As recently as a few weeks ago, it wasn’t hard to find someone who had never heard of Zoom Video Communications (ZM), the web conferencing focused company founded in 2011 by former Cisco Webex engineer Eric Yuan.
Although Zoom has been building a loyal user base for years, and went public on the NASDAQ about a year ago with its initial public offering (IPO), it only became truly ubiquitous with the advent of the novel coronavirus pandemic.
Suddenly, everyone was on Zoom. In one day alone last month, it was downloaded 343,000 times. It’s been used for classes, group meetings, doctor’s appointments, birthday parties, virtual family reunions, and every other kind of gathering you can think of in addition to workplace meetings and presentations. The company’s explosive growth has put it in the spotlight.
Over the past few weeks, journalists and security researchers have been subjecting the company and its service to increasing scrutiny. They have collectively demonstrated that Zoom is a privacy and security nightmare.
It turns out that Zoom’s encryption is fake, the company’s longstanding meeting defaults jeopardize user privacy, and the code in their apps has vulnerabilities.
And if that weren’t bad enough, Zoom has been sending users’ data to social media companies for no defensible reason. Surveillance capitalism at its finest.
Let’s round up the many problems that security researchers and journalists have documented with Zoom, shall we?
Zoom’s encryption is fake
Zoom claims to offer end-to-end encryption, but it turns out that it doesn’t.
Unfortunately for those hoping for privacy, the implementation of call security in Zoom may not match its exceptional usability. We determined that the Zoom app uses non-industry-standard cryptographic techniques with identifiable weaknesses. In addition, during multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China.
An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China.
Bill and John’s thoroughly researched and impeccably documented report proves that Zoom does not actually implement end-to-end encryption. It is thus wholly unsuitable for any group that desires to avoid being spied on. Eavesdropping on Zoom meetings is probably trivial for intelligence outfits like the United States’ National Security Agency given Zoom’s lack of real encryption.
Zoom doesn’t properly protect users’ contact information
Motherboard found out that Zoom isn’t safeguarding the contact information of people who sign up with non-work email addresses. Joseph Cox explains:
Popular video-conferencing Zoom is leaking personal information of at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom.
The issue lies in Zoom’s “Company Directory” setting, which automatically adds other people to a user’s lists of contacts if they signed up with an email address that shares the same domain. This can make it easier to find a specific colleague to call when the domain belongs to an individual company.
But multiple Zoom users say they signed up with personal email addresses, and Zoom pooled them together with thousands of other people as if they all worked for the same company, exposing their personal information to one another.
This is an example of bad defaults and settings. Zoom was originally built for enterprise and corporate videoconferencing, and in those contexts, sharing by default isn’t a bad thing. But the company has known for some time now that its platform was being used for much more than enterprise collaboration, and it didn’t tighten up its settings to protect users’ privacy.
Zoom has been covertly sharing its users’ data externally
Motherboard also found out that Zoom’s iOS app was sending troves of user data to Facebook without its users’ knowledge or consent. Here’s Joseph Cox again:
As people work and socialize from home, video conferencing software Zoom has exploded in popularity.
This sort of data transfer is not uncommon, especially for Facebook; plenty of apps use Facebook’s software development kits (SDK) as a means to implement features into their apps more easily, which also has the effect of sending information to Facebook. But Zoom users may not be aware it is happening, nor understand that when they use one product, they may be providing data to another service altogether.
After the above article was published, Zoom removed the code from its iOS app that was feeding data to surveillance capitalism conglomerate Facebook.
And, within hours, The New York Times had published an article detailing how a Zoom integration with Microsoft-owned LinkedIn (which matches Zoom user accounts to LinkedIn profiles) could be unethically used for data mining purposes, unbeknownst to people participating in meetings.
For Americans sheltering at home during the coronavirus pandemic, the Zoom videoconferencing platform has become a lifeline, enabling millions of people to easily keep in touch with family members, friends, students, teachers and work colleagues.
But what many people may not know is that, until Thursday, a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users — without Zoom asking for their permission during the meeting or even notifying them that someone else was snooping on them.
The undisclosed data mining adds to growing concerns about Zoom’s business practices at a moment when public schools, health providers, employers, fitness trainers, prime ministers and queer dance parties are embracing the platform.
An analysis by The New York Times found that when people signed in to a meeting, Zoom’s software automatically sent their names and email addresses to a company system it used to match them with their LinkedIn profiles.
Again Zoom was forced to respond. The company promptly disabled the integration with LinkedIn Sales Navigator and offered an apology.
Zoom’s apps make your computer less safe
Last year, a security researcher discovered a big vulnerability in Zoom’s macOS app that left Zoom users shocked (and justifiably so). Here’s Jonathan Leitschuh:
A vulnerability in the Mac Zoom Client allows any malicious website to enable your camera without your permission. The flaw potentially exposes up to 750,000 companies around the world that use Zoom to conduct day-to-day business.
This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.
On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.
Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.
The vulnerability was so egregious that Apple actually pushed out a silent software update to remove the web server that Zoom’s app had been quietly installing on people’s Macs without their knowledge.
Leitschuh turned down a bug bounty from Zoom Video Communications in order to avoid signing a nondisclosure agreement (NDA) that would have prevented him from telling the world about what Zoom had done.
More recently, another security researcher — Felix Seele of VMRay — documented how Zoom’s installer mimics malware in order to reduce the amount of user intervention required to install it. His blog post attracted the attention of Zoom’s founder and CEO Eric Yuan, who conceded that well, gosh, maybe Zoom’s app shouldn’t behave that way. It also caught the attention of many journalists.
What about Windows users?
Zoom put them at risk, too.
According to cybersecurity expert @_g0dmode, the Zoom video conferencing software for Windows is vulnerable to a classic ‘UNC path injection’ vulnerability that could allow remote attackers to steal victims’ Windows login credentials and even execute arbitrary commands on their systems.
Such attacks are possible because Zoom for Windows supports remote UNC paths that convert potentially insecure URIs into hyperlinks when received via chat messages to a recipient in a personal or group chat.
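The linkification behaviour the quoted passage describes, as an added illustration that is not Zoom's code: a token-by-token chat renderer in its weak form (every scheme and every UNC path becomes a clickable link) beside a hardened form that only links http(s), plus a detection helper. It also treats file:// URLs with a remote host like UNC paths, since clicking either makes Windows open an SMB session; that generalisation and the sample message are assumptions of this example.

```python
import html
import re

SAFE_SCHEMES = ("http", "https")  # the only schemes a chat client should make clickable
# A whole token of the form \\host\share\path (share and path optional).
UNC_RE = re.compile(r"\\\\[^\\/\s]+(?:\\\S*)?")
# scheme://host/rest; group 1 = scheme, group 2 = host (empty for file:///C:/...).
URL_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*)://([^/\s]*)\S*")

def _anchor(target):
    """Render a clickable link; the href is what the OS will be asked to open."""
    escaped = html.escape(target, quote=True)
    return '<a href="%s">%s</a>' % (escaped, escaped)

def _render(message, allow_unc, allowed_schemes):
    """Linkify a message token by token; whatever is not linked is escaped text."""
    out = []
    for tok in re.split(r"(\s+)", message):
        m = URL_RE.fullmatch(tok)
        if not tok or tok.isspace():
            out.append(tok)
        elif m and (allowed_schemes is None or m.group(1).lower() in allowed_schemes):
            out.append(_anchor(tok))
        elif allow_unc and UNC_RE.fullmatch(tok):
            out.append(_anchor(tok))
        else:
            out.append(html.escape(tok))
    return "".join(out)

def linkify_vulnerable(message):
    r"""Behaviour described above: any scheme and any UNC path becomes a link, so a
    click on \\host\share makes Windows open an SMB session to 'host'."""
    return _render(message, allow_unc=True, allowed_schemes=None)

def linkify_hardened(message):
    """Only http(s) is linked; UNC paths and file:// URLs stay as plain text."""
    return _render(message, allow_unc=False, allowed_schemes=SAFE_SCHEMES)

def find_unc_paths(message):
    """Detection: tokens that would reach an SMB host if clicked, i.e. UNC paths and
    file:// URLs with a non-empty host (a local file:///C:/... is not reported)."""
    hits = []
    for tok in message.split():
        m = URL_RE.fullmatch(tok)
        if UNC_RE.fullmatch(tok) or (m and m.group(1).lower() == "file" and m.group(2)):
            hits.append(tok)
    return hits

# Constructed sample chat message (not a real Zoom transcript).
SAMPLE = (r"Agenda: \\fileserver\share\agenda.docx see https://example.com/notes?a=1&b=2 "
          r"and file://nas/docs/x.pdf or local C:\local\path.txt")
```

Running `find_unc_paths` over incoming chat text is the logging side of the same fix: the hardened renderer never creates the risky link, and the detector tells you when someone tried to send one.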
Zoom’s defaults make “Zoombombing” disturbingly easy
Zoom was originally conceived as a workplace collaboration tool, not as a universal electronic meeting venue for families, community groups, advocacy organizations, or healthcare providers. The company has historically prioritized ease-of-use above all else. That has left Zoom users — particularly those new to the platform — in a very vulnerable position.
As you may have already heard or read, Zoom’s meeting defaults make it pretty easy to barge into a meeting and begin causing mayhem.
And, of course, meetings that are publicly advertised are trivial to disrupt.
A common “Zoombombing” technique involves entering a meeting and using the screen-sharing functionality (which can be restricted to hosts, but often isn’t) to share pornographic, sexually explicit images and videos.
Experienced “Zoombombers” know how to reenter meetings after being kicked off so that they can continue to cause mayhem — at least, until the host decides to end the meeting after having lost control of it.
Tools have also been developed to allow people up to no good to find meetings to crash without much effort. Brian Krebs wrote about one such tool.
“Zoombombing” is not good clean fun, as some juvenile Internet trolls appear to believe. Law enforcement officials have begun to speak out and warn that those who disrupt Zoom meetings could face criminal prosecution.
Given that Zoom is neither private nor secure, people engaging in “Zoombombing” could easily find themselves on the wrong end of the law.
“Zoombombing” is largely preventable, but not with Zoom’s old default settings.
Zoom’s response to all of this
To address reports of “Zoombombing”, the company initially published a guide for its users so they could learn how to change their account and meeting settings to protect themselves, their family, friends, students, and colleagues.
When that proved to be insufficient, Zoom began inverting some of its defaults so that hosts wouldn’t have to make those changes themselves.
“On April 4th, 2020, Zoom will enable the Waiting Room feature and require additional password settings for all Basic users on free accounts and accounts with a single licensed user, including K‑12 education accounts who have the forty-minute limit temporarily waived. The new password requirements apply to both meetings and webinars,” the company announced last week.
It is not lost on Zoom’s executives that goodwill is a valuable, intangible asset, and they’re losing it fast. Many companies and public agencies have already banned Zoom’s use, including the United Kingdom’s Ministry of Defence, SpaceX, NASA, New York City Department of Education, and Clark County Schools.
Zoom CEO Eric Yuan is pledging to do better. In an April 2nd blog post, he detailed how the company has scrambled to respond to all the privacy and security issues that researchers and journalists have exposed in its platform.
He also promised that Zoom would become more secure and private.
Over the next ninety days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.
- Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
- Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
- Preparing a transparency report that details information related to requests for data, records, or content.
- Enhancing our current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
- Starting next week, I will host a weekly webinar on Wednesdays at 10 AM Pacific Time to provide privacy and security updates to our community.
This seems like a good start.
But Zoom can and should do more.
Our friends at Fight For The Future have begun a campaign calling on Zoom to implement true end-to-end encryption so that its users can enjoy the privacy that Zoom has been falsely claiming to offer all this time. Said Evan Greer:
We don’t need Zoom’s apologies. We need them to actually implement the type of security measures needed to keep people safe. They’ve said that they are pivoting to focus on user privacy and security, and I want to believe them. It’s time for them to take their previously misleading claims and make them true.
Zoom implementing end-to-end encryption by default is perhaps the single biggest thing that any company could do right now to protect people’s online safety during the COVID-19 crisis.
I hope the engineers who work there realize the power that they have and the importance of the decisions they make over the next several weeks. Strong encryption saves lives.
It’s needed now more than ever. Zoom has a chance to lead the way. I hope, for the sake of the children using this for school, the therapists using this to treat patients, the health officials using this to share confidential information, that they do the right thing.
We agree. Zoom is widely used (including by our staff and board at NPI) in large part because it “just works”. Unlike competitors, Zoom offers apps for users on GNU/Linux desktops and laptops running Ubuntu or other distributions. Even its BlackBerry 10 app still works, allowing people who refuse to give up their BlackBerrys (like me) to use Zoom without having to switch to another device.
Zoom’s video quality, app interface, and advanced screen sharing and audience interaction capabilities are also part of the service’s appeal.
But Zoom’s privacy and security track record is more than unsettling. It’s alarming. The company has dug itself into a deep hole by making a lot of bad product design decisions and making deceptive marketing claims.
It now needs to pivot towards being a privacy and security oriented service. The company already has millions of people and firms signed up as paying subscribers to its pro plans, so it has a means of generating revenue that doesn’t depend on surveillance capitalism (where the users are the product).
It appears that Zoom is heading down the right path. That’s encouraging. But actions speak louder than words. The proof will be in the pudding. Zoom needs to deliver for its users, and soon. It needs to go beyond the steps announced by its CEO. More meeting defaults and sharing settings need to be changed, particularly for accounts on Zoom’s free tier, which are less likely to be enterprise users.
And most importantly of all, Zoom needs to deliver real end-to-end encryption for its users. That might require some hard work on Zoom’s part.
But it will be worth it. The company must enlist the help of leading security researchers and technologists to get the job done. If it can do that, then it will be able to win back a lot of the trust that it has jeopardized or squandered.