The prime minister, who is self-isolating after testing positive for coronavirus, joined his top team for their ‘first-ever’ digital Cabinet’ on video conferencing platform Zoom this morning.
He later posted a picture with government ministers – including Dominic Raab, Michael Gove and Jacob Rees-Mogg – reminding the public to ‘stay at home, protect the NHS, save lives’.
However, people on Twitter immediately noticed that the Tory leader had left the Zoom meeting ID number in the top left corner of the screenshot, as well as the usernames of some ministers taking part.
Speculation was rife that the public would be able to dial into the next meeting or contact ministers personally, with people trying out different passwords. Downing Street has insisted the Cabinet’s online gatherings are secure and the meeting ID was password protected.
However, according to one cybersecurity expert, the prime minister’s tweet showing meeting details broke a key rule about security when using such technology. Jonathan Knudsen, senior security strategist at Synopsys, has warned those using tools such as Zoom must ‘be careful about sharing the meeting information’.
He said: ‘Video conferencing helps people stay connected by being able to speak to each other, see each other, and share text and files. ‘Like any other technology, however, video conferencing has security risks that must be considered.
No matter who you are, publishing information to the world must be done carefully. ‘Boris Johnson’s Twitter post reveals a Zoom meeting ID and what appears to be one or two personal IDs that might correspond to email addresses.
‘In the worst-case scenario, the meeting ID will be reused, the meeting is not protected by a password, and an eavesdropper is able to join.
Likewise, Mr Johnson’s colleagues might get unsolicited and unwanted email. ‘Before posting anything online, stop and think. In the best-case scenario, this screenshot was reviewed and determined to contain no sensitive information.’ Richard Bejtlich, principal security strategist at Corelight has also advised that Zoom users treat their Zoom meeting IDs as sensitive and not share them on social media.
He said: ‘Meeting owners should also set unique passwords for meetings, to prevent unauthorised access by those who obtain or guess meeting IDs.’ It comes after concerns were raised over the security of Zoom when the Ministry of Defence banned staff from using it.
A Downing Street spokesman said new IDs were being generated each time the software was used and No 10. is ‘following all necessary security procedures’. He added: ‘I am happy to say with confidence we were satisfied it was secure’.
The only thing worse than starting something and failing… is not starting something.