The UK prime minister’s post showed the meeting ID number on video conferencing platform Zoom, as well as the usernames of some ministers taking part.
Johnson’s communications with his top team of ministers are secure, Downing Street insisted after the online meeting. But according to one cybersecurity expert, the prime minister’s tweet showing meeting details broke a key rule about security when using such technology.
Jonathan Knudsen, senior security strategist at Synopsys, said those using tools such as Zoom must “be careful about sharing the meeting information”.
“Video conferencing helps people stay connected by being able to speak to each other, see each other, and share text and files. Like any other technology, however, video conferencing has security risks that must be considered,” he said. “No matter who you are, publishing information to the world must be done carefully.
“Boris Johnson’s Twitter post reveals a Zoom meeting ID and what appear to be one or two personal IDs that might correspond to e-mail addresses. In the worst-case scenario, the meeting ID will be reused, the meeting is not protected by a password, and an eavesdropper is able to join. Likewise, Johnson’s colleagues might get unsolicited and unwanted e-mail.
‘Stop and think’
“Before posting anything online, stop and think. In the best-case scenario, this screenshot was reviewed and determined to contain no sensitive information.”
Richard Bejtlich, principal security strategist at Corelight, said: “Zoom users should treat their Zoom meeting IDs as sensitive and should not share them on social media. Meeting owners should also set unique passwords for meetings, to prevent unauthorised access by those who obtain or guess meeting IDs.”
A password was in place to protect the virtual cabinet meeting and, while some Zoom meeting numbers can be repeatedly used, Downing Street said new meeting IDs were being generated each time the software was used.
This morning I chaired the first ever digital Cabinet.
— Boris Johnson #StayHomeSaveLives (@BorisJohnson) March 31, 2020
Concerns have been raised about Zoom after the use of the software by British ministry of defence staff was suspended last week while “security implications” were investigated.
There have been reports of strangers gaining access to meetings and displaying explicit material, in a process which has become known as “Zoombombing”, if proper security measures are not taken, such as locking a meeting once all expected attendees have joined.
The service has come under increased scrutiny in recent weeks as millions of workers and students turn to its video conferencing tools to help with working from home during the coronavirus pandemic.
Zoom lists a number of additional security options on its website for users making video conferencing calls, including creating a waiting room for invited attendees before a meeting starts and only allowing those with provided e-mail addresses to join a meeting.
Cabinet ministers dialled into the meeting instead of sitting around the table in 10 Downing Street as part of social distancing measures to curb the spread of Covid-19.
Downing Street was “following all necessary security procedures” and “I am happy to say with confidence we were satisfied it was secure”, the spokesman added. — Reported by David Hughes and Martyn Landi