Zoom, the video-conferencing app darling of the stay-at-home coronavirus era, is zooming through some cybersecurity growing pains alongside explosive growth.
From businesses conducting all their meetings over Zoom to aspiring Romeos and Juliets, the app is suddenly everywhere. Although we’ve long been able to conduct video chats via the likes of Skype, WebEx, Google Hangouts, FaceTime, WhatsApp, and even Facebook Messenger, Zoom has become the brand name synonymous with video conferencing, much as Kleenex and Band-Aid have for facial tissue and bandages, respectively.
Zoom skyrocketed to 12.92 million monthly active users by the end of February, up 21 percent since December, according to mobile-software tracker Apptopia. Zoom’s founder and CEO, Eric S. Yuan, wrote in a blog post that the number of the company’s daily meeting participants leapt from a maximum of 10 million at the end of December to more than 200 million at the end of March. He said 90,000 schools in 20 countries are now using it for remote learning.
Yuan didn’t write his post to crow about Zoom’s growth. It was a mea culpa for the company, in response to a growing number of security and privacy complaints, as usage shot up, and security researchers found vulnerabilities in Zoom’s code. Most recently, ex-National Security Agency researcher Patrick Wardle revealed two vulnerabilities that require physical access to a Mac running Zoom. One would allow a hacker to trick the computer into handing over access to the microphone and webcam, while a second would give the hacker access to the underlying Mac operating system.
While that might not sound like a threat for most people working remotely during the coronavirus outbreak, it could pose one for those still working in their offices, or for those who are “sheltering in place” with a cyberstalker.
“For attackers, Zoom has become a more opportunistic target. The worrisome thing is how many vulnerabilities were found when researchers just started poking at it. We would look at it sideways, and it would fall over—which is worrisome, and makes us wonder what else is wrong under the hood,” says Wardle, now the principal security researcher at Apple device management company Jamf.
Zoom declined to comment for this story.
Zoom CEO Yuan’s public apology was a pleasant surprise, Wardle says. So was the company’s immediate work to fix the vulnerabilities Wardle had found.
“We appreciate the scrutiny and questions we have been getting—about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users,” Yuan wrote. “We are looking into each and every one of them, and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.”
Zoom’s growing list of security and privacy problems since June 2019 runs the gamut from weak default settings and vulnerabilities in the software itself to development decisions and corporate-policy choices. The problems include webcam hijacking vulnerabilities, sending user data to Facebook without permission (even when users don’t have a Facebook account), abusing installation privileges on Macs, letting hackers steal Windows passwords, and allowing the rise of Zoombombing: sending abusive messages and interfering with conference video in meetings that aren’t passcode-protected.
It was easier to ignore the app when far fewer consumers and businesses used it. But now that it’s practically ubiquitous, security researchers are applauding Yuan’s efforts to secure the app in the hopes that security becomes a priority at the company.
In addition to fixing the vulnerabilities that Wardle discovered and addressing many of the company’s other problems over the past weeks, Yuan also announced a “feature freeze,” under which Zoom will focus on improving the security and privacy settings of its software instead of shipping new features. Zoom will also offer a bug bounty for new vulnerabilities and reach out to penetration testers, professionals paid to hunt for bugs.
While a company fixing vulnerabilities in a day or two is rare, Wardle says he was more impressed with the company’s overall response. “Instead of getting annoyed at security researchers or downplaying this, they acknowledged that they weren’t as serious about security and privacy as they could have been,” he says.
Rik Ferguson, the vice president of security research at security software company Trend Micro, said in an email that Zoom’s problems are numerous, but not unexpected for a company that offered its services for free as the coronavirus pandemic grew in scope.
“With great deployment comes great scrutiny, from abusers, criminals, and security and privacy researchers,” Ferguson wrote. Beyond installing updates as they become available, so that you are protected by the latest security patches, and staying aware of when your microphone or webcam is on, Ferguson offers eight tips on how to host a Zoom meeting more securely:
- Avoid sharing the link to your meeting publicly.
- Don’t use a Personal Meeting ID; use a one-time Meeting ID and a meeting password.
- Disable “Join before host.”
- Disable “Allow removed participants to rejoin.”
- Enable Waiting Room, as it allows you to approve attendees before they join.
- Set screen sharing to “host only” (to avoid someone broadcasting annoying or inappropriate content).
- Disable file transfer (to prevent the transfer of malicious files).
- Once everyone has arrived, lock your meeting.
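The checklist above is a configuration policy, and a host (or an administrator reviewing many hosts) can check it mechanically. The script below is an added example, not code from the article or from Zoom: it audits a meeting’s settings against the eight tips and reports every violation, failing closed when a setting is missing from the export. The dictionary keys are an assumption made for this example and are not Zoom’s API schema; map your own settings export onto them before calling audit().

```python
# Added example: audit Zoom meeting settings against the host checklist.
# Not code from the article or from Zoom. The key names used here are an
# assumption for this example, NOT the Zoom API schema; translate your own
# export of the meeting/account settings onto these keys first.

from typing import Any, Callable, Dict, List, Tuple

Settings = Dict[str, Any]

# (key, predicate that is True when the value is unsafe, finding text)
CHECKS: List[Tuple[str, Callable[[Any], bool], str]] = [
    ("invite_link_public", lambda v: v is True,
     "meeting link is posted publicly; send it to invitees directly"),
    ("uses_personal_meeting_id", lambda v: v is True,
     "Personal Meeting ID in use; generate a one-time Meeting ID"),
    ("password_required", lambda v: v is not True,
     "no meeting password; require one"),
    ("join_before_host", lambda v: v is True,
     "'Join before host' enabled; disable it"),
    ("allow_removed_to_rejoin", lambda v: v is True,
     "'Allow removed participants to rejoin' enabled; disable it"),
    ("waiting_room", lambda v: v is not True,
     "Waiting Room disabled; enable it to approve attendees"),
    ("screen_sharing", lambda v: v != "host",
     "screen sharing not restricted to host"),
    ("file_transfer", lambda v: v is True,
     "in-meeting file transfer enabled; disable it"),
]


def audit(settings: Settings, in_progress: bool = False) -> List[str]:
    """Return one finding per violated rule; an empty list means compliant.

    A key absent from the export is reported as a finding (fail closed)
    rather than assumed safe. Locking is a runtime action taken once
    everyone has arrived, so it is only checked for a meeting in progress.
    """
    findings: List[str] = []
    for key, is_unsafe, text in CHECKS:
        if key not in settings:
            findings.append(f"{key}: not present in export; cannot verify")
        elif is_unsafe(settings[key]):
            findings.append(f"{key}: {text}")
    if in_progress and settings.get("locked") is not True:
        findings.append("locked: everyone has arrived but the meeting is not locked")
    return findings


# Constructed sample (assumption): a meeting left on permissive settings,
# meant to resemble the defaults the article complains about.
PERMISSIVE: Settings = {
    "invite_link_public": True,
    "uses_personal_meeting_id": True,
    "password_required": False,
    "join_before_host": True,
    "allow_removed_to_rejoin": True,
    "waiting_room": False,
    "screen_sharing": "all",
    "file_transfer": True,
    "locked": False,
}

# The same meeting with every item on the checklist applied.
HARDENED: Settings = {
    "invite_link_public": False,
    "uses_personal_meeting_id": False,
    "password_required": True,
    "join_before_host": False,
    "allow_removed_to_rejoin": False,
    "waiting_room": True,
    "screen_sharing": "host",
    "file_transfer": False,
    "locked": True,
}

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        findings = audit(cfg, in_progress=True)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it and the permissive meeting produces nine findings (the eight settings plus the unlocked room), while the hardened one produces none. Treating a missing key as a finding matters in practice: a settings export that silently omits a field should make you go and look, not pass the audit.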
Zoom participants won’t be able to implement these options themselves, but they can check with their meeting host to make sure that person has taken these steps. Ferguson also cautions that, as with many other apps, what happens in the app can be recorded. Meeting organizers can even record the full meeting, so what happens in the meeting may have a life beyond its apparent duration.
The alternatives, from FaceTime to Hangouts to Skype to WebEx, are still available, of course. But, Ferguson cautions, you don’t always get to choose the platform.
Besides, he writes, “I would hate to scare people away from Zoom, if it works for them. It’s easy to use, it can be secured, and the company has demonstrated that they are listening and learning.”