recordings from Zoom and transfer them into the McGill hosted Lecture Recording System platform.
    • IT Services will continue to assess other service offerings with Zoom.
  7. Zoom had more than 500,000 accounts compromised:
    Although true, that these credentials were leaked and consolidated to be resold on the dark web, most of these credentials were inactive and may not be active, as reported in the article. As part of its routine security monitoring activities, McGill’s IT Security Team gained access to the data file and cross-referenced all McGill Zoom accounts for matching credentials, resulting in no matches found. However, if you hold a personal Zoom account (not associated with your McGill email address) you may want to consider changing your password, as well as any other websites where you may have used this password. 

    This example should serve as a best practice to limit the re-use of passwords across various websites and to never re-use your McGill credentials on external websites. Should you wish to know if your personal email account was compromised in a data breach, you can visit “Have I Been Pawned” to look up your email address and see which site(s) reported a data breach related to your account.  

With the increased usage and attention that Zoom has received in the last few weeks, the company has acknowledged their commitment to a continuous improvement process on cybersecurity.

McGill is conscious of Zoom’s efforts to improve their default security settings. Given the urgent requirement for this service during the current COVID-19 pandemic, we feel confident that Zoom allows for an acceptable McGill configuration.

Stay up-to-date on cybersecurity and other IT related security alerts by subscribing to IT Security Alerts.

Back to top