In 2020, Zoom has seen a rapid rise in popularity globally due to the increased need for remote working and education delivery in response to the COVID-19 pandemic. This rapid rise has also increased the scrutiny of Zoom’s security and privacy practices. Scrutiny of an organisation’s cyber security is a positive step in ensuring they remain accountable for their product claims, in line with best practices and customer expectations. Increased visibility of security and privacy issues with a product or service does not necessarily mean it is better or worse than alternatives.
This document aims to help people answer some of the common questions and concerns they may have about the privacy and security of Zoom.
Should I be concerned?
No - Cyber Security is everyone’s responsibility and users should remain vigilant to security issues and report cyber security incidents. The University’s instance of Zoom implements additional security controls to protect users and ANU continues to monitor security developments concerning Zoom.
Report any cyber security incidents HERE
What is ANU doing about Zoom security concerns?
The ANU Office of the Chief Information Security Officer (CISO) has been working closely with stakeholders to understand the security risks and claims reported in the media regarding Zoom security issues. Additionally, ANU IT Services and the University’s external service provider AARNet have reviewed Zoom security configuration and, where required, implemented additional security controls to further increase the security of Zoom for ANU users.
The Office of the CISO will continue to publish and revise guidance to the ANU community on Zoom and other cyber security matters pertaining to working and learning remotely.
Is Zoom secure?
Faced with a determined and well-resourced adversary, no system is ever truly secure. However, many of the issues raised in the public domain about Zoom security are not applicable given the University’s implementation and usage of Zoom.
A review of the security risks for Zoom has determined the security posture of the University’s Zoom instance to be adequate for our needs, and additional security controls have been implemented to further increase the security posture of the University’s Zoom. The CISO’s office continues to monitor and review this situation as new information develops.
Zoom as a vendor has rapidly responded to security issues identified with their products to provide best practice guidance, patches and security enhancements where required.
Cyber security is everyone’s responsibility and users must also ensure they take simple steps to remain cyber secure.
Why is our Zoom different?
The University’s Zoom capability is a private instance (https://anu.zoom.us/) hosted by our service provider AARNet. This means the implementation differs from the widely used public version of Zoom, for which most of the security concerns have been raised. Due to differences in the implementation and security configuration of the ANU instance, many of the issues raised in the media are not applicable. Additional steps have been taken to further increase the security posture of the University’s Zoom instance in light of recent developments.
Who is AARNet?
Australia’s Academic and Research Network (AARNet) is a national resource owned by the Commonwealth Scientific and Industrial Research Organisation (CSIRO) and Australian universities – including ANU – and is a trusted partner and service provider to ANU and Australia’s academic and research sectors.
What is ‘Zoom Bombing’ or ‘Zoom Raiding’? How do I prevent it?
Zoom Bombing or Zoom Raiding is where an uninvited participant, or a coordinated group of participants, attempts to hijack and disrupt a meeting, often through the use of profanities, offensive imagery and racial epithets. The most common cause is users publicly sharing Zoom meeting details for meetings where no password was set, allowing uninvited people to join the meeting.
To stay safe and secure with Zoom, see our guidance: Zoom for Meeting Hosts and Participants.
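As an added example (not part of the original ANU guidance), the following Python script scans published text, such as a course page or a public document, for Zoom meeting details and reports which meetings are exposed; it assumes the standard https://&lt;tenant&gt;.zoom.us/j/&lt;id&gt;?pwd=&lt;token&gt; join-link format, and the sample text is constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Zoom join links look like https://<tenant>.zoom.us/j/<meeting id>?pwd=<token>.
# A join link published without the pwd parameter, or a bare meeting ID, lets anyone
# who sees it join unless the host has separately set a passcode or waiting room.
# A link published *with* an embedded passcode is still an exposure: the passcode
# gives no protection once it is public.
ZOOM_JOIN_RE = re.compile(r"https?://[\w.-]*zoom\.us/j/\d{9,11}(?:\?[^\s\"'<>)]*)?", re.I)
MEETING_ID_RE = re.compile(
    r"\bmeeting\s*id\s*[:#]?\s*(\d{3}[\s-]?\d{3,4}[\s-]?\d{3,4})\b", re.I
)

# Constructed sample of publicly posted course information (not real meetings).
SAMPLE_PUBLISHED_TEXT = """
Lecture 3 is on Zoom: https://anu.zoom.us/j/9876543210?pwd=EXAMPLEtoken
Tutorial link: https://anu.zoom.us/j/1234567890
Drop-in session, Meeting ID: 555 123 4567
"""


def find_exposed_meetings(text):
    """Return one finding per Zoom meeting detail found in the published text.

    Each finding records the meeting ID, the snippet it came from, whether a
    passcode was embedded in the link, and a short description of the exposure.
    """
    findings = []
    for match in ZOOM_JOIN_RE.finditer(text):
        url = match.group(0)
        parsed = urlparse(url)
        has_pwd = bool(parse_qs(parsed.query).get("pwd"))
        findings.append({
            "meeting_id": parsed.path.rsplit("/", 1)[-1],
            "source": url,
            "has_passcode": has_pwd,
            "exposure": "public link with embedded passcode" if has_pwd
                        else "public link without passcode",
        })
    for match in MEETING_ID_RE.finditer(text):
        findings.append({
            "meeting_id": re.sub(r"[\s-]", "", match.group(1)),
            "source": match.group(0),
            "has_passcode": False,
            "exposure": "bare meeting ID published",
        })
    return findings


if __name__ == "__main__":
    for finding in find_exposed_meetings(SAMPLE_PUBLISHED_TEXT):
        print(f"{finding['meeting_id']}: {finding['exposure']} ({finding['source']})")
```

Run it over exported web content or a shared document to locate meeting details that should be moved behind a login page, replaced with a per-meeting passcode sent privately, or protected with a waiting room.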
Have Zoom accounts been compromised?
Unconfirmed – There are public reports that Zoom user account credentials have been found online, being distributed on the dark web. ANU is not aware of any ANU user accounts being contained in this data breach.
For more information on how to protect yourself and your accounts online, check out the Australian Government’s Stay Smart Online and subscribe to the data breach notification service Have I Been Pwned?
Are there alternatives?
Yes – ANU provides a number of alternatives for staff and students. The preferred alternative method for conferencing and collaboration is Microsoft Teams or Microsoft Skype for Business, part of Microsoft Office 365. Microsoft is phasing out the Skype for Business product, so users are encouraged to use Teams for future compatibility and the best experience. Office 365 is made available to all ANU staff and students at no cost, and more information is available from:
What data does Zoom collect?
The University’s private Zoom instance still relies upon Zoom’s public cloud infrastructure to function correctly. When using our private instance, the following information is encrypted and sent through Zoom’s cloud to enable users to successfully connect to the University’s private instance:
- Notifications – to send meeting notification to users.
- User and meeting metadata – including authentication and scheduled meeting lists.
- Meeting status – synchronising meeting status across all users.
Other meeting data, such as chat, voice, video and data sharing, is transmitted and processed through the University’s private Zoom instance, not Zoom’s public cloud.
Am I being recorded by Zoom?
It depends – Zoom offers users the ability to record a meeting. This may be done for a number of reasons, such as recording a lecture or webinar for further distribution. When a meeting is being recorded, all participating users are made aware of the recording either via a voice announcement or a recording indicator visible to all users in the Zoom workspace.
For the purposes of transparency, meeting hosts are also encouraged to notify meeting participants that a meeting is being recorded.
Have Zoom recordings been compromised?
No – There are public reports that Zoom recordings have been leaked online; however, these are not ANU recordings. Based upon available information, it appears these recordings belong to users and organisations who have not adequately secured the storage location of their recordings, rather than this being a security issue specific to Zoom.
Where are the University’s Zoom recordings stored?
ANU recordings are stored either locally on the computer of the person hosting the meeting or in AARNet’s secure cloud file storage, CloudStor. This secure cloud storage is located in Australia, avoiding data sovereignty issues, and data stored on CloudStor is access controlled and encrypted during storage and transmission.
Are my ANU Zoom communications private?
Yes – All communications using the Zoom application are encrypted, except when using devices or methods that do not support Zoom’s encryption. If you connect to a Zoom meeting by dialling a phone number over the public telephone network, that leg of the communication is not encrypted, because it does not use the Zoom application.
Within the applicable laws and policies that bind the ANU and AARNet, communications using the University’s Zoom are private with the exception of where a meeting is recorded for later use. Where a meeting is being recorded, attendees are provided warnings that the recording is occurring; see: Am I being recorded by Zoom?
Does Zoom use flawed encryption?
No – There has been public criticism of how Zoom’s communications encryption is implemented; these issues do not apply to the University’s Zoom instance. Our Zoom instance has its own encryption keys, which are maintained within Australia.
Some of the criticism of Zoom’s encryption remains valid. Zoom’s encryption implementation represents what is considered good practice, just not best-practice cyber security standards. Despite this, the encryption standards are more than adequate to protect ANU users’ communications, and Zoom has publicly committed to improving this; see Zoom’s blog response.
Is Zoom sharing my data with Facebook?
No - Previous versions of Zoom’s Apple iOS application used software components from Facebook to provide another convenient way to sign in to Zoom using your Facebook account. It was identified that these components were sharing technical data about a user’s mobile device with Facebook. Zoom updated their client software on 27 March 2020 to remove the Facebook components; see Zoom’s blog response.
You can get the latest versions of the Zoom client and plug-ins for Windows, MacOS, Apple iOS and Android from https://anu.zoom.us/download
Is the Zoom client software vulnerable?
Maybe – Most software experiences security vulnerabilities at some time. Just because software experiences vulnerabilities does not necessarily mean it is better or worse than alternatives. In fact, a larger competitor to Zoom has experienced more registered vulnerabilities of higher risk in 2020, with limited public attention by comparison.
It is critically important that users always keep software and operating systems up to date in order to protect themselves from a broad range of cyber security threats. You can get the latest versions of the Zoom client and plug-ins for Windows, MacOS, Apple iOS and Android from https://anu.zoom.us/download
More information on software updates is available from the Australian Government’s StaySmartOnline.
Can Zoom steal my password?
No – A vulnerability recently existed in Zoom where, under certain circumstances, if a user clicked a malicious link shared via the Zoom chat feature, it may have been possible to steal that participant’s Windows logon password.
This vulnerability was patched on 1 April 2020, so be sure to click the “Update” button whenever Zoom notifies you of a new update. You can get the latest versions of the Zoom client and plug-ins for Windows, MacOS, Apple iOS and Android from https://anu.zoom.us/download