Ever since the beginning of the Coronavirus outbreak, Zoom has become the most well-known and widely used video conferencing platform. Used by corporations, universities and schools, families and more, millions of people around the world have found themselves desperately in need of a platform to hold meetings, see loved ones and cope with social distancing. The video conferencing app, which previously boasted 10 million users during busy hours, quickly shot up to 300 million during peak daytime hours. But as Zoom’s popularity rapidly rose, so did concerns about the platform’s security.
With the newly widespread use, the platform soon faced countless types of attacks targeting its users. The most common, known as “Zoom-bombing”, is a new attack type in which people maliciously enter Zoom meetings and cause havoc – yelling slurs, drawing inappropriate pictures on a shared screen, and more. Furthermore, many exploits in the platform were uncovered. For example, Patrick Wardle, a former NSA hacker and security researcher, revealed two "zero-day exploits" in the platform last month. These vulnerabilities allowed attackers to abuse the Zoom installation on a user’s machine to gain access to their microphone and camera or, via a second attack method, to their entire device.
Security flaws discovered in April also showed that the Zoom application was leaking users’ email addresses and photos, as well as access to LinkedIn profile data, and that video call recordings were left unprotected and viewable on the internet. Later on, it was revealed that half a million compromised Zoom accounts were being sold on the dark web. In addition, despite promises in its marketing materials, Zoom had not implemented end-to-end encryption for the call data sent back to its servers.
Zoom has also faced public criticism in an additional field – user data and privacy. In March, it was uncovered that the Zoom iOS app sent user analytics data to Facebook, even for users who did not have a Facebook account. By this point you are probably wondering - how is Zoom coping with these pressing security issues?
In response to security and privacy concerns, Zoom has pivoted to make these issues their main focus. The company has launched a 90-day plan to substantially improve the platform’s security. Security features and patches that have been introduced, as well as plans for the Zoom 5.0 release at the end of May, include:
- The Zoom bug bounty program, a program aimed at finding and patching bugs in the platform, will be upgraded by Luta Security
- The company has added Alex Stamos, former Facebook and Yahoo CSO as a security advisor
- Zoom has acquired the secure messaging platform Keybase to utilize its deep encryption and security expertise
- A software update has been released that removes meeting IDs from the title bar, which were previously shown during meetings, to help prevent the leakage of these IDs via screenshots
- Zoom’s waiting room feature will now be enabled by default, and a report-a-user feature for Zoom-bombers will be added
- The platform will use AES 256-bit GCM encryption, making it stronger against hijacking
- Quickly after it was uncovered that their iOS app sends user data to Facebook, Zoom removed the feature responsible for Facebook data collection and released an apology statement. Since then, Eric Yuan, founder of Zoom Video Communications, has stated that Zoom will not sell user data.
So, as you can tell, this blog post is dealing with a tricky question. Zoom has faced heaps of criticism about its security problems, but it is also working very hard to combat them. Since they are by far the most popular platform right now, it makes sense that Zoom will continue to be the most-targeted program. If you’re considering changing your default video conferencing platform, we recommend reviewing the different options before you choose one that suits you. Kaspersky has released a great videoconferencing app security comparison. If you are set on using Zoom, we highly recommend you always use a password for your sessions. If you are an organization, you can also use your own custom subdomain.
Due to the impact of the novel Coronavirus (COVID-19), ThreatSTOP is offering 3 months of MyDNS free, or until the stay-at-home orders expire, whichever is longer. With the COVID-19 crisis comes an unprecedented transition to a work-from-home workforce, and a massive increase in cyber attacks. Because people need to work from home, we want to provide, for free, the cyber security protection they should have at work.
Unlike other solutions that send all your data or DNS queries to their cloud, creating privacy issues and potentially exposing critical company data to hacking and theft through man-in-the-middle attacks, our MyDNS puts a DNS Firewall-enabled DNS server onto your device. This keeps your traffic under your control and prevents DNS hijacking by enforcing DNSSEC.
Easy and quick to set up, no hardware, no contracts or obligations, and we're here to help.