UPDATE: Since we first published this story, Zoom has implemented end-to-end encryption for all users.
Until recently, you had probably never heard of the video conferencing software Zoom.
But now, as we remain in lockdown and are forced to communicate with colleagues and friends remotely, it’s one of the world’s most talked-about technologies – whether that’s because of its easy-to-use and free set-up or because of accusations that it steals your data and infects you with malware.
So, which side of the divide should you be on? Let’s take a look.
What are people’s concerns about Zoom?
There are plenty of justifiable reasons to be wary of Zoom. For example, security researchers have found several major vulnerabilities – one of which can be used to steal Windows passwords, and another two that can be used to take over a Zoom user’s Mac and tap into the webcam and microphone.
There were also reports that Apple was forced to step in to secure millions of devices after it learned that Zoom installed a secret web server on users’ Macs, and that Zoom has an “attendee tracking” feature that lets a host see whether participants clicked away from the app during a call.
And then there’s the threat of “zoombombing”, where uninvited guests enter meetings to harass participants and snoop into people’s homes.
Does Zoom sell Personal Data? Depends what you mean by “sell.”
It then goes on to explain what it doesn’t mean by “sell”, in a way that Bruce Schneier describes as “[being] carefully worded by lawyers to permit them to do pretty much whatever they want with your information while pretending otherwise”.
“I really messed up”
When you stack all these issues next to each other, it’s easy to dismiss Zoom as another rogue app that is actively trying to harm its userbase.
Perhaps that’s true, but it could just as easily be an example of Hanlon’s razor: “never attribute to malice that which is adequately explained by stupidity” – although perhaps ‘negligence’ is the more accurate term.
Zoom has been hurriedly addressing the myriad security flaws that have been unearthed in recent weeks, which is perhaps a sign that its developers were, at best, careless.
CEO Eric Yuan acknowledged as much last week, telling the Wall Street Journal that he “really messed up” the app’s security.
Another explanation for Zoom’s security failures, Bloomberg’s Tae Kim argues, is that it was a victim of its own success.
“Much of its problems stem from the unintended consequences of when demand explodes in unexpected ways,” Tae writes. “Originally founded in 2011 for corporate clients, Zoom’s software is now being used in situations it was never designed for.”
He notes that the organisation was slow to recognise the changing demands of its users, many of whom weren’t familiar with the security features that would have prevented many of these issues.
Likewise, under ordinary circumstances, an organisation’s IT team would carefully assess any potential new software, apply controls where necessary and guide staff on how to use it responsibly.
Unfortunately, the suddenness with which employees were asked to work from home meant that organisations needed quick solutions. Meanwhile, many organisations that previously didn’t rely on this kind of software (and therefore had no processes in place to manage the way new technologies were rolled out) simply plumped for the most cost-effective option without considering the security implications.
What action has Zoom taken?
Zoom has taken accountability for many of its security and privacy failings, which is always a positive step.
Likewise, it has implemented several controls to improve its security posture, such as password-protecting meetings by default and adding a waiting room feature, which allows the host to select who can enter a meeting.
But perhaps the most important thing it did was to advise users on what they can do to stay safe. Many of the problems stem directly from people failing to perform basic actions (such as password-protecting their meetings) or doing things that actively jeopardise their security.
Remember when the UK government was criticised for holding a cabinet meeting on Zoom? The problem was that Prime Minister Boris Johnson tweeted a picture of the meeting that included the room ID.
Luckily, the meeting had already concluded, but had that not been the case, anyone with that information could have ‘zoombombed’ the meeting.
End-to-end encryption for all users
Zoom found itself in hot water in March – just as its popularity was booming – after The Intercept reported that video calls on the platform weren’t end-to-end encrypted, despite Zoom claiming otherwise.
The failure to do this gave criminal hackers the ability to capture users’ information either at rest (on their computer or Zoom’s server) or as it was being transmitted from one to the other.
However, in the wake of criticism, Zoom added end-to-end encryption for its subscribers – and will be extending the feature to all users from July.
CEO Eric Yuan had originally stated that the feature wouldn’t be made available to those using the free version of the software, because Zoom needed the data to “work together with FBI [and] local law enforcement in case some people use Zoom for a bad purpose”.
However, Yuan released a statement on June 17 saying that the organisation had changed its decision after speaking with civil liberties groups, child safety advocates, encryption experts, government representatives and users.
If you find yourself facing a cyber security disaster, IT Governance is here to help. Our Cyber Incident Response service provides the help you need to deal with the threat, as our experts guide you through the recovery process.
They’ll review the breach, mitigate the damage and ensure that you are up and running again as soon as possible.
Coronavirus: your biggest challenge yet
If you’re one of the many organisations that are using Zoom for team meetings during the lockdown, you’ll be well aware of the cyber security uncertainties that have come with the coronavirus pandemic.
But software vulnerabilities are just one of the many issues you should be concerned about. Are your employees’ home Wi-Fi connections secure, for example? And do they understand the dangers of phishing scams?
A version of this blog was originally published on 19 April 2020.