CYBERSECURITY – How the Coronavirus Forced Zoom to Grow Up Fast
The coronavirus has catapulted Zoom into the living rooms of hundreds of millions of people. But extra scrutiny of the videoconferencing software has found its security and privacy to be lacking. Rob Scammell looks at where Zoom messed up, how it responded to criticism and what it is doing to fix things.
To put its growth into context, it had 10 million daily meeting participants in December 2019. In March, that figure soared to 200 million.
That kind of growth doesn’t go unnoticed. Its share price is up by more than 100% year-to-date against a backdrop of markets in freefall, as investors carve up companies into pandemic winners and losers.
But with great power comes great responsibility – and scrutiny. No sooner had Zoom ballooned to new heights, cracks started to appear in its security and privacy.
The US firm has faced backlash from security professionals and privacy advocates over everything from ‘Zoom-bombing’ to faux end-to-end encryption.
And Zoom’s rivals – Microsoft Teams, Google, Skype – have been circling like sharks, looking to make a dent in Zoom’s current market dominance.
In a whirlwind four months, Zoom has been forced to face up to its mistakes – but so far it appears to be listening to its critics.
What Zoom got wrong
Zoom-bombing became a problem because Zoom meeting URLs and personal meeting IDs are either shared online by participants or too short, which means it’s not difficult for trolls to guess the numbers at random. Combine that with screen sharing permitted for all participants, along with misconfigurations on the user end, and you have Zoom-bombing.
Then, on 31 March, a report by The Intercept revealed how Zoom’s marketing had been using its own, unconventional definition of end-to-end encryption – one that meant its encryption had “significant weaknesses”.
“This is not merely a semantic distinction, as the potential attacks and security vulnerabilities are radically different – and greater – in an architecture where communication does not remain encrypted for the full path between end points,” says Tim Callan, a senior fellow at Sectigo, a provider of digital identity solutions.
In other words, user data was unencrypted while on Zoom’s servers.
“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation-state attackers, including the People’s Republic of China,” the Citizen Lab report stated.
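The distinction Callan draws is easy to state and easy to misunderstand, so here is a toy model of it. This is an added illustration, not Zoom's code: a relay server holds a transport key for each client (standing in for the per-connection TLS session), so in a transport-only design it terminates the encryption and can read every message. Adding an end-to-end layer keyed by a secret the server never holds leaves the same relay with nothing but ciphertext. The cipher is a deliberately simple HMAC-SHA256 counter-mode stream cipher with an HMAC tag, chosen so the example runs on the standard library; the end-to-end key is assumed to have been agreed out of band, since the key exchange is not modelled.

```python
"""Toy model of "encrypted in transit" versus "end-to-end encrypted" relaying."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one secret.
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Concatenated HMAC-SHA256(nonce || counter) blocks: a PRF-based keystream (demo only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the blob was tampered with."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Relay:
    """The meeting server: one transport key per client, plus a log of
    everything it can see once that transport layer is stripped."""

    def __init__(self) -> None:
        self.transport_keys: Dict[str, bytes] = {}
        self.observed: List[bytes] = []

    def connect(self, client_id: str) -> bytes:
        # Stand-in for a TLS handshake: server and client now share a key.
        key = os.urandom(32)
        self.transport_keys[client_id] = key
        return key

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = unseal(self.transport_keys[sender], blob)  # server terminates transport crypto,
        self.observed.append(inner)                        # so whatever is inside is visible here
        return seal(self.transport_keys[recipient], inner)


def run_transport_only(message: bytes) -> Tuple[bytes, bytes]:
    """Returns (what Bob decrypts, what the server saw)."""
    relay = Relay()
    alice_key, bob_key = relay.connect("alice"), relay.connect("bob")
    delivered = relay.forward("alice", "bob", seal(alice_key, message))
    return unseal(bob_key, delivered), relay.observed[0]


def run_end_to_end(message: bytes, e2e_key: bytes) -> Tuple[bytes, bytes]:
    """Same relay, but Alice seals with a key the server never holds before the transport layer.
    Assumption: e2e_key was agreed out of band; the key exchange itself is not modelled."""
    relay = Relay()
    alice_key, bob_key = relay.connect("alice"), relay.connect("bob")
    delivered = relay.forward("alice", "bob", seal(alice_key, seal(e2e_key, message)))
    return unseal(e2e_key, unseal(bob_key, delivered)), relay.observed[0]


if __name__ == "__main__":
    msg = b"board meeting: Q2 numbers attached"  # constructed sample message
    shared = hashlib.sha256(b"constructed out-of-band secret").digest()  # constructed E2E key
    _, seen = run_transport_only(msg)
    print("transport-only: server saw plaintext?", seen == msg)
    _, seen = run_end_to_end(msg, shared)
    print("end-to-end:     server saw plaintext?", seen == msg)
```

In both runs Bob reads the message and the wire is encrypted at every hop; the only difference is what `relay.observed` contains, which is exactly the distinction between "encrypted in transit" and "end-to-end encrypted".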
To make matters worse, Zoom then came under fire for its privacy policy, which used deliberately vague language to give it some legal leeway when it comes to selling user data to advertisers.
“Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure,” wrote renowned cryptographer and privacy specialist Bruce Schneier. “Now that it’s in the spotlight, it’s all coming out.”
Zoom’s response
Arms of government, from the German Foreign Ministry to the United States Senate, banned its use. On 31 March the FBI sent a nationwide security alert warning the public and private sectors against leaving Zoom meetings open, in which it classes Zoom-bombing as a cybercrime.
Schools switched to alternative services; others abandoned video lessons altogether.
“Zoom’s reaction has been pretty encouraging,” says Carole Theriault, an independent cybersecurity expert and co-host of the Smashing Security podcast. “They seem to be owning the responsibility for the flaws, and they have announced a few measures to rectify the situation.”
It says something about wider business culture that an honest apology should be worthy of praise. But weighed against a long list of companies that have played the semantics game to avoid a clear apology – often using gaslighting language (“we’re sorry if customers feel let down”) – it is a refreshing change.
“We recognise that we have fallen short of the community’s – and our own – privacy and security expectations,” wrote Zoom CEO Eric Yuan in a blog post addressing privacy concerns. “For that, I am deeply sorry, and I want to share what we are doing about it.”
To Zoom’s credit, it set about fixing problems promptly. Two days after Motherboard revealed Zoom was sending data to Facebook, Zoom removed the code enabling the “unnecessary” data collection while keeping the ability for users to log in via Facebook.
On 29 March it updated its privacy policy to clearly state that it does not sell user data and “has no intention of selling users’ data going forward”.
“He asked detailed and thoughtful questions of my experiences working at companies facing extreme crises,” wrote Stamos, “and I was impressed by his clear vision for Zoom as a trusted platform and his willingness to take aggressive action to get there.”
Meanwhile, Moussouris’ company, Luta Security, will help beef up Zoom’s bug bounty programme.
Then, on 8 April, it announced a new “security” option that makes it easier for Zoom hosts to lock down a meeting and kick out unwanted participants, as well as preventing rogue screen sharing. The Waiting Room function is now on by default, as are password-protected meetings.
And after UK Prime Minister Boris Johnson unwittingly broadcast his cabinet’s Meeting ID, Zoom will no longer show the number on the tab’s toolbar.
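The changes described above, together with the causes of Zoom-bombing set out earlier, amount to a short hardening checklist for any meeting. As an added example (not Zoom's code, and using hypothetical setting names chosen for this illustration rather than Zoom's own configuration schema), here is a rule-based audit that flags a meeting configured the old way, scores the combined exposure, and produces the hardened equivalent.

```python
"""Audit meeting settings against the post-April-2020 hardening baseline."""
from typing import Dict, List, Tuple

Settings = Dict[str, object]

# Hardened baseline: the defaults the article says became standard
# (hypothetical key names, modelled on the article's description).
HARDENED: Settings = {
    "passcode_required": True,
    "waiting_room": True,
    "screen_share": "host_only",        # rather than "all_participants"
    "show_meeting_id_in_toolbar": False,
    "use_personal_meeting_id": False,   # a fixed, reusable ID stays valid after one leak
    "lock_after_start": True,
}

# (setting, safe value, severity, why it matters)
RULES: List[Tuple[str, object, str, str]] = [
    ("passcode_required", True, "high", "anyone who guesses or finds the ID can join"),
    ("waiting_room", True, "high", "the host cannot vet participants before they enter"),
    ("screen_share", "host_only", "high", "any participant can push content to everyone"),
    ("use_personal_meeting_id", False, "medium", "a persistent ID keeps working after it leaks"),
    ("show_meeting_id_in_toolbar", False, "low", "the ID appears in every screenshot or broadcast"),
    ("lock_after_start", True, "low", "latecomers cannot be kept out once everyone is present"),
]

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


def audit(settings: Settings) -> List[Dict[str, str]]:
    """Return one finding per rule the settings fail, plus a compound finding
    when no passcode and no waiting room leave nothing between a guessed ID and the room."""
    findings = [
        {"setting": key, "severity": severity, "why": why}
        for key, safe, severity, why in RULES
        if settings.get(key) != safe
    ]
    failed = {f["setting"] for f in findings}
    if {"passcode_required", "waiting_room"} <= failed:
        findings.append({
            "setting": "passcode_required+waiting_room",
            "severity": "critical",
            "why": "no barrier at all between a guessed or leaked ID and the meeting",
        })
    return findings


def risk_level(findings: List[Dict[str, str]]) -> str:
    """Worst severity present, or 'none' for a clean configuration."""
    worst = "none"
    for f in findings:
        if SEVERITY_ORDER.index(f["severity"]) > SEVERITY_ORDER.index(worst):
            worst = f["severity"]
    return worst


def harden(settings: Settings) -> Settings:
    """Copy of the settings with every audited key moved to the hardened baseline."""
    fixed = dict(settings)
    fixed.update(HARDENED)
    return fixed


if __name__ == "__main__":
    # Constructed example: a meeting set up the way the article says things used to be.
    legacy: Settings = {
        "passcode_required": False,
        "waiting_room": False,
        "screen_share": "all_participants",
        "show_meeting_id_in_toolbar": True,
        "use_personal_meeting_id": True,
        "lock_after_start": False,
    }
    for f in audit(legacy):
        print(f"[{f['severity']}] {f['setting']}: {f['why']}")
    print("legacy risk:", risk_level(audit(legacy)))
    print("hardened risk:", risk_level(audit(harden(legacy))))
```

The compound rule is the point: a short meeting ID on its own is a medium problem, but a guessable ID with neither a passcode nor a waiting room is what turns a guess into a Zoom-bombing.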
In response to Citizen Lab’s report, data is no longer relayed through servers in China, while paying Zoom customers can choose the exact regions their conversations pass through.
On 7 May Zoom announced the acquisition of secure messaging and file-sharing service Keybase, in a move to accelerate its plans to add end-to-end encryption to its platform.
All of these changes fall under Zoom’s 90-day plan, during which it is freezing all new feature updates to focus solely on security.
“Zoom’s retrospective changes were very much forced and possibly not even on their short-term radar,” says Jake Moore, a cybersecurity specialist at ESET, an internet security firm.
“However, it must be said that it’s refreshing to see a company listen to their users and take on board the suggestions and make security more of a focus.”
Room for improvement
Yet while most tech companies have years to roll out changes that improve security while maintaining ease of use, Zoom has had a matter of weeks for its volte-face.
In other words, Zoom’s simple user experience, combined with an unprecedented growth surge, created the perfect storm for security to fall well short of the mark.
“Zoom had a dilemma on its hands as soon as it became popular,” says Moore. “Its original unique selling point was the simple, easy-to-use, click-of-a-button functionality. This very quickly came under the spotlight, as it’s well known that convenience is usually at the other end of the spectrum to security.”
Zoom has done neither of these things. It has skipped past the usual stages of Silicon Valley grief – denial, legal threats, apology tours – and moved immediately to acceptance and remedy.
It remains to be seen whether the coronavirus will usher in a new era of mass remote working post-pandemic. And if remote working does increase when normality is resumed, Zoom’s position as the videoconferencing tool of choice is far from secure.
“Zoom now has to deliver on these promises,” says Theriault. “And fast. Otherwise, they will find themselves sidelined by another video service provider.”
But what is certain is that the pandemic has forced Zoom to grow up fast. There will likely be more growing pains to come.