Zoom Is Struggling With Security Flaws as Demand for Videoconferencing Spikes
Close-up of hand of a man holding a Samsung Galaxy S10 smartphone with app for teleworking and conference call company Zoom in Walnut Creek, California on March 11, 2020. Smith Collection/Gado/Getty Images
APRIL 3, 2020 5:44 AM EDT
During the coronavirus pandemic, it seems as if everyone is connecting with Zoom’s videoconferencing app—including, on occasion, unwanted visitors.
Online trolls have been sneaking into web meetings and disrupting them with profanities and pornography for at least the better part of the last month. Cybersecurity researchers fear these disruptions could be a precursor to more harmful attacks allowing hackers to commandeer connected machines to access secure files or other corporate software.
“Much of our current reality is unchartered territory, and this growing dependence on Zoom at home is just another one,” said Mark Ostrowski, regional head of engineering for Check Point Software Technologies Ltd. “As soon as a platform’s attack surface gets big enough, you can only expect that they’ll become more interesting to attackers. That’s what’s happened to Zoom.”
In a Wednesday blog post, Zoom said that it takes security concerns “extremely seriously” and is working to address them. In addition, a Zoom representative said in an email that the company is upset about reports of harassment on Zoom and has sought to educate users about protecting meetings.
Zoom also apologized, in another blog, for “the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” While the company strives to use encryption in as many scenarios as possible, “we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
But there’s good news. Users don’t have to follow Elon Musk, whose SpaceX has banned the use of Zoom Video Communications Inc. amid privacy concerns.
There are a few simple steps to host secure video meetings, according to security experts. For instance, ensure your meeting is password protected, and don’t share meeting IDs and passwords on social media, where criminal hackers may grab the credentials.
Experts also recommend that meeting or classroom organizers take attendance and kick out unwanted visitors. Here are a few more tips:
Zoom’s shares have more than doubled this year as investors bet that the teleconferencing company would be one of the rare winners from the coronavirus pandemic. The company has become wildly popular, reaching more than 200 million daily meeting participants in March, according to its blog. But it has also drawn increased scrutiny from cybersecurity and privacy experts.
The most recent incident came on Monday when Patrick Wardle, principal security researcher at Jamf, published a blog about two new flaws in Zoom. If a Mac is already infected with malware, the Mac OS desktop version of Zoom could enable attackers to gain high-level privileges and hijack the webcam and microphone, he said. Zoom said it subsequently released fixes for the issues.
Zoom appears to have been designed with security as an “afterthought,” Wardle said, adding that it was a common phenomenon among startups primarily focused on users and funding.
But Zoom’s meteoric popularity has drawn additional scrutiny.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Zoom said in the blog post. The influx of new users has presented the company with “challenges we did not anticipate when the platform was conceived,” and the company is “committed to learning from them and doing better in the future.”
On March 30, the FBI issued a warning about so-called “zoom-bombing,” urging users not to make classes or meetings public or share links to teleconferences on social media.
That same day, a Zoom user sued the company claiming its services were illegally disclosing personal information.
The company collects information when users install or open the Zoom application and shares it, without proper notice, with third parties including Facebook Inc., according to the federal lawsuit. Yet Zoom’s privacy policy doesn’t explain to users that its app contains code that discloses information to others, according to the complaint.
Zoom acknowledged that it shares data with Facebook in a blog post on March 27.
In addition, New York State Attorney General Letitia James wrote a recent letter to Zoom that included “a number of questions to ensure the company will take appropriate steps to ensure users’ privacy and security is protected,” according to a spokesperson for the attorney general’s office, who declined to share a copy of the letter.
Concerns over Zoom’s security practices aren’t new. Last year, a researcher named Jonathan Leitschuh discovered that the desktop version of Zoom for Macs quietly installed a web server — one that remained on systems even if the app was removed — that presented a new way for hackers to access webcams, he said. Apple Inc. released an update in July that plugged the security hole.
Holding Zoom’s “feet to the fire” around security and privacy amid the app’s new popularity will create incentives for the company to adapt, Leitschuh said in an interview.