CERT-In: Zoom App Vulnerable to Cyber-Attacks, Issues Advisory on Safety

Computer Emergency Response Team of India, the national cyber-security agency, on Thursday cautioned against the cyber vulnerability of the popular video conferencing app ''Zoom'', used by tens of thousands of professionals who are working from home in the country due to the COVID-19 pandemic, and issued an advisory outlining the safety measures for both the operator and the users.

The CERT-In, the national agency to combat cyber-attacks and guarding the cyberspace, said the unguarded usage of the Zoom meeting app can be vulnerable to cyber-attacks, including leakage of sensitive office information to cybercriminals.

"Many organisations have allowed their staff to work from home to stop the spread of coronavirus disease (COVID-19). Online communication platforms such as Zoom, Microsoft Teams and Teams for Education, Slack, Cisco WebEx, etc. are being used for remote meetings and webinars," the advisory said.

"Insecure usage of the platform (Zoom) may allow cybercriminals to access sensitive information such as meeting details and conversations," it said.

The agency suggested some measures for enhancing the security of Zoom meetings which included: Keeping the Zoom meeting app patched and up-to-date and always set strong, difficult-to-guess and unique passwords for all meetings and webinars.

"This is especially recommended for any meetings where sensitive information may be discussed," it said.

Enable ''waiting room'' feature so that the call manager will have a better control over participants; all participants can join a virtual ''waiting room'', but they will be approved by call manager to be part of the actual meeting, the advisory said.

It asked the operators of the platform to disable the ''join before host'' feature as that lets others to continue with a meeting in the absence of an actual host this option enables the first person who joins the meeting to automatically become the host and will have full control over the meeting.

"Alternatively, ''scheduling privilege'' may be given to a trusted participant to host the meeting in the absence of an actual host," it said.

Some other counter-measures included: If not required, restrict or disable file transfers, ensure removed participants are unable to re-join meetings and if not required, limit screen sharing to the host only.

"Lock the meeting session once all your attendees have joined and restrict the call record feature ''allow record'' to trusted participants only," it said.

Millions of professionals in India are working from home after the imposition of a 21-day nationwide lockdown from March 25 to contain the spread of the COVID-19 pandemic.

April 03, 2020