Tomas Foltyn, security writer at ESET discusses the privacy and security issues faced by the videoconferencing platform, Zoom that has caught the fancy of millions of users worldwide either for work or education or leisure purpose, as they get confined to their homes amid efforts to contain the COVID-19 pandemic.
As countless people are confined to their homes amid efforts to contain the COVID-19 pandemic, the popularity of videoconferencing software for work, education and leisure is exploding. Of all such communication tools du jour that were suddenly thrust into the limelight, probably none stands out as much as Zoom.
The skyrocketing demand among people and businesses alike has helped reveal a rash of privacy and security challenges facing the platform, which is now used even for daily meetings of the UK Government (though, interestingly, the UK Ministry of Defense forbids its employees from using the app).
The app’s maker is weathering a storm of criticism from various quarters, including privacy advocates, security experts, several U.S. state attorneys general, a U.S. lawmaker, and the FBI. Bad news have kept piling up in recent days, prompting the company to respond.
On Wednesday, the firm’s founder and CEO Eric S. Yuan apologized for the issues and outlined measures to beef up Zoom’s security and privacy. He also announced a 90-day feature freeze, adding that the company was shifting all its engineering resources to “focus on our biggest trust, safety, and privacy issues”.
Here’s a rundown of five of the key issues Zoom has had to address since last week:
- Despite claims to the contrary, the app’s video and audio meetings don’t support end-to-end encryption, according to research by The Intercept. Zoom later apologized and clarifiedthat it uses transport encryption known as TLS. The key difference is that the latter doesn’t put users’ communications out of the company’s reach.
- The app was also found to contain several security vulnerabilities, though they were all fixed in short order. Its Windows client was found susceptible to a UNC path injection flaw that could expose people’s Windows login credentialsand even lead to the execution of arbitrary commands on their devices. Two more bugs, this time affecting Zoom’s MacOS client, could have enabled a local attacker to take control of a vulnerable computer.
- The company has also dropped Zoom’s ‘attendee tracking’, a feature that made it possible for a meeting’s host to check whether the participants were actually paying attentionwhen the host was in screen-sharing mode.
- The FBI has released a warningagainst a phenomenon dubbed “Zoom-bombing” following multiple reports that trolls and pranksters invaded private meetings and school classes to display disturbing images.
The issues could have affected a vast number of people, as the platform saw a surge from 10 million to 200 million daily users over the past three months. By Yuan’s own admission, Zoom has been overwhelmed by its own unforeseen success.
“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he said.
How to stay safe
Even in this remote-work era (and not only when it comes to videoconferencing), we shouldn’t overlook the privacy and security side of things. No matter how slick and feature-rich any software is, it may bring new threats, and with them come added responsibilities. The most effective measures you can take to protect your security and privacy when using Zoom include:
- Password-protecting your meetings and/or vetting meeting participants with the help of Zoom’s ‘Waiting Room‘ feature.
- Limiting screen sharing to the host.
- Running Zoom’s latest version.
- Refraining from sharing links or meeting IDs on social media.
Indeed, consider using meeting IDs rather than links when inviting other participants, as there’s been a surge in malicious Zoom-themed domains that seek to capitalize on the app’s unexpected success.