How Secure is Zoom and Should I Be Using It?

There are a few businesses which have been proven to thrive in the conditions we find ourselves in today; and telecommunications companies are one of them. Whether it be Zoom, Webex, GoToMeeting or any other provider of teleconferencing software, the demand for such solutions and services have soared, as large swathes of the population now adjust to new working from home requirements.

So much so, that in March of 2020, Zoom reported a 535% rise in usage of their services – and unsurprisingly so, as everything from Government meetings, to training courses and even birthday parties are now seemingly going virtual.

Yet despite this, Zoom in particular with its affordable price-tag and easy-to-use interface, has attracted a bit of a reputation for not being the most secure nor privacy-friendly piece of software available.

So, what is it that worries security experts about Zoom, and should we continue to use it?

You may also be interested to read How to Secure Your Remote Access from the Changing Threat Landscape

Hidden Web Servers

While you might have only just become aware of Zoom, due to its increased fame as a result of the COVID-19 crisis, it has been around since 2011.

In that time, it has, like most software, discovered vulnerabilities in its solution which it has sought to address. However more curiously, in 2019 it was revealed that Zoom had covertly included a web-server into its solution, which could allow a user to be added to a Zoom call without their permission or explicit action in joining.

What this meant is that simply by browsing to a website, the user could be placed into a Zoom call with their camera activated. More worryingly, this undocumented web-server was not removed from the user’s device, when the user elected to uninstall Zoom’s software.

After taking considerable flack from members of the IT security industry, Zoom did release a patch to rectify the problem. However, the problem was concerning enough that Apple took matters into their own hands by releasing an operating system level patch to deal with the problem themselves.

Hacked Webcams and Microphones

While 2019 seems like a world away in a slow-motion lock down world, Zoom have had their fair share of security issues in 2020.

In the latter part of March 2020, two bugs were discovered which could be used to snoop on webcams and microphones; and which could be used to steal Windows passwords.

This led to Tech Crunch labelling the incident “Zoom Doom” and an associate computer science at Professor at Princeton University to say “Let’s make this simple, Zoom is malware.”

It is important to point out that Zoom have since released a patch to correct both issues. However, there is no information available which tells us how many people are running vulnerable versions of the Zoom software.

You may also like The Top 5 Cloud Security Challenges Haunting Every IT Manager

Privacy Concerns

Finally, in what was the most important matter of our time – Zoom has come under heavy criticism for its privacy policy.

In April 2020, New York’s Attorney General, Letitia James, sent a letter to Zoom asking it to outline the measures it had taken to address privacy concerns, considering the rise in the number of users using its software.

Referenced in this letter is an alleged incident whereby Zoom has been sending data from users of its iOS app to Facebook, for the purposes of advertising. Even when the user doesn’t have a Facebook account.

In response to this, Zoom has changed some of its policies and has said that it “has never sold data in the past and has no intention of selling users’ data going forwards.” Since then, a lawsuit has been filed in California against Zoom, accusing it of a failure to safeguard its users’ personal data.

You may also be interested to read Five Considerations for a COVID-19 Ready Remote Workforce

Should We Continue to Use Zoom?

It is important that when it comes to the use of one software solution over another, that we weigh up the risks and benefits which are applicable to our individual cases.

It is easy to cast a judgemental eye over Zoom for their past security flaws. But which software solution hasn’t had to release security patches or respond to publicly disclosed vulnerabilities? As IT Security Professionals, we are already aware of the need to regularly assess and patch to reduce our risk surface of exploit.

Zoom software is no exception.

When it comes to privacy, I ask a similar question. How many big tech companies are also in the hot seat? This doesn’t mean that we shouldn’t question and scrutinise, but I do think that any attempt at demonisation should be placed into context. Is the alternative any better?

That said, Zoom is a great piece of teleconferencing software which is very easy to use, whether you are adept at IT or not. It has proven to be very popular in very testing times; and there is no-doubt that some of its negative attention is due to its increased usage.

My recommendation is that anyone considering using Zoom software should be aware of the alleged and proven flaws; and assess those against how they intend to use the software. There is no such thing as eliminating risk – in the end, it comes down to likelihood and impact – the fundamentals of every choice we make as human beings.