The national cyber security agency on Thursday cautioned against the cyber vulnerability of the popular video conferencing app Zoom, used by tens of thousands of professionals who are working from home in the country due to the COVID-19 pandemic, and issued an advisory outlining the safety measures for both the operator and the users.
The Computer Emergency Response Team of India (CERT-In), the national agency to combat cyber attacks and guarding the cyber space, said the unguarded usage of the digital application can be vulnerable to cyber attacks, including leakage of sensitive office information to cyber criminals.
“Many organisations have allowed their staff to work from home to stop the spread of coronavirus disease (COVID-19). Online communication platforms such as Zoom, Microsoft Teams and Teams for Education, Slack, Cisco WebEx etc are being used for remote meetings and webinars,” the advisory said.
“Insecure usage of the platform (Zoom) may allow cyber criminals to access sensitive information such as meeting details and conversations,” it said.
Security concerns with popular video conferencing app, Zoom, came to light during a media briefing by television body BARC on Thursday.
The Broadcast Audience Research Council (BARC), which was hosting a virtual conference to inform people about TV and smartphone consumption trends amid the lockdown, was forced to stop the briefing midway because of the “hacking” episode.
“The Zoom meeting platform got hacked and as a result, we had to end the meeting urgently,” said an e-mail from the organisers.
In its advisory, the agency suggested some measures for enhancing the security of Zoom meetings including keeping the Zoom software patched and up-to-date and always set strong, difficult-to-guess and unique passwords for all meetings and webinars.
“This is especially recommended for any meetings where sensitive information may be discussed,” it said.
Enable ‘waiting room’ feature so that the call manager will have a better control over participants; all participants can join a virtual ‘waiting room’, but they will be approved by call manager to be part of the actual meeting, the advisory said.
It asked the operators of the platform to disable the ‘join before host’ feature as that lets others to continue with a meeting in the absence of an actual host this option enables the first person who joins the meeting to automatically become the host and will have full control over the meeting.
“Alternatively, ‘scheduling privilege’ may be given to a trusted participant to host the meeting in the absence of an actual host,” it said.
Some other counter-measures included: If not required, restrict or disable file transfers, ensure removed participants are unable to re-join meetings and if not required, limit screen sharing to the host only.
“Lock the meeting session once all your attendees have joined and restrict the call record feature ‘allow record’ to trusted participants only,” it said.
Millions of professionals in India are working from home after the imposition of a 21-day nationwide lockdown from March 25 to contain the spread of the COVID-19 pandemic
Leave a Reply