Video conferencing app Zoom, which grabbed the spotlight in recent months during the COVID-19 coronavirus outbreak, has hit the headlines again, but for the wrong reasons. Zoom’s popularity has skyrocketed as millions of people turn to remote or home-based work amid the ongoing pandemic. However, that popularity and increased usage have also drawn cyber criminals, who see tremendous opportunity in the platform, prompting analysts to raise serious questions about its user privacy and security.
The company is now in the soup: Elon Musk’s SpaceX has just banned employees from using the video-conferencing app over “significant privacy and security concerns”, according to a memo seen by Reuters. Following SpaceX’s lead, several other enterprises have taken similar steps.
In response to these concerns, Zoom has announced it is immediately freezing feature development for 90 days to improve security and privacy, and that it will conduct a third-party security review. Analysts wonder whether Zoom is becoming a victim of its own success.
Zooming into user privacy
Analysts have long said that hacking into a Zoom meeting can be relatively easy if certain security settings are not turned on. Zoom is now facing a huge privacy and security backlash from security experts, business leaders and lawmakers. Several other reports suggest that users complain of getting “Zoombombed”, that is, third parties hacking into their meetings to share inappropriate material.
In recent weeks, scrutiny over Zoom’s security practices has intensified, with a lot of the concern focused on its default settings and the mechanisms that make the app so easy to use.
“With the Zoom boom taking over social media, users should be careful how much you share in your screenshot. Some meeting tools allow you to limit meetings to only people in your organization or add a password, but not all do. It’s important to understand the link sharing options for file sharing – this includes video links and services like Zoom. The last thing you want is an intruder (external or internal) to drop in on sensitive meetings,” said Aaron Zander, Head of IT, HackerOne.
Meanwhile, Zoom, whose website initially said that you can “secure a meeting with end-to-end encryption,” was forced to admit it was actually misleading people. “It is not possible to enable E2E encryption for Zoom video meetings,” a Zoom spokesperson admitted in a statement to The Intercept, after the publication revealed that Zoom actually uses transport encryption rather than end-to-end encryption.
“If it’s all end-to-end encrypted, you need to add some extra mechanisms to make sure you can do that kind of ‘who’s talking’ switch, and you can do it in a way that doesn’t leak a lot of information. You have to push that logic out to the endpoints,” Matthew Green, a cryptographer and computer science professor at Johns Hopkins University told The Intercept. This isn’t impossible, though, Green said, as demonstrated by Apple’s FaceTime, which allows group video conferencing that’s end-to-end encrypted. “It’s doable. It’s just not easy.”
“They’re (Zoom) a little bit fuzzy about what’s end-to-end encrypted,” Green said of Zoom. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.” The only feature of Zoom that does appear to be end-to-end encrypted is in-meeting text chat.
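To make the transport-versus-end-to-end distinction above concrete, here is an added toy simulation (not Zoom’s code or protocol; the cipher is a constructed HMAC-SHA256 keystream used only for illustration). A relay server that holds the per-link keys sees the plaintext under transport encryption, but sees only ciphertext when the endpoints share a meeting key the server never receives, which is why “who’s talking” logic must then move to the endpoints, as Green describes.

```python
import hashlib
import hmac

# Constructed toy stream cipher: HMAC-SHA256 keystream in counter mode.
# Illustrative only; it is not Zoom's cipher and not for real data.
def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)  # XOR twice with the same key/nonce restores the input

def transport_relay(alice_link: bytes, bob_link: bytes, nonce: bytes, plaintext: bytes):
    """Transport encryption: each hop is encrypted, but the relay holds both
    link keys, so it decrypts and re-encrypts and therefore sees the media.
    Returns (what the server saw, what Bob received)."""
    wire_in = xor_stream(alice_link, nonce, plaintext)       # Alice -> server
    seen_by_server = xor_stream(alice_link, nonce, wire_in)  # server decrypts
    wire_out = xor_stream(bob_link, nonce, seen_by_server)   # server re-encrypts
    received = xor_stream(bob_link, nonce, wire_out)         # Bob decrypts
    return seen_by_server, received

def e2e_relay(meeting_key: bytes, alice_link: bytes, bob_link: bytes,
              nonce: bytes, plaintext: bytes):
    """End-to-end encryption: content is first encrypted under a meeting key
    only the endpoints hold. The relay can still strip its own link layer,
    but what it sees is ciphertext, so it cannot inspect or switch on content.
    Returns (what the server saw, what Bob received)."""
    inner = xor_stream(meeting_key, nonce, plaintext)        # endpoint layer
    wire_in = xor_stream(alice_link, nonce, inner)           # link layer
    seen_by_server = xor_stream(alice_link, nonce, wire_in)  # == inner, opaque
    wire_out = xor_stream(bob_link, nonce, seen_by_server)
    received = xor_stream(meeting_key, nonce, xor_stream(bob_link, nonce, wire_out))
    return seen_by_server, received

if __name__ == "__main__":
    pt = b"board meeting: Q2 numbers"               # constructed sample content
    seen, got = transport_relay(b"alice-link", b"bob-link", b"n1", pt)
    print("transport: server saw plaintext:", seen == pt, "| Bob got it:", got == pt)
    seen, got = e2e_relay(b"meeting", b"alice-link", b"bob-link", b"n1", pt)
    print("e2e: server saw plaintext:", seen == pt, "| Bob got it:", got == pt)
```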
Zoom has battled security and privacy concerns before. Apple was forced to step in and silently remove Zoom software from Macs earlier, after a serious security vulnerability allowed websites to hijack Mac cameras.
However, what works in Zoom’s favour is its ease of use. The other reasons businesses flock to Zoom are its lower cost and its availability on Android and iOS phones. According to a new report from App Annie, Zoom Cloud Meetings was the top app downloaded in the first two weeks of March, with the bulk of downloads coming from the US and UK.
CISOs to guard their turf
The note for CIOs and CISOs is that, going forward, Zoom users may face several other issues. According to a report from Check Point, hackers are taking advantage of the rise in Zoom usage by registering fake and malicious Zoom domains. The report stated that around 1,700 new Zoom-related domains have been registered since the pandemic began, with 25% of them registered in the past seven days alone.
Nonetheless, CISOs can continue to use Zoom or any other video calling platform by following some security best practices. As Devashish Sharma, CTO at Flock, said, “Apart from selecting an end-to-end encryption and multi-factor authentication platform, the leadership team in organizations should educate themselves about IT security best practices. Additionally, it is extremely vital to empower the IT teams to take decisions around security by helping them undertake training and courses that are relevant to their profile.”
Jonathan Knudsen, Senior Security Strategist, Synopsys Software Integrity Group, said, “CIOs should make sure the organization’s video conferencing platform protects your meeting and its data by encrypting the data between participants. Ideally you want outgoing content (video, audio, text, files etc.) to be encrypted by each participant and decrypted when it arrives at the other participants. This ensures that your meeting content is transported over the network encrypted so that anyone eavesdropping on the network traffic will see only unintelligible encrypted data.”
“It is also important to be careful with meeting recordings. Make sure your video conferencing platform encrypts recordings and requires a password or other authentication to view them. Again, be careful about distributing the recording information so it does not fall into the wrong hands,” he said.
To conclude, the incident clearly serves as an eye-opener for CIOs and CISOs, who can no longer rest on their laurels and must instead focus on best practices to prevent hackers from taking undue advantage of their video calling platforms. With over 74,000 customers and 13 million active users around the globe, it will also be interesting to see whether Zoom can come clean and surpass its competition in the coming months.