UK Government Uses Zoom Despite MoD Security Concerns

The British government is using popular conferencing platform Zoom to conduct Cabinet meetings, despite reported Ministry of Defence (MoD) warnings about the security implications.

The government appears to be heeding its own COVID-19 advice in forcing ministers to adhere to social distancing and work from home rules. However, a photo circulated by Boris Johnson showed the Prime Minister using Zoom to host a Cabinet meeting.

The same US-produced platform, which reportedly has a large China-based engineering team, was banned by MoD officials over security concerns, with staff at the department told to stop using it until further notice.

A government spokesperson told Sky News that, according to guidance from the National Cyber Security Centre (NCSC), “there is no security reason for Zoom not to be used for conversations below a certain classification.”

However, others were not so sanguine. University of Bristol researcher Andrew Dwyer raised concerns about previous vulnerabilities uncovered in the platform and about the firm’s privacy policy.

“Should we be letting a company we know so little about be entering our highest office of state? Should we be divulging so [much] personal data to this company with lax policies?” he tweeted. “The rush to online means we need to pay more attention and not less.”

Last July, researchers revealed a zero-day bug in the Mac Zoom client which could have allowed hackers to spy on users via their webcams. It took several months for the firm to fix the bug, which was first reported to it in March.

“Ultimately, Zoom failed at quickly confirming that the reported vulnerability actually existed and they failed at having a fix to the issue delivered to customers in a timely manner,” argued researcher Jonathan Leitschuh. “An organization of this profile and with such a large user base should have been more proactive in protecting its users from attack.”

This was followed by a further security snafu in October, when researchers revealed an API-targeted enumeration attack affecting the platform.
