Due to the unprecedented spread of the novel coronavirus across the globe, many organisations were forced to adopt remote working and virtual conferencing solutions to stop their activities from grinding to a complete halt. The most widely known of these tools, due to its most recent media coverage, is Zoom.
At the time of publishing this article, Zoom has gone on to address many of its security issues in its latest update (5.0). Regardless, Zoom, its recent meteoric rise, and its security issues raise an important lesson. Companies must always take time to do proper due diligence on allowing staff to download and use unvetted software. Popularity and ease of use be damned. Hacking has become too big of an issue in the last five years for businesses of any size to be lax with software choice.
You are not likely to be a cybersecurity expert or have one readily available, but hopefully, this evaluation of Zoom’s security practices will inspire you to look at your software selection process and view it more critically.
Zoom has witnessed an unexpected growth in its number of users, due to being adopted by almost everyone as the go-to option to hold business meetings and (potentially sensitive) conversations. This is in part due to its price tag (free) and some features that make it fun and easy to use. With this massive surge in popularity, and especially within the enterprise space, a light has also been shed on Zoom’s security and privacy practices.
You might be wondering whether the usage of Zoom is secure and up to par concerning your organisational privacy requirements. The answer to this question is not simple and requires us to evaluate Zoom against several potentially indicative events subjectively.
Zoom's Triage and Escalation Process
For those not so well versed in cybersecurity terms, triage and escalation is the process that happens when a bug is found, evaluated, and a decision is made on how to approach resolving it.
Back in July 2019, a security researcher disclosed in his blog post a vulnerability in Zoom, which potentially allowed webcams to be turned on without Mac users being aware. Furthermore, the vulnerability continued to affect Mac users even if the Zoom software was uninstalled. This is quite concerning, especially if your remote workspace is in your bedroom and you are the type to not to turn your computer off every evening.
Looking at the timeline of remediation, we can see that the overall reaction was not swift enough; potentially leaving all Mac users vulnerable for about 90 days after acknowledging the vulnerability. After the public disclosure from the security researcher, Zoom issued an announcement about the misunderstanding from their side about the 90-day disclosure deadline, and that they are learning from this experience and working on improving their bug bounty program and the escalation process. Furthermore, they outlined the actions taken to tackle the security issue.
We think that Zoom’s escalation process still needs to mature a lot; judging by how they handled their first potentially critical vulnerability less than a year ago. When evaluating products for your organisation, be sure to thoroughly search for or ask a representative for information regarding triage and escalation process. In the simplest terms, this is the time between being notified of a vulnerability and fixing it.
There is a myriad of tools that software development teams have been using to facilitate collaboration. For example, Git-based solutions have revolutionized version control for source code and compartmentalized development, JIRA and Trello have streamlined project management in Agile methods, and CI/CD platforms have increases releases from once a sprint occurrence to nearly daily routines.
While tools are coming into the foreground to help specialised teams continue working, despite being geographically dispersed, one important part of software development is lagging in innovation, quality assurance.
Misleading Claims of End-to-End (E2E) Encryption
We do not believe that this inconsistency is due to a marketing mistake. The feature was detailed in their whitepaper and relevant UI elements were implemented for it, such as the green padlock that clearly mentioned, “Zoom is using an end to end encrypted connection” when hovered over.
Another interesting fact is the lack of transparency reports from Zoom. With the confirmed technical ability to spy on video meetings, we can never be sure if and when Zoom is required by legal requests from law enforcement agencies to provide recordings of private meetings. These are serious factors to consider when deciding whether to allow employees to use this software on company devices.
Zoom's Data Routing Concerns
Zoom has been found to be sending data to Facebook, even if you didn’t log in with a Facebook account. Facebook has recently been in the news for its own issues regarding privacy and its habit of selling your data to various parties, where it was fined roughly $5 billion.
Zoom also caught some flak for routing some call traffic through China, which is a big no-no considering the internet is heavily monitored by the Chinese government. Most tech companies operating in China strictly separate their traffic, as many users don’t trust the Chinese government. The government is often criticised for its lack of respecting intellectual property rights, as well as human rights violations.
Zoombombing, or that act of entering meetings uninvited to leave comments or share media using the screen-share feature, is more of a user setting misconfiguration rather than a vulnerability. While this is undoubtedly annoying and does represent a potential security risk, these issues can be solved by an attentive user or meeting host.
Several methods could mitigate the chances of preventing someone that does not belong in the meeting from joining it.
Some people are able to Zoombomb by randomly guessing room IDs. Others gain access because they have seen meeting attendees share screenshots of their Zoom meeting. When they do this, they accidentally share the room ID as well. Either way, turning the on “Waiting Room” feature will prevent those people from entering, by allowing the host to decide who can enter.
Screen sharing options
Screen sharing can be set to “Host Only” by clicking the “Advanced Sharing Options.” Doing this will prevent meeting members, chiefly the ones that aren’t supposed to be in the meeting, from hijacking the meeting. This is very helpful if Zoom is being used for educational purposes.
Locking the meeting room
Once all attendees have joined, lock the meeting room to avoid any disruptions.
While some technologies are requiring us to make a tradeoff between convenience and privacy, we urge businesses to understand the consequences and evaluate the potential risks of using new software, in this case, Zoom. At the moment, Zoom is perhaps too young in its development life to support the security and privacy requirements of many governments, businesses, and other organisations.
We realise that Zoom is a highly functional conferencing solution and that it is currently undergoing a lot of positive security and privacy changes. Still, we think that there are safer alternatives that are nearly as functional and integrate with already existing organisational software, such as Google Meet or Microsoft Teams.
Microsoft Teams is especially suitable for businesses that utilise Office 365. It “enforces team-wide and organisation-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest” according to Microsoft. This effectively allows organisations to manage their employee’s communications and make sure that sensitive information stays secure. Google Meet also has a slew of security features, that also integrates with G Suite, to make it an application suitable for business use.
For larger organisations, there is no excuse. Their IT departments should already have a list of approved software and/or they should limit the administrative rights of users so that non-sanctioned software can’t be installed. This is where staying with the Google G Suite or Microsoft ecosystems has its benefits.
Smaller organisations with limited IT departments and budgets will have a much harder time vetting software, as they lack some of the technical knowledge to properly evaluate software from a security standpoint. This is understandable, but considering the now constant threat that cybersecurity poses to businesses (small and medium business equally), technology champions within these smaller organisations must do their research.
The good news is that you don’t need a degree in computer science to do this, you merely need to spend some time searching the internet. Cybersecurity is becoming more prevalent as a business issue and as a topic for technology writers. This means that if you can be smart with the monitoring of your existing technologies and pay attention to trends, you will be better equipped to evaluate new tools.