Zoom has rolled out new security features and promised a cyber security and privacy makeover after withering reports of the platform’s failings. In the meantime, enterprises are left to wonder ‘to Zoom or not Zoom?’
In a matter of a few weeks the virtual meeting platform Zoom went from a digital meeting tool for remote workers to something like a digital lifeline for businesses, families, school districts and governments. The firm said earlier this month that its daily user population jumped 20-fold from 10 million to an average of 200 million users, as the COVID virus has shut hundreds of millions of people at home.
But increased use has focused attention on the platform’s security and privacy protections in ways that have not been flattering. A spate of reports and disclosures by security researchers have underscored a range of issues in the remote meeting platform: from loose default configurations that facilitate “Zoom bombing,” to lax use of encryption to exploitable flaws that could be used to steal Windows passwords.
Opinion: The Perils and Promise of the Data Decade
Those reports have attracted the attention of lawmakers on Capitol Hill, with one Senator publicly calling on Zoom to clean up its act.
In response to the deluge of complaints the company has received, Zoom has rolled out some new protections aimed at better safeguarding its users and prevent these unwanted intrusions.
Episode 179: CISO Eye on the Virus Guy – Assessing COVID’s Cyber Risks
In a letter to customers on April 1, Chief Executive Officer Eric Yuan said Zoom was making information security the number one focus of the company’s engineers. Yuan acknowledged that, like nearly all organizations, the company was not prepared for the impact of the Coronavirus pandemic.
In the case of Zoom, that has meant skyrocketing use of its platform as workers tried to stay connected for important meetings with coworkers, as everyone worked remotely. The company had previously seen a maximum of 10 million daily users of the platform as of the end of 2019. In March of this year, the number jumped to 200 daily meeting participants.
“We recognize that we have fallen short of the community’s – and our own – privacy and security expectations,” Yuan said. “For that, I am deeply sorry, and I want to share what we are doing about it.”
As of this April 5, Zoom has added several new security features, including passwords to access meetings and Waiting Rooms for each meeting by default.
“Going forward, your previously scheduled meetings (including those scheduled via your Personal Meeting ID) will have passwords enabled,” Yuan announced. “If your attendees are joining via a meeting link, there will be no change to their joining experience. For attendees who join meetings by manually entering a Meeting ID, they will need to enter a password to access the meeting.”
All scheduled meetings going forward will have the password noted in the invitation, instant meetings will display the password in the Zoom client, and passwords will also be presented in the meeting join URL.
A secondary security feature is the Waiting Room, which is turned on by default. The Waiting Room prevents anyone from joining the meeting before the host is ready. The host can then manage the participants in the Waiting Room, allowing each one individually to join the virtual meeting if appropriate.
The company has also enlisted to top-tier security talent in the person of Alex Stamos, former CISO of Yahoo! and Facebook. After weighing in on Zoom’s challenge via Twitter, Stamos said on April 8 that he was approached by Yuan to advise the company on its security makeover and would be working with Zoom as a consultant to help the company address its myriad security challenges.
Not waiting for Zoom to act
Not all organizations were willing to wait for Zoom to address its security woes. In recent days, organizations ranging from Google to the New York Public Schools have banned the use of the remote meeting platform, citing concerns about security and privacy risks.
Digital Defense, Inc., a security risk assessments firm in San Antonio, TX, banned the use of Zoom by all employees on April 2, just three days before the new security enhancements were made.
“Employees were instructed to avoid using Zoom for any video conferencing and to uninstall the resource from their systems,” explains Tom DeSot, executive vice president and chief information officer at Digital Defense.
Prior to the ban, DeSot says the firm “found that some employees had been using Zoom at the request of clients, vendors and partners. We put directives in place that communicated the importance of utilizing alternate approved platforms for external meetings. We use a variety of technologies to support our conferencing needs. Each has been evaluated for security and privacy.”
Security problems with the Zoom application grew rapidly in February and March, as legions of workers were requested to work from home, and later told to do so, and ‘Zoom bombing’ tales spread quickly. Digital Defense was paying attention, and acted quickly.
“We became aware early on of the Zoom security issues, and determined that action was necessary to ban the use of the toolset,” DeSot explains.
To Zoom or not to Zoom…
But is banning the use of Zoom by employees an extreme measure? Perhaps, says Ilia Kolochenko, founder and chief executive officer at web security company ImmuniWeb, based in Geneva, Switzerland.
“I think it will only spur rapid proliferation of shadow IT, when employees will be deploying un-trusted solutions to communicate with their customers and will eventually exacerbate the situation,” Kolochenko says. “Framing and policing usage of Zoom makes a lot of sense, while a ban will likely lead to undesirable consequences.”
Employees at ImmuniWeb have been using the Zoom application for some time.
“Zoom and other platforms were always popular for meetings and calls when it was more practical to meet online then in person,” Kolochenko says. “COVID-19 shifted all possible meetings and discussions into the digital realm, thereby soaring the usage of Zoom.”
While ‘Zoom bombings’ are grabbing a lot of media and social media attention, Kolochenko believes fears are somewhat overblown.
“The most widespread and palpable security concerns as of today are Zoom bombing and vandalism, which are pretty innocent in terms of inflicted damage,” Kolochenko notes.
“Many controversies now exist around Zoom’s security and privacy, though it is extremely far from dominating the plethora of emerging security risks,” Kolochenko says. “Few attackers will ever both to intercept Zoom communications, even fewer will extract any value from the alleged data sharing with Facebook. Instead, they will bet on the skyrocketing number of poorly configured VPNs and RDP technologies, abandoned servers and unprotected cloud storage, exposed databases and shadow IT resources that widely open the door to companies’ crown jewels.”
And the added scrutiny of Zoom doesn’t mean that competing platforms don’t also harbor serious security flaws, security experts note.
“It should be noted that no other video teleconference has gotten the same level of scrutiny as Zoom has,” wrote Dave Kennedy (@rel1k), the co-founder of the firm TrustedSec. “Historically taking a look back at vulnerabilities year over year, the other major players have had substantial exposures and people continue to use them,” Kennedy wrote.
Kennedy advises caution when using Zoom…though not more or less than when using any other remote meeting application.
“Zoom became a critical tool that many of us work with and just like almost any tool or program out there — it could always be used maliciously,” he wrote.
Pingback: Episode 182: Hackers take Medical Devices ‘off label’ to Save Lives | Raymond Tec