- Zoom has become extremely prominent during the COVID-19 pandemic: its stock has doubled, its iOS app is No. 1 in the App Store, and schools are relying upon it to hold classes for students stuck at home.
- That spotlight has turned harsh, as the company has been battered by privacy and security scandals — so-called “Zoombombing” has become prevalent, as bad actors crash meetings, classes, and other online classes, while concerns swirl about how Zoom gathers user data.
- Security experts and the company itself say the platform was not intended for this spike of global use in all kinds of areas. Rivals like Cisco are quick to slam Zoom, highlighting the steps that they take to protect user security and privacy.
- Experts say that while Zoom apparently has serious security issues as a product, they praise the steps the company has taken so far in addressing them, and the gravity with which the company is treating the claims. It’s already taken steps to prevent so-called Zoombombing.
- “During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other organizations across the world can stay connected and operational,” the company said in a statement. “We are proud of the role we are playing during this challenging time and committed to providing users with the tools they need.”
- Visit Business Insider’s homepage for more stories.
Chances are pretty good that at some point today you will stare into a screen at other people who are staring into screens. You will talk and listen and laugh and sneakily peer into each other’s homes. And that odd activity will be an important way in which you interact with the world in the age of COVID-19.
Videoconferencing is a central part of the hermit economy, and right now Zoom is its star – and its villain. And that is all of our faults, experts suggest.
Like Facebook more than a decade before, Zoom’s popularity blew past its privacy issues, which seem to pop up like late coworkers on a mandatory video call, and they just keep on coming.
Zoom is pulling the world together in this dark hour, while at the same time unleashing egregious security issues. And, as with Facebook, the onus is on you and your company and your group and your kid’s school to investigate its privacy and security settings and protect yourselves.
It’s as easy to blame Zoom as it was to blame Facebook, but the company made a valid point this week when its CEO wrote: “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”
Mark Ostrowski of Check Point, an Israeli security firm that identified Zoom vulnerabilities in January, gives the firm credit for speedily addressing issues. “We often look at these tools and complain about privacy and security, but they’re free. You almost have to assume some of these things. You have to take security and privacy under our own responsibility.”
Which is to say: Security experts say that Zoom has serious issues that need addressing, and rivals like Cisco and Microsoft are quick to point out the ways that their more-mature technology protects users.
But many of those same experts also give Zoom credit for the gravity and speed of the company’s response to those issues, and argue that users could be doing more to protect themselves, too. And even the most hard-boiled security experts note that if Zoom had not been focused on easy adoption without a lot of configuration, it might not have filled the immediate need for connection that neither it nor the world anticipated.
Zoom rides the zeitgeist
Zoom, a 2,000-person Silicon Valley company founded in 2011, has seen its stock nearly double this year while the Nasdaq market where it trades has tumbled more than 20%. Zoom calls were up 600% in March and the data they generated was up 1,200%, according to the cloud security firm Wandera. Zoom’s iOS app is No. 1 for business, and No. 1 overall in downloads rated by the service App Annie. CEO Eric Yuan won hearts and minds by giving schools use of the videoconferencing platform. There has literally been a lovefest around the company: Insider recently reported that a London sex club hosted a “virtual orgy” on the platform with “a lot of nakedness and lingerie on display and people challenging each other to do certain things.”
It hasn’t all been peace and love, though. This week the FBI warned the world about “Zoombombing,” in which intruders with swastika tattoos were dropping into school web conferences, and screaming profanities and teacher’s privacy information.
Research from the University of Toronto cited a UK Cabinet meeting being held on Zoom, complete with meeting ID number and ministers’ faces onscreen (not to mention virus-stricken Prime Minister Boris Johnson). This highly-classified use of the platform was even more questionable in light of the report’s other findings that much of Zoom’s development and some of its user data is run through China.
—Amichai Stein (@AmichaiStein1) March 31, 2020
The New York Times found that Zoom’s software automatically sent meeting participants’ names and email addresses to a company system it used to match them with their LinkedIn profiles.
And a class action case with citations from the events of this week was filed on behalf of users whose information was given to Facebook via yet another Zoom privacy opening.
And that’s not to mention the fact that the company has been lambasted for allegations that it made misleading marketing claims around the encryption of video calls on the service.
What Zoom says
It would be tempting to envy Zoom’s popularity, but it clearly has brought challenges.
“Our platform was built primarily for enterprise customers – large institutions with full IT support,” CEO Yuan wrote on the Zoom blog this week. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
The company noted it has deleted the tool exposed by The New York Times that accessed meeting participants’ LinkedIn data, and froze new features so engineering can focus on security issues.
On Friday evening, the company also announced new anti-Zoombombing measures coming on April 5th, including new default settings to enable both passwords and the “waiting room” feature that allows hosts to vet conference participants.
“During the COVID-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other organizations across the world can stay connected and operational,” the company said in a statement. “We are proud of the role we are playing during this challenging time and committed to providing users with the tools they need.”
What the competition says
Cisco, makers of WebEx, an older and arguably more secure platform, was not shy about weighing in on its popular rival. “We are different. Security is not an afterthought. It’s part of our culture,” says Abhay Kulkarni, Cisco’s general manager of WebEx Meetings. Cisco bought WebEx in 2007, but the company has been around since 1995 – a paleozoic era for web conferencing. (One of its early engineers was Zoom’s CEO, Eric Yuan.) Kulkarni says WebEx meetings require a password, can be locked, and are harder to share online.
Microsoft, makers of the web conferencing tools in its Teams coworking tools, says its video conferencing “is built with Microsoft security, identity and compliance technologies” including identity protection via multi-factor authentication; data-loss prevention, which prevents sensitive content from being accidentally shared; access controls; and the antivirus tools in its built-in Microsoft Threat Protection. Microsoft is also providing some free access to its coworking tools during the virus crisis.
Google declined to comment on the security of its Hangouts web conferencing app, but technical specs show its meetings are encrypted, that invitations cannot be shared except by a host organization, and that meeting codes are long, difficult to crack, and not available in advance of the meeting.
Wickr, a high-security, software-as-a-service alternative to Zoom with end-to-end encryption, says its web conferencing is different because all data is only available at the end points involved in the individual conversations – not via a central server that could get hacked. Founded in 2012, Wickr has around 50 employees and is a privately held company that doesn’t reveal financial records. Crunchbase reports it has raised $73 million in venture capital.
“Is Zoom bringing the world together, or unleashing security threats? Both,” says Joel Wallenstrom, CEO of Wickr. “I’m watching my kids’ high school getting onto Zoom fast. People are using this to weather the storm. I think Zoom is doing a great job, but it’s disingenuous to say they can serve large security needs.”
What cybersecurity researchers say
In January, the Israeli cybersecurity company Check Point showed how hackers could eavesdrop into Zoom calls by generating and guessing random numbers allocated to Zoom conference URLs. Zoom fixed the security breach and addressed other issues.
“We followed the proper process of disclosure in January,” says Ostrowski, its evangelist. “We went to them, Zoom fixed it, and then we released our research. Some of the people publishing right now about unfixed research flaws in Zoom are kind of piling on. I’m very impressed with how Zoom responded to this with an open dialogue and with the fixes they released very quickly.”
Zoom’s viral popularity brought a rush of hacking and scrutiny to a platform never intended to host Cabinet meetings, or even board meetings without IT oversight.
Patrick Wardle, a cybersecurity researcher who has presented findings at large security conferences such as BlackHat, DefCon, and RSA, recently published a blog post (“The ‘S’ in Zoom Stands For Security”) detailing several vulnerabilities he found in Zoom, including flaws that could give hackers the ability to taken control of the microphone and camera on a Mac – or the entire computer.
“For better or worse, businesses generally value features and usability vs. security and privacy,” Wardle says. “And Zoom both prioritized and shone in the former.”