Zoom and Security: A Work in (Good) Progress

The video conferencing app shot to fame during the COVID-19 crisis, but now the dust has settled, Infosecurity assesses its security progress. Phil Muncaster reports...

If ever there was a company that appeared to be a victim of its own success, it is Zoom. Having leapt to fame during the sudden global COVID-19 lockdowns earlier this year, the extra scrutiny that followed very soon turned into wave after wave of negative headlines. Platform vulnerabilities, insecure default settings, privacy problems and some high-profile corporate bans on the use of the app dealt the brand some early body blows. Yet Zoom also seemed to bounce back remarkably well. 

With the agility of a startup and a refreshingly candid admission of its mistakes, the firm adjusted to its new-found fame and began an ambitious 90-day security plan, completed in early July. So the question is: can CISOs trust Zoom today?

A Magnet for Threats
True to its moniker, the video conferencing app experienced accelerated growth on a remarkable scale in the first few months of 2020. Its daily meeting participants soared from 10 million in December to roughly 200 million in March as populations across Europe, Asia and the US were sent home to work and study. Its relatively straightforward UI and ease-of-use, which means users don’t need to log-in or even have an account to attend a meeting, were a major draw. That’s not to mention the fact its free version allowed 40-minute calls for up to 100 attendees.

However, with great power comes great responsibility. In Zoom’s world, that means protecting the data and privacy of consumer and corporate users with simple yet powerful protection enabled by default. In this regard, there were numerous early problems. One of the main issues related to the Zoom Personal Meeting ID, a unique number given to every user. At the start of the year, if a user didn’t password-protect their meeting or use a one-off meeting ID and a third party got hold of this number, they could have accessed the meeting. This led to a spate of ‘Zoombombing’ incidents, when large-scale Zoom meetings advertised on social media were disrupted by uninvited guests streaming adult content or posting abusive comments. Although the problem was ultimately down to customers not using the platform securely, critics argued that default settings should have been designed to encourage secure behavior.

Another spate of bad headlines followed the discovery of several vulnerabilities in the platform. In early April, researchers published details of a new bug in the Zoom Windows client which could be exploited to steal user passwords, and two flaws in the macOS app which could be abused to remotely install malware or eavesdrop on users.

Privacy concerns then emerged after Zoom was forced to remove a Facebook data collection feature from its iOS app. Reports suggested it was sending user analytics data to Facebook, even for Zoom users who did not have a Facebook account. The firm was also criticized for misleading users into thinking that its video conferences were end-to-end encrypted. What encryption it did offer on the platform was also branded sub-standard. At the same time, high profile organizations including SpaceX, NASA, the Taiwanese government, the US Senate and New York school districts all banned use of the tool by employees.

Some incidents, however, could not be blamed on the company. The appearance of hundreds of thousands of Zoom credentials on the dark web is likely to have been the result of credential stuffing, while there’s also little the firm could have done about malware hidden inside legitimate-looking Zoom installers.

"The video conferencing app experienced accelerated growth on a remarkable scale in the first few months of 2020"

Bouncing Back
However, Zoom responded swiftly. To help combat ‘Zoombombing’ and other privacy/security threats, it changed default settings to automatically generate passwords for each new meeting, and switched off the use of personal meeting IDs. It fixed bugs discovered in its platform within days, and continues to respond quickly to the new ones.

CEO Eric Yuan then launched a 90-day security plan, promising a feature-freeze whilst security and privacy issues were worked out. The outcomes of this initiative were a comprehensive security review and ongoing white box pen tests, an enhanced bug bounty program, the launch of a CISO council and a transparency report. For the product, it means AES 256-bit encryption support, a new security icon providing instant access to important features, a ‘report a user’ function, customized data routing and more redesigned default settings. In fact, the firm tells Infosecurity it rolled out 100 features in the latest version of its product, Zoom 5.0.

Zoom also went on a hiring spree, announcing Salesforce senior vice-president of security operations, Jason Lee, as its new CISO in June, and a list of advisors and consultants, including former Facebook CSO, Alex Stamos, John Hopkins University cryptography expert Matthew Green, and representatives from Luta Security and NCC Group.

The firm has also been refreshingly quick to listen to these experts and the wider privacy and security community, as evidenced by its speedy decision to reverse course and offer end-to-end encryption (E2EE) for free as well as premium users. Webroot security analyst, Tyler Moffit, believes the feature could be key to its long-term success.

“To make this possible, ‘basic’ users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” he tells Infosecurity. “If this gets released for all users and if Zoom pulls this off successfully, then the video software will continually be favored by customers and shareholders.”

Zoom claims privacy and security are now firmly in its DNA, but that the 90-day plan was only a first step.

“On a global scale, Zoom follows all requisite guidelines of the countries it operates in and interfaces with local governing bodies on cybersecurity issues with speed and rapidity should a circumstance arise,” a spokesperson tells Infosecurity. “At the same time, on an individual level, it is important to note that Zoom’s system is designed in such a way that only minimal information is collected and – unless a meeting is recorded by the host – the video, time, audio and chat content is not stored, with the aim of protecting personal data.”

"On a global scale, Zoom follows all requisite guidelines of the countries it operates in"

The China Challenge
However, its relationship with China remains a concern for enterprise users. The firm admitted in June that it suspended three user accounts based in Hong Kong and the US at the behest of Beijing. These meetings were set up simply to discuss the June 4 anniversary of the Tiananmen Square massacre. Although Zoom claims new geo-based capabilities mean no similar issue will occur in the future, analysts believe it could be a turn-off for some, and that Zoom’s large R&D presence in China exposes it to continued influence of this kind.

“The biggest issue Zoom has to overcome now is the perception of China’s influence on the platform, especially in regard to its missteps with disabling users in other countries at the request of China’s government,” Forrester principal analyst, Jeff Pollard, explains. 

He believes that, although some rival platforms may have been no better on security, Zoom “took a very public beating” because of its early success. 

“That’s one of the challenges when a company fails to secure what it sells, especially in the B2B arena. That reputation will linger, and Zoom will have to overcome it for quite a while,” says Pollard.

"Zoom’s large R&D presence in China exposes it to continued influence of this kind"

Managing Risk
In the meantime, Zoom continues to try and build on its early success. The latest offering is Zoom for Home, a push into the home office with corporate-level collaboration and conferencing features.

For Webroot’s Moffit, the onus is on corporate security teams to ensure their remote workers know how to use the platform, or indeed any video conferencing tool, securely.

“It’s crucial to make sure that their Zoom software is up-to-date as there have been exploits in previous versions that can result in malware through the chat system,” he says. “CISOs also need to make sure that robust security software is implemented on all devices for best practice and that employees download Zoom only from the official website.”

Much will depend on each organization’s risk appetite, but securing the distributed workforce goes far beyond this single home working tool, according to Forrester’s Pollard.

“Educating users as to the risks, enabling security through default configuration settings so that users don’t have to, creating a culture that understands and cares about security, and performing their own due diligence with strong third-party risk practices so they understand what could happen, are straightforward and powerful choices CISOs can make,” he concludes. 

“What security leaders can’t do is what they’ve done in the past, which is say no. Obviously that won’t work.”

What’s Hot on Infosecurity Magazine?