Ever since the majority of the companies rolled out the work-from-home option for their employees in the coronavirus pandemic, countless gatherings have been taking place on Zoom – the viral video conferencing app. Within just three months, the number of Zoom users surged into 200 million (as of March 2020) from 10 million.
However, this sudden rise in the Zoom’s popularity made it equally easy for cyberattackers to hijack meetings and exposed crucial privacy shortages. From the reports of “Zoom bombers” to the recent news on videos of chats available online, the company is now undergoing the harsh repercussions of that speedy growth.
Our goal through this article is, to make you aware of all problems caused due to inadequate privacy and security of the platform and talk about possible workarounds.
Video Calls Left Exposed
Leading up the pandemic, thousands of Zoom video call recordings have been left exposed on the open web. As per a report by The Washington Post, the videos included personal therapy sessions, business meetings that included company financial statements, school classes, videos that contained deeply intimate conversations, as well as personally identifiable information.
As the news outlet sighted, these videos can be viewed and downloaded by anyone through a cursory search online. This is because Zoom video recordings are named identically, making it quite simple to download and view thousands of more such videos.
The “Misinterpreted” End-To-End Encryption
Zoom claimed in marketing materials and white papers that its video calls are end-to-end encrypted. But they later came with a clarification statement that their concept of end-to-end encryption was different from the rest.
According to a Zoom spokesperson, the phrase end-to-end refers to the “connection being encrypted from Zoom endpoint to Zoom endpoint”. Sounds good, but the problem is, they considered the Zoom server as an endpoint. However, for every other company, the endpoint is a user device, and “end-to-end encryption” means servers that relay messages between endpoints can’t decrypt the messages.
Zoom Chief Product Officer Oded Gal apologized for misinterpretation of the term. But for users, their privacy was invaded by cybercriminals due to the company’s minor fault.
Is Zoom A Malware?
Amidst the variety of privacy and security issues faced by Zoom, software security researcher Felix Seele discovered that Zoom’s macOS installer works using similar tricks that are being used by malware to get its software on Mac systems.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use pre-installation scripts, manually unpack the app using a bundled 7zip, and install it to /Applications if the current user is in the admin group (no root needed).
- Mr. Seele tweeted.
The Zoom team promptly responded over Twitter, with a promise to improve the situation. Within two days, they issued a new update that fixed the auto-installer.
Unprotected User Data
On 24th April 2020, the Consumer Reports published a report describing how the Zoom’s privacy policy rendered a user’s right to privacy absolutely useless. Besides claiming its right to collect data and share it with any third party, Zoom extended its information collection to customer content from cloud meetings, instant messages, files, whiteboards, and anything shared using Zoom.
Once this was revealed, the team behind reworked its privacy policy to remove those bits and state that Zoom does not sell user data.
Zoom Bombed!
“Zoom-bombing” is perhaps the most popular security issue faced by the Zoom users. This phenomenon is said to have happened when anyone easily hacks into meetings and displays inappropriate content. The perpetrators of these attacks were hard to identify, making it difficult for the meeting organizers to remove them. There may be several attackers in a single call, and they can jump from one alias to another.
When this commanded the attention of the FBI, the Zoom team rolled out two new features to fix it. These features enhanced the practice of using passwords for video meetings. The team also advised users not to share their meeting IDs in public, and keep them password protected.
500,000 Zoom Accounts Compromised
On 13th April 2020, BleepingComputer revealed that more than 500,000 Zoom account usernames and passwords were being sold on the dark web and other criminal forums. According to reports, the data were sold either for less than a penny per data or given free.
These accounts weren’t compromised due to data breach but through a brute-forcing sub-technique known as “credential stuffing”. Such attacks usually involve the usage of automated tools to brute-force activities with login details from already leaked credentials, assuming that they match with the existing accounts. These attackers rely on individuals who reuse their credentials over multiple services. Once the attackers confirm the credentials as valid, they will be collated and sold on criminal marketplaces.
Now, All Eyes On Zoom…
Zoom became a “business phenomenon” within a wink of an eye. On Facebook, Twitter, TikTok, and elsewhere, the Zoom app went viral – quite a feat for business software. However, with the recent, pressing security and privacy concerns, apologies and clarifications have become too common at Zoom. And here’s what happened further…
- The office of New York Attorney General Letitia James sent a letter to Zoom, outlining the privacy vulnerability concerns and enquiring about the steps taken by them to keep its users safe.
- A class-action lawsuit was filed against Zoom for violating California’s new data protection law.
- Upon significant privacy and security concerns, Elon Musk’s SpaceX prohibited employees from using Zoom.
- Democratic Representative Jerry McNerney and 18 others from the House Committee on Energy and Commerce wrote a letter to Zoom, expressing their concerns and questions regarding companies’ privacy practices.
- Tycko & Zavareei L.L.P. filed a class-action lawsuit against Zoom for sharing users’ information with third parties.
- The Electronic Privacy Information Center advised the Federal Trade Commission (FTC) to investigate Zoom’s privacy concerns.
- Taiwan banned the use of Zoom for official purposes.
- Google banned Zoom on company-owned employee devices, citing security vulnerabilities.
- Zoom shareholder Michael Drieu filed another lawsuit.
- German Ministry of Foreign Affairs warned employees not to use Zoom.
- The US Senate advised members to stop using Zoom.
Attempts To Cut Through The Chaos
With back-to-back complaints regarding privacy and security issues, Zoom CEO. Eric Yuan apologized to the public live stream and assured us to resolve the concerns very soon. As part of that new focus, the company instituted a 90-day freeze on planned features, allowing their tech-savvy staff to work solely on addressing the concerns. They hired Bruce Mehlman – the former assistant secretary of commerce for technology policy, as well as Luta Security – the company known for setting up bug bounty programs for Microsoft, Symantec, and Pentagon, for better assistance.
Following this, Alex Stamos – the former Chief Secretary Officer of Facebook and Yahoo, was also invited to join the team as their Security advisor.
All of that being said, Zoom is still not able to fix its bad reputation.
Takeaway: When customer trust is violated, it’s tough to win back.
Security Was All That Mattered
As we already mentioned, most companies are now offering their employees the option of working from home. However, this growing trend of remote working also leads to an ever-increasing trend in risks, and IT breaches due to people working on unsecured networks. So, we recommend you take a look at the “Best Practises For Working From Home” to understand the possible solutions.
Apart from this, strong cybersecurity measures are required to be taken by organizations to protect from cyber thefts, as the usual security measures may not be enough to beat the sophisticated techniques of cybercriminals during this changed scenario.
Cybernetic Global Intelligence (CGI), an Aussie cybersecurity company with years of experience in delivering excellent cybersecurity services, is here to help you set up required cybersecurity protection for your business. Need assistance? Give a ring to 1300 292 376.