Security and Privacy Alert - Zoom
BLOOMBERG
APR 3, 2020
During the coronavirus pandemic, it seems as if everyone is connecting with Zoom’s videoconferencing app — including, on occasion, unwanted visitors.
Online trolls have been sneaking into web meetings and disrupting them with profanities and pornography for at least the better part of the last month. Cybersecurity researchers fear these disruptions could be a precursor to more harmful attacks allowing hackers to commandeer connected machines to access secure files or other corporate software.
“Much of our current reality is unchartered territory, and this growing dependence on Zoom at home is just another one,” said Mark Ostrowski, regional head of engineering for Check Point Software Technologies Ltd. “As soon as a platform’s attack surface gets big enough, you can only expect that they’ll become more interesting to attackers. That’s what’s happened to Zoom.”
In a Wednesday blog post, Zoom said that it takes security concerns “extremely seriously” and is working to address them. In addition, a Zoom representative said in an email that the company is upset about reports of harassment on Zoom and has sought to educate users about protecting meetings.
But there’s good news. Users don’t have to follow Elon Musk, whose SpaceX has banned the use of Zoom Video Communications Inc. amid privacy concerns.
There are a few simple steps to host secure video meetings, according to security experts. For instance, ensure your meeting is password protected, and don’t share meeting IDs and passwords on social media, where criminal hackers may grab the credentials.
Experts also recommend that meeting or classroom organizers take attendance and kick out unwanted visitors.
Zoom’s shares have more than doubled this year as investors bet that the teleconferencing company would be one of the rare winners from the coronavirus pandemic. The company has become wildly popular, reaching more than 200 million daily meeting participants in March, according to its blog. But it has also drawn increased scrutiny from cybersecurity and privacy experts.
The most recent incident came on Monday when Patrick Wardle, principal security researcher at Jamf, published a blog about two new flaws in Zoom. If already infected with malware, the Mac OS desktop version could enable attackers to gain high-level privileges and hijack the webcam and microphone, he said. Zoom said it subsequently released fixes for the issues.
Zoom appears to have been designed with security as an “afterthought,” Wardle said, adding that it was a common phenomenon among startups primarily focused on users and funding.
But Zoom’s meteoric popularity has drawn additional scrutiny.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Zoom said in the blog post. The influx of new users has presented the company with “challenges we did not anticipate when the platform was conceived” and that company “committed to learning from them and doing better in the future.”
On March 30, the FBI issued a warning about so-called “zoom-bombing,” urging users not to make classes or meetings public or share links to teleconferences on social media.
That same day, a Zoom user sued the company claiming its services were illegally disclosing personal information.
The company collects information when users install or open the Zoom application and shares it, without proper notice, to third parties including Facebook Inc., according to the federal lawsuit. Yet Zoom’s privacy policy doesn’t explain to users that its app contains code that discloses information to others, according to the complaint.
Zoom acknowledged that it shares data with Facebook in a blog post on March 27.
In addition, New York State Attorney General Letitia James wrote a recent letter to Zoom that included “a number of questions to ensure the company will take appropriate steps to ensure users’ privacy and security is protected,” according to a spokesperson for the attorney general’s office, who declined to share a copy of the letter.
Concerns over Zoom’s security practices aren’t new. Last year, a researcher named Jonathan Leitschuh discovered that the desktop version of Zoom for Macs quietly installed a web server — one that remained on systems even if the app was removed — that presented a new way for hackers to access webcams, he said. Apple Inc. released an update in July that plugged the security hole.
Holding Zoom’s “feet to the fire” around security and privacy amid the app’s new popularity will create incentives for the company to adapt, Leitschuh said in an interview.
April 3, 2020