What are the chief security concerns with Zoom and have they been fixed?

With Covid-19 lockdowns forcing most companies to work from home, the popularity of video conferencing platforms, particularly Zoom, has surged. The platform saw its global users shoot up from 10 million in December last year to more than 200 million daily participants in March.

The San Jose, California headquartered communications company, founded in 2011 by CEO Eric S Yuan, provides both free and subscription fee-based plans for home and enterprise users. It allows customers to take part in video conferencing, online meetings and group chats. The company had close to 2,000 employees as of 2019. 

However, as the popularity of the app rose, so did concerns around its security protocols.

Privacy and security concerns emerged as people complained on social media about ‘zoombombing’. The term refers to incidents in which uninvited users join and disrupt Zoom meetings to post lewd messages and hate speech, or to stream pornography.

In fact, the office of New York attorney general Letitia James wrote an official letter to the company asking what security measures were put in place to handle increased traffic and detect hackers on the platform, The New York Times reported.

The government of Taiwan banned the usage of the app in the country. Australian defence forces and members of parliament have been asked not to use the app, as have schools in New York.

In India, geostrategist and author Brahma Chellaney said on microblogging platform Twitter that defence minister Rajnath Singh had used the application to chat with defence personnel, and urged him not to. The government, however, has not made a formal statement about the issue or about the platform in general.

Additionally, there have been reports of Zoom sending data to social media platform Facebook. There have also been allegations that the company claimed data shared on the platform was end-to-end encrypted when it was not. The platform also had an ‘attention tracking’ feature, which notified the host of a meeting if any participant had been away from the Zoom window for longer than 30 seconds.

The allegations prompted CEO Yuan to put out a formal message. 

“We recognise that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it,” he wrote in a blog post. 

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socialising from home,” he added.

So, what are the massive security issues on Zoom and have they been addressed? 

1. Zoombombing 

“The first rule of Zoom Club: Don’t give up control of your screen,” the company said in a blog post detailing how users could avoid unwanted guests in Zoom calls. Some takeaways:

  • Don’t use your personal meeting ID (PMI) to host public events. Learn how to generate a random meeting ID instead.
  • Familiarise yourself with Zoom settings and features. For example, use the waiting room feature to control who enters and exits meetings.
  • Prevent participants from sharing their screen in a call: choose ‘Only Host’ under ‘Who can share?’ in the menu that opens when you click the arrow next to Share Screen in the bottom toolbar.
  • Allow only signed-in users into the meeting.
  • Use the ‘lock the meeting’ feature: it allows hosts to close the door once the call begins.
  • Mute participants, turn off file transfer and disable private chats. 
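The checklist above is a set of meeting settings, so it can be turned into an automated audit. The following is an added example, not code from the original article or from Zoom: it models each recommended control as a key in a plain settings dictionary (the key names such as `waiting_room` and `screen_share` are hypothetical and do not correspond to Zoom's real API schema), reports which controls a meeting configuration leaves open, and produces a hardened copy.

```python
from typing import Dict, List, Tuple

# Each rule: (hypothetical setting name, value the checklist recommends, advice to print).
# The names model the article's checklist; they are NOT Zoom's real configuration keys.
HARDENING_RULES: List[Tuple[str, object, str]] = [
    ("use_personal_meeting_id", False, "host public events on a randomly generated meeting ID, not your PMI"),
    ("waiting_room", True, "enable the waiting room so the host controls who enters"),
    ("screen_share", "host_only", "restrict screen sharing to the host"),
    ("authenticated_users_only", True, "allow only signed-in users to join"),
    ("locked_after_start", True, "lock the meeting once the expected participants are in"),
    ("participants_muted_on_entry", True, "mute participants on entry"),
    ("file_transfer", False, "turn off file transfer"),
    ("private_chat", False, "disable private chat between participants"),
]


def audit(settings: Dict[str, object]) -> List[str]:
    """Return one finding per control that is missing or not set as recommended."""
    findings = []
    for key, expected, advice in HARDENING_RULES:
        actual = settings.get(key)  # a missing key is treated as not configured
        if actual != expected:
            findings.append(f"{key}={actual!r} (expected {expected!r}): {advice}")
    return findings


def harden(settings: Dict[str, object]) -> Dict[str, object]:
    """Return a copy of the settings with every checklist control set as recommended."""
    hardened = dict(settings)
    for key, expected, _advice in HARDENING_RULES:
        hardened[key] = expected
    return hardened


# Constructed sample: a public event created with convenience-first settings,
# the kind of configuration that zoombombers take advantage of.
PUBLIC_EVENT: Dict[str, object] = {
    "use_personal_meeting_id": True,
    "waiting_room": False,
    "screen_share": "all_participants",
    "authenticated_users_only": False,
    "locked_after_start": False,
    "participants_muted_on_entry": False,
    "file_transfer": True,
    "private_chat": True,
}

if __name__ == "__main__":
    print("Findings for the constructed public event:")
    for finding in audit(PUBLIC_EVENT):
        print(" -", finding)
    print("Findings after hardening:", audit(harden(PUBLIC_EVENT)))
```

Treating a missing key as a failed control is deliberate: a meeting whose configuration never mentions the waiting room is one where nobody turned it on, and an audit that silently passes unknown settings would hide exactly the gaps the checklist is meant to close.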

2. Facebook collects user device information from Zoom

While it is uncertain whether Facebook collected data from Zoom without the latter’s consent, a lawsuit filed in a California federal court alleged that Zoom did not inform its users that their data was being sent to Facebook.

Zoom’s Yuan said in a blog post that the company noticed that the Facebook software development kit (SDK), a group of software development tools in one installable package, collected “device information unnecessary for us to provide our services”.

While he admitted that data was indeed collected by Facebook, he said the information did not include meeting-related data such as attendee names, notes or identities. The data that was collected included the type and version of the mobile OS, the device model, screen size, number of processor cores and disk space of user devices.

The company said the Facebook SDK has been removed from its iOS versions. However, individuals can still log into Zoom via Facebook in their browsers. Users of older versions of the app can install the update released on March 27 to stop the unwarranted data collection.

3. Updated privacy policy for educational users

Yuan said that 90,000 schools in over 20 countries used Zoom to hold virtual classrooms. To ensure the teaching sessions are not hacked, Zoom changed its default settings for K-12 (kindergarten to class 12) education-based users to have waiting rooms by default and only allow the teachers or hosts to share content in class, he said. 

4. Is it really end-to-end encrypted? 

Several reports said that Zoom had made false claims of having end-to-end encryption in place for its meetings.

The company’s chief product officer Oded Gal admitted that the data was indeed not end-to-end encrypted, and apologised for “the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption” in a blog post.

He said there were discrepancies between what the industry considers end-to-end encryption and how Zoom had used the term. He said that while Zoom is not end-to-end encrypted, the encrypted video, audio, screen sharing and chat content is not decrypted by the platform at any point as it travels from one user to another.

Zoom does not have a built-in mechanism to decrypt live meetings for purposes that the law might require and “nor do we have means to insert our employees or others into meetings without being reflected in the participant list,” he added.

However, concerns remain that if a bad actor gained access to Zoom’s servers, they could decrypt files and steal or misuse sensitive information.
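The distinction Gal draws is about who holds the key, not about whether the bytes in transit are encrypted. The following is an added illustration, not code from the article or a description of Zoom’s actual protocol: it is a deliberately simplified model in which a relay server forwards ciphertext between two participants. In one run the server holds a copy of the meeting key (a server-mediated design), in the other it holds nothing (an end-to-end design). In both runs the relay never decrypts anything during delivery, yet only in the first can the server, or anyone who compromises it, read the logged traffic afterwards. The stream cipher is a toy built from HMAC-SHA256 for self-containment and is labelled as such; it is not a production cipher.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

Packet = Tuple[bytes, bytes]  # (nonce, ciphertext)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR with an HMAC-SHA256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Relay:
    """The service in the middle. `key` is None in the end-to-end model (the server
    only ever sees ciphertext) and a copy of the meeting key in the server-mediated model."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key
        self.log: List[Packet] = []  # everything that passed through, e.g. a recording buffer

    def forward(self, packet: Packet) -> Packet:
        # Delivery never decrypts in either model; the packet is stored and passed on as-is.
        self.log.append(packet)
        return packet

    def read_log(self) -> List[bytes]:
        """What a party with access to the server can recover from the logged traffic."""
        if self.key is None:
            return []  # no key, so the ciphertext is all that is there
        return [keystream_xor(self.key, nonce, ct) for nonce, ct in self.log]


def send(meeting_key: bytes, relay: Relay, plaintext: bytes) -> Packet:
    nonce = secrets.token_bytes(12)  # fresh nonce per message
    return relay.forward((nonce, keystream_xor(meeting_key, nonce, plaintext)))


def receive(meeting_key: bytes, packet: Packet) -> bytes:
    nonce, ciphertext = packet
    return keystream_xor(meeting_key, nonce, ciphertext)


def run_scenario(server_holds_key: bool) -> Tuple[bool, List[bytes]]:
    """Returns (all messages delivered intact, what the server side could read afterwards)."""
    meeting_key = secrets.token_bytes(32)
    relay = Relay(meeting_key if server_holds_key else None)
    messages = [b"constructed message one", b"constructed message two"]  # sample input
    delivered = [receive(meeting_key, send(meeting_key, relay, m)) for m in messages]
    return delivered == messages, relay.read_log()


if __name__ == "__main__":
    for label, holds_key in (("server-mediated", True), ("end-to-end", False)):
        ok, readable = run_scenario(holds_key)
        print(f"{label}: delivered intact={ok}, server can read {len(readable)} message(s)")
```

The statement “not decrypted by the platform at any point” is true of both runs, which is why it does not by itself establish end-to-end encryption; the second scenario is what the term usually means, and the first is the situation the remaining concern about server compromise refers to.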

5. The attention tracking feature

The attention tracking feature allowed hosts to know if a participant was away from the Zoom screen for more than 30 seconds. After several users complained, Zoom permanently disabled this feature. 

Additionally, another feature, the LinkedIn Sales Navigator integration, which allowed users to view the LinkedIn profiles of participants without their consent, was also disabled.

6. Hacking cameras and microphones of Mac users 

Security researcher Patrick Wardle had discovered two issues that could be used to hijack a Zoom user’s microphone and webcam, according to a TechCrunch report. A local attacker could potentially use them to gain control of a Mac laptop or desktop. Zoom’s Yuan said on the company’s website that the issue had been fixed, but gave no further details.

While the company has addressed some major concerns, it continues to be plagued by allegations. There are reports that Zoom account credentials have been found on the dark web and that the company had allowed calls to be routed through China.

While still a viable option for communication amid the growing shift to working from home, Zoom must take proper precautions to address safety and privacy concerns. Security firm Sophos said such issues can usually be resolved if individuals understand basic prevention and protection mechanisms. It also gave customers some guidance on how to use the platform safely.

However, it may be wise to avoid using the app for highly sensitive or critical functions involving confidential data.
