I've tried to contact Zoom about this, but it's been a week and they aren't answering back. 

We have our schools switched to Google Meet for now due to a warning sent out by Michigan State Police Cyber Command Center regarding security concerns involving Zoom. We have not heard any updates from MSP, and we have not heard anything from Zoom. Our users would like to get back to using their Zoom accounts for their meetings, but due to the sensitive nature of their communications, we are being very cautious.

Anyone here have any updates regarding this Michigan Cyber Command Center warning about Zoom meetings? They have not released an update either. 

Email Message From Michigan State Police: 

From: Michigan Cyber Command Center (MC3)  Date: Fri, Mar 14, 2025, 11:23 AM Subject: TLP:CLEAR - MC3 Cyber Situational Awareness Message (SAM) – Major Security Concerns Involving Zoom To: Michigan Cyber Command Center (MC3) 

TLP:CLEAR MC3 Cyber Situational Awareness Message (SAM) – Major Security Concerns Involving Zoom

Overview:

In recent years, Zoom has become a go-to tool for virtual meetings and remote collaboration. However, its widespread adoption has exposed several security vulnerabilities that make it unsuitable for professional or sensitive business use. The MC3 is aware of major security flaws in the Zoom communication software which are likely being leveraged by cyber threat actors to intercept and collect information. Since 2022 Zoom has had 107 known vulnerabilities. If users are not keeping up with patches for these vulnerabilities, they are at risk of having their data stolen and/or allowing unauthorized access to a Zoom session.

Security concerns with Zoom:

Data Encryption Gaps - Zoom claims to offer encryption, but it does not implement end-to-end encryption in all aspects of the platform. While meetings are encrypted in transit, Zoom itself retains access to meeting data and may decrypt content potentially exposing sensitive information to unauthorized users. Zoombombing - In the past, Zoom has faced high-profile incidents of "Zoombombing," where uninvited individuals join meetings to disrupt conversations or share inappropriate content. Though measures have been implemented to address this, the platform's default security settings were not strong enough to prevent such disruptions. Poor Default Security Settings - Default settings, such as allowing attendees to join meetings without authentication or enabling video and audio by default, can create security risks if not manually adjusted by the host. This can expose meetings to cyber threat actors and allow unauthorized access. The MC3 assesses with high confidence cyber threat actors are targeting Zoom to collect sensitive information from unwitting victims. Zoom collects, stores, and sells a lot of user data adding to the security concerns associated with Zoom. For more information on the data collected, stored, and sold by Zoom see the following link: https://www.zoom.com/en/trust/privacy/privacy-statement/

Recommendations:

The MC3 recommends any organizations handling sensitive or confidential information, to consider alternative platforms with more robust security measures, including true end-to-end encryption, stronger authentication protocols, and more granular control over meeting access. Always review and update security settings on Zoom to mitigate risks but be mindful that no platform is immune to vulnerabilities.

Alternate means of video teleconferencing:

Google Meet

Microsoft Teams

Cisco Webex

If your organization must use Zoom be sure to update to the most recent version. By staying informed about the risks associated with Zoom, organizations can make better decisions about which tools to trust for their digital communications.

Michigan Cyber Command Center

Cyber Section

Intelligence Operations Division

Michigan State Police

7150 Harris Dr Dimondale, MI 48821