It was perhaps natural that after the COVID-19 pandemic forced around a fifth of the world’s population into various forms of quarantine, video-conferencing apps became popular—both for work and for play.
Whether it was to work from home or to get friends and family members together in virtual gatherings, apps like Zoom, HouseParty, Microsoft Teams and Google Hangouts have seen a surge in popularity. According to an App Annie report, downloads of video-conferencing apps went up 45 per cent between March 14-21, a cumulative 62 million downloads.
There are good reasons to be videoconferencing, some financial, some emotional.
For businesses, employees working at home need an enterprise-level solution that can provide safe communications for teams working remotely. The decision by Google to offer premium features of Hangouts Meets for free, or for ZOOM to give K-12 students free access and Microsoft to hand out a free six month subscription has all helped drive downloads of these apps. UK Prime Minister Boris Johnson even used Zoom to chair the first-ever ‘digital cabinet’.
For everyone else, HouseParty is a lighter alternative, marketing itself as a “face to face social network”, letting up to eight people chat at the same time and play fun activities. It has become a source of respite for those who miss their friends from the confines of their homes.
However, concerns have been raised about the security and privacy of both of these apps.
For HouseParty, problems began after social media users started posting screenshots of the company’s user data policy, and a rumour circulated that accounts were being hacked and people’s PayPal’s and email ids were getting compromised because of the app. #DeleteHouseParty started to trend, and several started uninstalling the app from their phones.
Once the rumour that HouseParty was leading to hacked accounts emerged, Android users found themselves unable to delete their HouseParty accounts. To do so, they had to send a mail to the company requesting the account be deleted. Because of the surge of such requests, mails sent would bounce back, leaving users unable to even delete their accounts.
HouseParty, in turn, said that all Houseparty accounts were safe and that “the service is secure, has never been compromised, and doesn’t collect passwords for other sites.” They claimed they had become victim to a smear campaign against them and offered a $1 million bounty to anyone who could prove that this was the case.
Zoom too has been making headlines for the wrong reasons. On Tuesday, Taiwan became the first country to ban the app’s usage in government, on account of concerns over its security. The move came after Elon Musk’s SpaceX banned employees from using it and the New York Education Department banned it from schools in favour of Microsoft Teams.
Cybersecurity researchers have pointed out multiple flaws with Zoom, and the FBI has issued an advisory to schools over attempts by trolls to ‘hijack’ video-calls, usually to post offensive messages or pornography in a practice now called ‘Zoom bombing’.
A report by VICE shows how Zoom’s iOS app sent user data to Facebook, prompting a class action lawsuit against the company. A report by the University of Toronto’s Citizen Lab found the company used substandard encryption, prompting the company to admit it could do better. However, a report by The Intercept claims the company’s video calls do not feature end-to-end encryption at all.
One takeaway from this is that Zoom and HouseParty may not necessarily be more vulnerable than other apps—it is just that their increased popularity has raised their profile in the eyes of hackers. Arguably, cybersecurity researchers pointing out vulnerabilities is a chance for companies to improve their practices. Zoom, in a statement on April 1, said they had initially designed the app at an enterprise level and did not expect that “every person in the world would suddenly be working, studying, and socializing from home”. The company has so far acted promptly on being alerted to vulnerabilities and has enacted a feature freeze to focus on privacy and security-related issues.
Other collaboration apps are also facing security issues. Slack and CISCO WebEx both had vulnerabilities fixed in March, according to a ThreatPost report. Trello has features that could accidentally make team conversations searchable on Google if the boards are set to ‘public’, and both Slack and Microsoft Teams could be vulnerable to phishing attacks if users are not careful.
The takeaway is that it is not just app-makers that have to be careful, but their users as well.
What experts say you should do to stay safe on Zoom or HouseParty
The FBI had advised people to make sure their calls are set to private, in a bid to prevent Zoom bombing.
“As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called “Zoom-bombing”) are emerging nationwide. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language,” the FBI said. The agency advised schools and businesses not to make their meetings or classrooms public, which allows strangers to jump in. They also advised against sharing invite links on public platforms like social media.
Similar advisories have been issued by schools and the like for parents of children using HouseParty—a lot of the concerns over these have to do with making sure the video-conferences are made ‘private’, not ‘public’.
India’s national cyber-security agency, The Computer Emergency Response Team of India (CERT-In) has also urged users follow best practices to stay safe with Zoom. "Insecure usage of the platform (Zoom) may allow cyber criminals to access sensitive information such as meeting details and conversations," it said.
The agency suggested some measures for enhancing the security of Zoom meetings which included: Keeping the Zoom software patched and up-to-date and always set strong, difficult-to-guess and unique passwords for all meetings and webinars.
"This is especially recommended for any meetings where sensitive information may be discussed," it said.
Enable 'waiting room' feature so that the call manager will have a better control over participants; all participants can join a virtual 'waiting room', but they will be approved by call manager to be part of the actual meeting, the advisory said.
It asked the operators of the platform to disable the 'join before host' feature as that lets others to continue with a meeting in the absence of an actual host this option enables the first person who joins the meeting to automatically become the host and will have full control over the meeting.
"Alternatively, 'scheduling privilege' may be given to a trusted participant to host the meeting in the absence of an actual host," it said.
Some other counter-measures included: If not required, restrict or disable file transfers, ensure removed participants are unable to re-join meetings and if not required, limit screen sharing to the host only.
"Lock the meeting session once all your attendees have joined and restrict the call record feature 'allow record' to trusted participants only," it said.
With inputs from PTI