Since the advent of Covid-19, remote conferencing tools have been a lifesaver for all those stuck at home, forced to work and socialize online. Zoom, in particular, has witnessed a massive influx of new users, which lead to increased scrutiny from information security researchers.
In the last few weeks, many of Zoom’s privacy and security issues have been pinpointed and publicized, including:
- The attendee attention tracker feature
- The incorrect claim that Zoom meetings/webinars were capable of using end-to-end encryption
- The iOS client sending user device information to Facebook (because of the Facebook SDK used)
- A UNC link issue that could result in attackers stealing users’ passwords and run malware
- Two vulnerabilities that could be used by attackers with local access take over a Zoom user’s Mac, as well as tapping into the device’s webcam and microphone. Exploitation of one of these is possible because Zoom uses a shady installation technique also used by some macOS malware. (In a similar vein, last year Zoom stopped installing a hidden web server on Macs that helped with frictionless installation of the tool)
- A feature that provided info on Zoom meeting participants (pulled from LinkedIn)
- Zoombombing (i.e., trolls crashing and disrupting Zoom meetings), additionally exacerbated by lax privacy and security choices made by users and vulnerabilities that allow for the creation of tools like zWarDial, which automates Zoom meeting discovery (The tool hasn’t been publicly released.)
Promised Zoom security and privacy improvements
Most importantly, Zoom Video Communications’s CEO Eric Yuan publicly pledged that, for the next 90 days the company will temporarily stop working on new features and shift all their engineering resources to focus on trust, safety, and privacy issues.
He apologized for the company failing short of the community’s privacy and security expectations, said that many of the issues were due to the fact that Zoom was built primarily for enterprise customers (large institutions with full IT support).
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived. These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform,” he noted on Thursday, and promised to “make Zoom better.”
Aside from fixing many of the discovered issues and providing resources for users to use Zoom effectively and safely, Yuan said that they will:
- Engage third-party experts and users to review new consumer use cases to discover possible security and privacy problems arising from them, as well as engage experts to perform a series of simultaneous white box penetration tests for the same reason/goal
- Prepare a transparency report and enhance their bug bounty program
- Consult with various CISOs to stay on top of security and privacy best practices
- Regularly share information about privacy and security improvements they’ve implemented.
Should you use Zoom?
Yuan’s announcement was welcomed by many infosec practitioners, who praised the company’s intention to finally put more effort into the security and privacy of the popular solution.
The issues unearthed the last couple of weeks may have stopped some users from using the app but, in general, it should be relatively safe for personal use – just avoid sharing extremely sensitive data, for a variety of reasons.
Zoom – has bugs like all other software.
Zoom – fixing bugs and being responsible.
Zoom – software I easily taught my dad to use for remote classes over email and WhatsApp.
Zoom – not rated for sensitive data: natsec, confidential sources, etc.
Zoom – use it, it’s fine.
— thaddeus e. grugq (@thegrugq) April 2, 2020