Video conferencing app Zoom yesterday pledged to clean up its act following a wave of scrutiny about its security and privacy policies—but is the software safe to use?
The California-based firm enjoyed a huge influx of new users as the coronavirus outbreak pushed entire countries into lockdown, with social distancing measures forcing citizens to work and learn from home, while relying on video-based chats to stay in touch with close friends and family.
In fact, Zoom revealed the sheer amount of growth in an April 1 blog post, saying it counted about 200 million daily users in March 2020, up from roughly 10 million in December 2019.
It is being widely publicized on social media, used to facilitate virtual classrooms, hangouts and gym sessions.
But the surge also attracted the attention of security experts, who swiftly detailed a slew of bugs, flaws and murky data-sharing practices that appeared to exist in the software.
The bad press came thick and fast. New York Attorney General Letitia James sent a letter to Zoom on Monday, obtained by The New York Times, that questioned its ability to protect webcams from hackers and complained “existing security practices might not be sufficient” to cope with the rising demand.
The same day, the FBI warned about a rise in cases of “Zoom-bombing” that involved conferences being hijacked to show “pornographic and/or hate images and threatening language.”
The situation escalated yesterday as TechCrunch reported that a former National Security Agency (NSA) hacker, Patrick Wardle, had disclosed previously unknown bugs that, if exploited locally, could be used to hack into a victim’s computer and allow an attacker to install malicious spying software.
The Intercept revealed Zoom’s video and audio meetings were not protected by end-to-end encryption, despite claims to the contrary made by its own marketing and security policies.
Motherboard exposed a bug that appeared to be leaking users’ email addresses and photos. An unpatched flaw appeared to leave Windows passwords vulnerable. And it emerged that both SpaceX and space agency NASA had outlawed use of the app due to privacy concerns, Reuters revealed.
With hundreds of millions of people relying on the software during the novel coronavirus outbreak, the company quickly sought to calm fears that general users are at risk. But can it be trusted?
“It is fine for ordinary use, but I would avoid using it for discussing anything particularly sensitive,” independent cybersecurity researcher Sean Wright told Newsweek today.
“It’s not the one issue or even two of them. It’s a collection of issues which point to a product that doesn’t seem to take privacy and security all too seriously. So Zoom is OK for general use, but use something else such as [chat app] Signal if you want to discuss something more sensitive.
“From a privacy perspective, while better than nothing, it’s still not as private as some other applications out there which do provide end-to-end encryption in the true sense,” said Wright.
Dave Kennedy, CTO at Binary Defense and a former U.S. Marine Corps cyberwarfare expert, said on Twitter he considered most of the flaws to be low to medium risk and “not world ending.”
He wrote: “What we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure. Yet the industry is making it out to be ‘this is malware’ and you can’t use this. This is extreme. We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe.”
Some security experts voiced the opinion that hacking bugs should be made public immediately as users deserve to know the potential risks, but Kennedy warned that comes with consequences.
He wrote: “I had a non-tech friend the other day say that they were scared to message their family members because of all the news on how insecure Zoom was. This is what we’ve done.
“Most of these exposures wouldn’t even bubble up to a high or critical finding in any assessments a normal tester would conduct. Yet, it has world reaching implications to the masses that don’t understand the technical details. It creates hysteria when it is not needed.”
Broadly, whether you consider Zoom to be “safe” comes down to how much you are willing to part with your personal data, especially in terms of the free version of the software, experts say.
Aside from risks like “Zoom-bombing,” the Electronic Frontier Foundation (EFF) recently shared a list of the major privacy implications of the video tool, explaining how Zoom hosts are able to monitor all call activity while screen-sharing is live and describing how administrators can see the operating system, IP address, location data, and device information of every participant in a video call.
For its part, Zoom says it is now freezing feature development and shifting all engineering resources to focus on “trust, safety, and privacy issues” and bulking up its bug bounty scheme.
The quick and detailed response was welcomed by Wardle.
Zoom CEO Eric Yuan wrote in a media release yesterday: “For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus.
“We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s… privacy and security expectations. For that, I am deeply sorry.”
Yuan noted the company did not design the video software with the foresight that “every person in the world would suddenly be working, studying, and socializing from home.” He said the company is conducting an audit of its internal systems to “ensure the security” of the new consumer use cases.
“This is not specific to Zoom. All software has unknown vulnerabilities,” cybersecurity researcher Robert Baptiste told Newsweek when asked if he considers Zoom software to be safe.
“Today, people focus on Zoom due to the lockdown and the Streisand effect but it is the same thing for all software,” he added. “My answer would be Zoom is not more or less secure than anything else.”