As workers adapt to remote work amid the COVID-19 outbreak, many people are looking for an easy-to-use video conferencing solution. Zoom is an obvious first choice for many of them: it is easy to set up, and its generous free tier makes it an attractive option. Since 2011, Zoom has done well at attracting new users, thanks largely to word-of-mouth, “viral” adoption among employees rather than the top-down software rollouts often mandated by IT departments. As Jonathan Leitschuh discovered, there are some serious privacy and security issues to take into account with Zoom.

Security vulnerabilities with Zoom

As Leitschuh discovered, the Zoom client for macOS installed a hidden local web server that let any website a user visited force them into a Zoom meeting, with their webcam enabled, bypassing the browser's usual confirmation prompt; the server even survived uninstalling the client. When this was responsibly disclosed to Zoom, Leitschuh claims that Zoom delayed acting on the vulnerability and did not discuss what he had found until 18 days before the end of the 90-day disclosure “grace period.” Then, on June 24, “after 90 days of waiting, the last day before the public disclosure deadline,” Leitschuh says that Zoom simply deployed a “quick fix” he had suggested to the company three months earlier. That is not how you would generally expect a software vendor to act, and it is hard to avoid the impression that Zoom valued the convenience the local server gave it more than patching it promptly.

Odd security policy allowing third-party and possibly malicious scripts

More recently (yesterday, in fact), security researchers Jasvir Nagra and Scott Helme noticed some odd third-party scripts running on Zoom's website that seemed to contradict the site's security policy. As Helme tweeted, the 50million club website is rather interesting indeed. A Google search for the same domain turns up listings warning people about 50million club pop-ups: a social engineering attack that displays fake error messages claiming your computer is infected with malware. It is not clear whether Zoom is aware that it is trusting what looks to be a malicious URL.
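One way to check for the kind of mismatch Nagra and Helme spotted, as an added example that is not code from the original post or from Zoom: parse a page's Content-Security-Policy header and flag the script URLs that its script-src allowlist does not actually cover. The policy strings, page origin and script URLs below are constructed for illustration (hypothetical hosts, not Zoom's), and the matcher implements only the common subset of CSP source-expression rules (host, wildcard host, scheme, 'self', port and path), not nonces or hashes.

```python
# Added example: audit observed script URLs against a Content-Security-Policy.
# Not code from the original post or from Zoom; the policies, origin and URLs
# below are constructed test data.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header):
    """Parse a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_matches(pattern, host):
    """'*.example.com' matches subdomains only; anything else must match exactly."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_allows(expr, url, page_origin):
    """Return True if one CSP source expression permits `url`.

    Implements the common subset of CSP source matching: 'none', '*', 'self',
    scheme sources ("https:") and host sources ([scheme://]host[:port][/path]).
    Keyword, nonce and hash sources never match a URL.
    """
    expr = expr.lower()
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "*":
        return u.scheme in DEFAULT_PORTS
    if expr == "'self'":
        p = urlsplit(page_origin)
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):
        return False
    if expr.endswith(":") and "/" not in expr:      # scheme source, e.g. https:
        return u.scheme == expr[:-1]
    scheme, _, rest = expr.rpartition("://")         # host source
    host_port, _, path = rest.partition("/")
    host, _, port = host_port.partition(":")
    if scheme and scheme != u.scheme:
        return False
    if not _host_matches(host, (u.hostname or "").lower()):
        return False
    url_port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    if port == "":                                   # no port given: default port only
        if url_port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and str(url_port) != port:
        return False
    if path:
        exp_path = "/" + path
        if exp_path.endswith("/"):                   # directory: prefix match
            return u.path.startswith(exp_path)
        return u.path == exp_path                    # file: exact match
    return True


def script_allowed(policy, url, page_origin):
    """script-src governs scripts; default-src is the fallback; no directive means no restriction."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def audit_scripts(header, observed_urls, page_origin):
    """Return the observed script URLs that the policy does not permit."""
    policy = parse_csp(header)
    return [u for u in observed_urls if not script_allowed(policy, u, page_origin)]


# Constructed test data (hypothetical hosts, not Zoom's policy or domains).
PAGE_ORIGIN = "https://www.example-meet.test"
OBSERVED_SCRIPTS = [
    "https://www.example-meet.test/static/app.js",
    "https://cdn.example-static.net/lib/vendor.js",
    "https://pixel.trusted-analytics.example/t.js",
    "https://popup.unknown-club.example/fake-alert.js",  # stand-in for an unexpected third party
]
# Looks like an allowlist, but the trailing "https:" permits any HTTPS origin.
LOOSE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example-static.net "
             "*.trusted-analytics.example https:")
# Same hosts without the scheme source: only the listed origins may serve scripts.
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.example-static.net "
              "*.trusted-analytics.example")

if __name__ == "__main__":
    for name, csp in (("loose", LOOSE_CSP), ("strict", STRICT_CSP)):
        print(name, "policy blocks:", audit_scripts(csp, OBSERVED_SCRIPTS, PAGE_ORIGIN))
```

The loose policy is the contradiction worth looking for: it lists specific hosts, which reads like an allowlist, but the bare `https:` source permits a script from any HTTPS origin, so the unexpected third party passes. Run the same observed URLs against the strict policy and it is flagged.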

Since this post was published, there have been several developments with Zoom:

  • On March 26th, Motherboard discovered that Zoom was sending data to Facebook, even from users without a Facebook account and without their permission.
  • On March 27th, Zoom founder Eric Yuan thanked Joseph Cox of Motherboard for bringing the privacy concerns to their attention, while failing to acknowledge the security flaws.
  • On March 30th, Patrick Wardle, a former NSA hacker, disclosed a zero-day vulnerability in Zoom on his blog.
  • On March 30th, Bloomberg reported that a class action lawsuit had been filed against Zoom for illegally disclosing personal information.
  • On March 30th, the FBI warned about the hijacking of Zoom teleconferences.
  • On March 31st, a report from The Intercept found that Zoom had falsely advertised itself as using end-to-end encryption.
  • On April 3rd, Dan Ehrlich of Twelve Security mapped out more than 130,000 subdomains associated with zoom.us and noted ties to military hacking activity.
  • On April 3rd, researchers at the University of Toronto's Citizen Lab also found that Zoom's encryption keys were at times issued by servers in China.
  • On April 5th, school districts, including New York City's, started banning Zoom over security and privacy issues, TechCrunch reports.
  • On April 7th, Taiwan joined Canada in banning Zoom for government video conferencing, CBC reports.
  • On April 9th, Google banned employees from using Zoom on their devices.
  • On April 13th, Bleeping Computer reported that over 500,000 Zoom accounts were being sold on hacker forums and the dark web.
  • On April 14th, Standard Chartered's chief told staff to stay off Zoom and Google Hangouts, Reuters reports.

How can people ensure video conferencing is secure and private?

Security, privacy, and ease of use shouldn’t have to be a trade-off when holding online meetings. Microsoft Teams, bundled with Office 365, is another popular choice, although our support team is well aware of known issues with Teams that make it a challenge for many organizations to adopt. After researching and testing some more secure video conferencing tools, I found several that are open source, which lets you move your instance to another provider if you wish. With open source there is also the option to customize the source code to suit individual needs or to comply with legislation such as GDPR or HIPAA.

Jitsi

jitsi.org

A clear leader in free video conferencing is Jitsi, mostly due to its extreme ease of use: it runs directly in the browser with no download and no registration required. To set up a video-conferencing session, you just point your browser to Jitsi Meet (meet.jit.si), enter a room name (or accept the random one that is offered), and click Go. Once you give Jitsi permission to use your webcam and microphone, it generates a web link and a dial-in number others can use to join your session, and you can add a conference password for an added layer of security. Media is carried over WebRTC and encrypted with DTLS/SRTP between each participant and the server. That server component, Jitsi Videobridge, is written in Java and keeps latency low by relaying each participant's audio and video packets to the others without decoding them. The caveat is that the bridge decrypts and re-encrypts those streams, so multi-party calls are encrypted hop by hop rather than end to end, which is one good reason to host the bridge yourself.

An excellent cross-platform solution, with Android and iOS apps that let you make and take Jitsi video conferences on the go, and you can host your own multi-user video-conference service by installing Jitsi Videobridge on your server. There is also an option to record meetings and save them to your Dropbox account. While Jitsi is said to support over 1,000 participants in a meeting, in our testing 250 participants noticeably slowed performance and put a high CPU load on the host computer.

Benefits

Ease of use

No sign up required

Open Source

Free

Group calls & chat

Limitations

Uses local computer resources

Brave

brave.com

The privacy-focused web browser Brave has been busy in recent years. Last year it launched Brave Rewards, which lets users of the browser earn Basic Attention Token (BAT), a cryptocurrency, by viewing opt-in advertisements. By default the browser blocks ads and trackers on the websites it loads, which cuts down on data usage and load time. It is built on Chromium, so it looks and behaves much like Google Chrome. Brave now boasts over 13.9 million monthly users.

The latest feature added to Brave is an online video conferencing service that does not require any download. It is based on the open source Jitsi software described above. Simply visit together.brave.com in the Brave browser to start your video call.

Benefits

Ease of use

No sign up required

Open Source

Free

No Download

Limitations

Uses local computer resources

Nextcloud

Setup a Nextcloud instance

We have been a big supporter of the Nextcloud project since before its developers left ownCloud to found it. This open source software provides you with your own private cloud, installed on your own server, with plenty of tools geared toward collaboration. Although it is free, open source software, you will need a server; with our service you can set one up with a few clicks and have Nextcloud pre-installed. Users can store and share documents and files using either the web interface or just by dropping them into a Nextcloud directory on their desktop, which the Nextcloud desktop client synchronizes automatically. The web interface also includes a chat application called Talk, which adds voice and video calls and turns Nextcloud into a conferencing platform as well. Talk connects participants peer to peer by default, so larger calls quickly become resource intensive without its optional high-performance backend.

Benefits

Regular new features

Open Source

Unlimited users

Limitations

Requires server

Resource intensive

Early days for video

Jami

jami.net

A true open source product, Jami is licensed under the GPLv3 and takes its commitments to security and free and open source software seriously. Communications are end-to-end encrypted and authenticated using RSA/AES/DTLS/SRTP and X.509 certificates. It is fully distributed: your account lives on your device and peers find each other over a DHT, so there is no central server to register with.

Jami’s features include teleconferencing, media sharing, and text messaging. For more information about Jami, see its source code repository and its FAQ, which answers many questions about using the system.

Benefits

No sign up required

SIP compatible

Easy to use

Limitations

Basic video conferencing

Both users require app

Riot

riot.im

Riot is a lot more than just a video-conferencing solution: it is team-collaboration software with plenty of communication features built in, including voice and video calls, file sharing, notifications, and project reminders. Another great feature of Riot is that it can bridge to people using other tools, including IRC, Slack, Twitter, SMS, and Gitter. Riot is a client for the Matrix protocol, so you can run your own Matrix homeserver or use a free public one such as matrix.org. It is available under an Apache 2.0 license, its source code is on GitHub, and you can find documentation, including how-to videos, on its website.

Benefits

Mobile friendly

Free & Open Source

Easy to use

Limitations

Requires server

Implementation can be tricky

Limited desktop support

Signal

signal.org

For mobile devices running Android or iOS, the open source Signal app offers end-to-end encrypted voice, video, text, and photos, and it has been endorsed by security and cryptography experts including Edward Snowden and the Electronic Frontier Foundation. Registration is really simple: download it from the iOS or Android app store or visit signal.org/install, enter your mobile number, and you are good to go. To make a video call, both users need the mobile app; there is a desktop app, but it only supports text chat, not video calls. An excellent choice for secure group chat.

Benefits

Mobile friendly

Free to use

Easy to use

Limitations

No video conferencing

Both users require app

Limited desktop support

Linphone

linphone.org

Linphone is dual-licensed: there is an open source GPLv2 free version as well as a commercial license for embedding it in proprietary projects. As a VoIP client that operates over the Session Initiation Protocol (SIP), you will need a SIP address to use it, and Linphone limits you to contacting other SIP addresses, not cellphones or landlines. Linphone provides a free SIP service that lets you make audio and video calls, hold web conferences, chat, and share files and photos, with transport protected by SIP over TLS, SRTP, SRTP-DTLS, and ZRTP, plus end-to-end encryption for messaging. A drawback is that there are no screen-sharing or other collaboration features.

Benefits

Mobile friendly

Free & Open Source

Easy to use

Limitations

No cellphones or landlines

No collaboration features

No screen sharing

Others worth looking at

These are services on our list to try out that look good. I actually tried Wire and it was great.

  • Wire
  • Cisco Webex
  • Proficonf
  • FreeConference.com

Zoom re-branded services

These vendors are using Zoom to power their own video conferencing service. If you use any of these for video calling, you are also using Zoom.

  • RingCentral
  • Zhumu
  • Telus Meetings
  • BT Cloud Phone Meetings
  • Office Suite HD Meeting
  • AT&T Video Meetings
  • BizConf
  • Huihui
  • UMeeting
  • Zoom CN

We recognize that working from home is going to require a reshuffle of how organizations, offices, and employees work. However, workers’ personal privacy should not be sacrificed in this transition.

Now that offices are closed, it is more important than ever that workers remember security guidelines. We have resources that can help you stay safe: our 5 tips to stay safe online outline best practices, and our Internet Security Bundle can help employees maintain their security and privacy while working from home.