The British government is defending its use of the popular video-conferencing tool Zoom during the coronavirus pandemic, after questions were raised regarding security precautions.
On Tuesday, UK Prime Minister Boris Johnson tweeted a photo of himself video conferencing with other members of the government, in which a meeting ID (by which people can log into Zoom meetings) was visible. Although the meeting was password-protected, Zoom’s reputation for poor privacy means that it may not be the most secure software available.
Speaking to the Telegraph, Matt Lock, the technical director of cybersecurity business Varonis, warned that hackers would now know that Cabinet ministers are using Zoom and could “send spear phishing emails.” Spear-phishing is where an official-looking email or instant message, pretending to be from a trustworthy source, is sent to potential victims in order to manipulate them into handing over sensitive information. Hackers could “create something such as ‘Dear MP, we are updating our Zoom software to comply with MoD security standards. Please follow the link to install the latest update’,” Lock hypothesized.
“In the current unprecedented circumstances, the need for effective channels of communication is vital,” a government spokeswoman told BBC News. “NCSC [National Cyber Security Centre] guidance shows there is no security reason for Zoom not to be used for meetings of this kind.”
In 2019, a feature in Zoom’s Mac client meant that strangers could potentially spy on you via the web camera. A week ago, the FBI issued a warning about “conferences being disrupted by pornographic and/or hate images and threatening language” using the service, and ‘zoom-bombings’ are becoming more common. It’s also been discovered that Zoom’s meetings are not end-to-end encrypted, which the company has apologized for. Most recently, SpaceX took the step this week of stopping all employees from using the video-calling software over privacy and security concerns.
A Zoom spokesperson told the BBC it “takes its users’ privacy, security, and trust extremely seriously,” and the company announced yesterday that, “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process.”