What's happened?

Well, Coronavirus 2019 (COVID-19) happened.

Okay, smart alec. I know about that. What else is going on?

Well, because so many people are (wisely) staying at home, they're using videoconferencing and chat technology like Zoom to keep in touch with friends, family and colleagues. In fact, Zoom says that daily usage has soared from approximately 10 million daily meeting participants in December 2019 to over 200 million today.

Zoom must be pleased.

I'm sure they are. Dealing with that kind of new-user problem is the kind of problem you want to have, right? But the massive increase in the service's usage has also meant an increase in the number of security researchers taking a closer interest in Zoom.

And they've found problems?

Yes. And it's not as if Zoom has a spotless record when it comes to privacy and security. For instance, back in January, Zoom patched a bug that could have allowed an attacker to find and join active meetings. And last July, Zoom fixed a security hole that could have allowed hackers to hijack Mac users' webcams without their permission just by tricking them into visiting a malicious website.

Zoom didn't do itself any favors by initially attempting to explain away that bug as a "legitimate solution to a poor user experience problem, enabling our users to have faster, one-click-to-join meetings" and making veiled criticisms of the researcher who uncovered it. And then it was revealed that Zoom was using underhanded tricks to bypass macOS's built-in security and reinstall itself without permission on computers even after users had uninstalled the software. Apple wasn't impressed by this practice, so much so that it issued a silent update to remove Zoom's sneaky code from all Macs.

So, they've made mistakes in the past. What concerns are folks having about Zoom now?

Where shall we start....
Security researcher Patrick Wardle blogs that he found some disturbing flaws in Zoom's Mac app that could allow a locally-run malicious script to grant a hacker total control over a computer without needing to know the admin password. Wardle also found a way for an attacker to take over Zoom's webcam and microphone privileges, turning Macs into spying devices. Zoom says it has since issued an update to address the security vulnerabilities discovered by Wardle.

Meanwhile, The Intercept claims that Zoom has misled users into believing it uses end-to-end encryption, something for which Zoom has since apologized and clarified its position. And, as Ars Technica reports, the Zoom app for Windows was found to be exploitable by hackers looking to steal operating system credentials.

This sounds bad. What is Zoom doing about all the bad press?

Amid rising concerns, Zoom founder and CEO Eric S. Yuan has posted a public message on the company's blog. Refreshingly, Yuan acknowledges that his company has not performed flawlessly:
For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the video-conferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security. However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.
In the blog post, Yuan listed the changes that have been made to Zoom in recent days to address some of the security and privacy concerns. But more than that, Yuan says that Zoom is immediately freezing all work on new features to shift "all our engineering resources to focus on our biggest trust, safety, and privacy issues" and to conduct a comprehensive review with third parties to ensure the product's security.

Sounds like they've got the message.

Let's hope so. Having suddenly found itself with a gigantic increase in usage, Zoom was facing a crisis. It risked losing a large amount of the goodwill it had received because of revelations about its less-than-perfect attitude towards security and privacy.

Of course, we're living in extraordinary times, and Zoom is a very good way for workers, friends and families to keep in contact while we're staying safe at home. And if you have to balance the positives of staying in touch with the potential risks that the Zoom program might introduce, then I completely understand why most of us would consider it a chance worth taking.

But there's no reason why Zoom can't keep offering a good way to keep in touch *and* address security and privacy concerns. It appears that Zoom has already addressed some alarming vulnerabilities and is now recognizing publicly that it needs to focus more on fixing problems than adding bells and whistles. That's good news for all of us. Let's hope that the company's culture will change from its previous "fast and loose" attitude when it comes to such concerns.

What can I, as a Zoom user, do to better protect myself?

If you're going to continue to use Zoom, you would be wise to apply security updates as they become available to ensure that you are running the latest version of the software. Always be careful of unsolicited links sent to you out of the blue, as these may masquerade as invitations to join Zoom meetings or links to install security updates for Zoom.
In addition, acquaint yourself with Zoom's security features to lock down meetings as well as ensure that no-one can share their screens without permission and that unauthorised parties are locked out.
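As an added illustration of the "be careful of unsolicited links" advice above (this is example code written for this edit, not code from the original article or from Zoom), here is a small Python triage script that checks whether each link in a message actually points at Zoom's own domain, zoom.us, or merely resembles it. The sample message is constructed, the "/j/<meeting id>" path shape and the lookalike hosts are assumed for illustration, and the classification rules are this example's own heuristics rather than anything Zoom publishes.

```python
import re
from urllib.parse import urlsplit

# Zoom meeting and download links live on zoom.us and its subdomains
# (e.g. us02web.zoom.us). Anything else that merely contains "zoom" is treated
# as suspicious. This allowlist is the whole basis of the check.
ZOOM_APEX = "zoom.us"

# Constructed sample message: one genuine-looking invite, one fake "security
# update" on a lookalike host, one lookalike domain with a meeting-style path.
SAMPLE_MESSAGE = """Hi team, today's call: https://us02web.zoom.us/j/1234567890?pwd=abc123
Also please install the urgent Zoom security update: https://zoom.us.example-cdn.net/update.exe
Backup link: https://zoom-us.com/j/1234567890."""

URL_RE = re.compile(r'https?://[^\s<>"]+')


def is_zoom_host(host):
    """True only for zoom.us itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ZOOM_APEX or host.endswith("." + ZOOM_APEX)


def classify_link(url):
    """Return 'zoom', 'suspicious' or 'other' for a single URL.

    'suspicious' covers hosts that look like Zoom but are not (zoom.us.evil.example,
    zoom-us.com, user@host tricks, non-ASCII homoglyph hosts) and non-web schemes
    that mention Zoom.
    """
    text = url.strip()
    try:
        parts = urlsplit(text)
    except ValueError:
        return "suspicious"  # unparseable links deserve a closer look, not a click
    # .hostname drops any "user@" prefix, so "https://zoom.us@evil.example/" is
    # correctly seen as evil.example rather than zoom.us.
    host = parts.hostname or ""
    if parts.scheme in ("http", "https") and host.isascii() and is_zoom_host(host):
        return "zoom"
    if "zoom" in text.lower() or not host.isascii():
        return "suspicious"
    return "other"


def triage_message(text):
    """Extract every http(s) link from a message and classify it."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing punctuation from prose
        results.append((url, classify_link(url)))
    return results


if __name__ == "__main__":
    for url, verdict in triage_message(SAMPLE_MESSAGE):
        print(f"{verdict:10s} {url}")
```

The important design choice is that the check is an allowlist on the parsed hostname, not a search for the word "zoom" anywhere in the link: a lookalike such as zoom.us.example-cdn.net or a credential-style prefix like zoom.us@evil.example both fail the hostname test even though they read as Zoom at a glance. The same pattern (parse, take the hostname, compare against a short allowlist of domains you trust) applies to any service whose invitations get imitated in phishing mail.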
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.