Against 'zoom bombing': Meeting tool Zoom activates passwords and waiting rooms

The video conferencing software Zoom is extremely popular because of the current shift to working from home. Unfortunately, the tool has not only raised concerns about questionable security; the numeric meeting ID of a Zoom conference is also relatively easy to guess. Outsiders exploit the latter to intrude into other people's meetings and contribute unwanted or offensive content, a phenomenon that has been dubbed "Zoom bombing". The software's maker, Zoom Video, now wants to take action.

Starting Sunday, April 5, a user who knows a meeting ID can only join the conference by also entering a password, the company told Zoom users in an email, as TechCrunch reports. This is intended to keep out unwanted participants who have merely guessed the meeting ID. For meetings planned in advance, the password is to be communicated in the invitation; for spontaneously scheduled conferences, it is to be displayed in the Zoom client. In the same step, the virtual waiting room is also to be activated by default: the meeting's host then admits participants manually.

Zoom has recently been criticized for questionable security practices. Among other things, the criticism concerned an unusual interpretation of the term end-to-end encryption: it is apparently only in effect for text chats between the participants' endpoints. In other cases (i.e. in the far more commonly used audio and video conferences), communication is not encrypted between the endpoints, but only between one endpoint and the Zoom server and between the Zoom server and the second endpoint. In audio and video conferences, therefore, only transport encryption via TLS appears to be active.
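To make the distinction in the paragraph above concrete, here is an added example (not code from the article or from Zoom) that models the two architectures with a toy cipher: in the hop-by-hop variant, each leg is encrypted with a key shared between that endpoint and the server, so the relay server holds plaintext in between; in the end-to-end variant, an additional key known only to the two participants is layered inside the transport encryption, so the server forwards ciphertext it cannot read. The HMAC-SHA256 counter-mode keystream and the three key names are assumptions for illustration, standing in for TLS and a real media cipher.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12  # assumption: 96-bit nonce, as in common AEAD constructions


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode). Constructed for this
    example; it stands in for a real cipher and provides no integrity check."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce, prepended to the XOR-encrypted payload."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def relay_hop_by_hop(msg: bytes, key_a_server: bytes, key_server_b: bytes):
    """Transport encryption only (the audio/video case described above):
    A -> server is protected with key_a_server, server -> B with key_server_b.
    Returns (what the server sees after decrypting leg 1, what B receives)."""
    wire_a = encrypt(key_a_server, msg)
    server_view = decrypt(key_a_server, wire_a)      # server holds plaintext
    wire_b = encrypt(key_server_b, server_view)      # re-encrypt for leg 2
    delivered = decrypt(key_server_b, wire_b)
    return server_view, delivered


def relay_end_to_end(msg: bytes, key_ab: bytes,
                     key_a_server: bytes, key_server_b: bytes):
    """End-to-end encryption layered inside the same two transport legs.
    key_ab is shared only by the two participants, never by the server.
    Returns (what the server sees, what B recovers)."""
    inner = encrypt(key_ab, msg)                      # E2E layer
    wire_a = encrypt(key_a_server, inner)             # transport layer, leg 1
    server_view = decrypt(key_a_server, wire_a)       # still ciphertext
    wire_b = encrypt(key_server_b, server_view)       # transport layer, leg 2
    delivered_inner = decrypt(key_server_b, wire_b)
    return server_view, decrypt(key_ab, delivered_inner)


def demo() -> dict:
    """Run both models on a constructed sample message and report whether
    the relay server could read it."""
    msg = b"constructed sample: confidential meeting audio frame"
    key_a_server = secrets.token_bytes(32)
    key_server_b = secrets.token_bytes(32)
    key_ab = secrets.token_bytes(32)
    hop_view, hop_delivered = relay_hop_by_hop(msg, key_a_server, key_server_b)
    e2e_view, e2e_delivered = relay_end_to_end(msg, key_ab, key_a_server, key_server_b)
    return {
        "hop_by_hop_server_reads_plaintext": hop_view == msg,
        "hop_by_hop_delivered_ok": hop_delivered == msg,
        "e2e_server_reads_plaintext": e2e_view == msg,
        "e2e_delivered_ok": e2e_delivered == msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is a matter of key distribution rather than cipher strength: as long as the server holds every key used on the wire, TLS on both legs protects the stream from passive observers on the network, but not from the operator of the relay. That is why the article treats the routing of conferences through particular servers as a security-relevant detail.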

In theory, this situation opens the door to third parties recording data streams. In this context, an admission by Zoom Video is awkward: as the company reports in a blog post, in February Zoom conferences were inadvertently routed via servers in China. As demand for the software rose, the manufacturer put numerous new servers into operation to provide sufficient capacity, some of them in China.

During the configuration change, the geofencing that is supposed to ensure only Zoom servers in the participant's own region are used was mistakenly bypassed. As a result, several servers in China served as a fallback for conferences that did not take place in China. On April 3, the company corrected the routing. The variant of Zoom for government institutions (Zoom for Government) was reportedly not affected. As a precaution, the company points out in the blog post that "multi-level backups, robust cybersecurity protection and internal controls" would prevent unauthorized data access regardless of routing.

It has also emerged that it is not only meeting IDs that are so uniform they can be guessed: the same applies to the file names of video recordings of conferences. According to research by the Washington Post, numerous Zoom users apparently store their conference recordings openly on the Internet, mostly in cloud storage, assuming they cannot be found there. The Washington Post, however, examined the naming scheme and, using a search engine specialized in online cloud storage, was able to access thousands of such videos by guessing their names. Some of these contain highly confidential content and private data, such as recorded therapy sessions or the names and phone numbers of those involved.

Video recording in Zoom must be activated manually by users. The findings described do not concern recordings stored on Zoom's servers, but only cases in which users themselves have put a recording on the Internet and forgone password protection and other security measures; this user behavior cannot be blamed on the Zoom software.
