Over the past month, the teleconference software Zoom has seen explosive growth because of, you know, the thing. But that growth has also come with increased scrutiny and a slew of uncovered security screwups. Taken individually, many of the problems seem more sloppy than malicious or sneaky, but taken in aggregate, they make a billion-dollar publicly traded company seem like it’s held together with duct tape and string.
A Sketchy Installer
There was the problem with Zoom’s installer, which took over admin privileges to gain root access to a user’s computer. That access could be abused to surreptitiously install programs without the user’s knowledge and to access a user’s webcam and microphone. (Last summer, a security researcher found a Zoom feature that opened up vulnerabilities by turning any user’s computer into a local server. In an unprecedented move, Apple silently pushed out an operating-system update to disable it.)
There are questions about where Zoom is sending the data it collects from your computer. Zoom was found to be sending data to Facebook, even if you weren’t logged in to a Facebook account. Zoom also apologized this month for mistakenly routing traffic through China, where the internet is heavily monitored by the government. Most tech companies operating in China have strict separations between domestic and international online traffic.
That monitoring would be less of a concern if Zoom were encrypted end-to-end, as the company claimed in marketing materials. But it admitted to The Intercept that Zoom did not use E2EE for video calls. Zoom uses some encryption (known as transport encryption) but not the more secure end-to-end type. Some of the confusion stems from defining what an “end” is. Zoom seems to think that its servers, acting as middlemen between users, count as such.
There’s also the rash of “Zoombombing” that has gone on. People are guessing or finding Zoom meeting ID numbers online and entering uninvited to leave disruptive comments or share disruptive media using Zoom’s screen-share feature. Finding open meetings, which have IDs from nine to 11 digits, is relatively simple and has already been automated. Until a patch issued this week, the meeting ID would often be highly visible in screenshots.
Zoom says it has patched out many of the security flaws. The company has also turned on common-sense features, such as password-protecting meetings by default, to prevent Zoombombing. CEO Eric Yuan also published an apologetic blog post at the beginning of April, announcing a 90-day feature freeze, shifting all development resources toward bolstering security.
“[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Yuan wrote. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
Those fixes haven’t stopped clients from growing wary and looking for other options. The New York Department of Education has recommended that its schools find new teleconferencing software for conducting classes. Taiwan has banned the software from use in government over fears of Chinese spying. Google has also prohibited the software from its employees’ work-issued devices, stating that the app “does not meet our security standards.”
The question for you, a normal person with normal problems, is: “Should I care about any of this?” Personally, I think you should care about it, but I’m less sure you need to worry. The documented security flaws of Zoom would require a high level of targeting and precision to fully exploit. This isn’t the sort of lax security that could lead to catastrophic widespread data leakage; it’s the sort of lax security that leaves high-value individual targets vulnerable.
Amid the fallout from Zoom’s many security stumbles, Yuan contacted Facebook’s former head of information security Alex Stamos for advice. In a blog post announcing that he was consulting with Zoom, Stamos reiterated a core idea to keep in mind when thinking about security issues: “Coding flaws and cryptographic issues are important, but the vast majority of real technological harm to individuals comes from people using products in a technically correct but harmful manner.” Zoombombing, for instance, is not a result of hacking and subterfuge; it’s a result of sloppiness enabled by Zoom and by users through poor software design.
The question for you surrounding Zoom then becomes, “Am I really that important?” If you work for a government entity or a multinational corporation, or you handle sensitive information like medical or financial data, maybe take a look at some of Zoom’s competitors. Google and Microsoft would certainly not mind more enterprise customers. But if you’re using Zoom’s most recently updated software and you have basic privacy features enabled, such as password-protecting your meetings, you can probably rest easy.