Zoom's security flaws: Has it done enough to fix them?

As millions have flooded Zoom because of COVID-19, the site became a prime target for hackers. Here is how the company responded, and whether security experts think it's adequate.


As the COVID-19 pandemic has shifted the workplace, and social gatherings, online, business meetings, job interviews, conferences, and social events have moved from the physical world to the digital. While there are many video conferencing platforms to choose from, one service stands above the rest as the most popular on the market: Zoom.

In the weeks when COVID-19 began ramping up, Zoom use skyrocketed: In the week of March 16, for example, connections were up 101.1% from the previous week and 224.7% from a month earlier, according to new data from Wandera. With these increased connections came a spike in data usage: in that same week it rose 337%, and over the month it was up a whopping 876.7%.

What does this mean in terms of actual users? Zoom's April 1 blog post asserted that the platform hosted 200 million daily meeting participants in the month of March—10 million more than there were in December.

But as more people flooded the video conferencing platform, issues arose. Uninvited users entered meetings (because Zoom meeting ID codes were easy to guess) and began what is now called "Zoom bombing"—harassing participants by projecting graphic images. The platform also became a playground for hackers, since so many conference participants were working from home on more vulnerable home computers. On top of this, Zoom's user emails and photos were being leaked, and its video calls were not end-to-end encrypted. (Instead, they were "transport encrypted," which means that the data was accessible to Zoom.)


Tim Keeler, CEO of Remediant and a security consultant and penetration tester, explained how Zoom became a target. According to Keeler, the Zoom installer ran without validation or user consent, a flaw that put administrators at risk.

"An attacker could abuse this to gain 'root' level privilege by modifying the installer without anyone noticing," he said. Also, the Windows version of Zoom "tricked users into disclosing usernames and password hashes by clicking on links in a Zoom session chat window," which "took advantage of the Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client."

Zoom acknowledged the problems: "We moved too fast... and we had some missteps," CEO Eric Yuan told CNN. "We've learned our lessons and we've taken a step back to focus on privacy and security." The platform responded by pausing feature updates for 90 days.


On Sunday, April 5, Zoom responded by offering some options to help beef up security. The first big change was enabling meeting passwords. This doesn't apply to those joining via links, but anyone entering with a Meeting ID must now use a password to gain access; starting on Sunday, the passwords have been included in the invitations. Zoom recommends that meeting organizers re-share the original meeting with participants. (Here is Zoom's two-minute video for detailed instructions.) The other important update was having the virtual waiting room—the area that holds people before they enter the meeting—automatically turned on. This gives organizers an extra chance to admit each guest individually.

Zoom's response was "best-in-class," Keeler said. Its statements acknowledging the issues were transparent, he said, and it "rapidly put out patches for each of the flaws." Keeler believes that the new default options—the Waiting Room feature and password-protected meeting—reinforce best practices, and will prevent Zoom bombing.


Not all security experts believe the response is adequate—Craig Malloy, CEO of Lifesize, said Zoom's response was "disingenuous BS" on his LinkedIn blog post. "Zoom is only sorry they got caught," he wrote. "Data security and privacy is either embedded in your company culture, or it's not. It's a decision; a choice. No one is blowing up Google Hangouts or Lifesize, whose usage is way up as well, for business and personal use."

Still, the key takeaway is that while these security breaches have targeted Zoom, they could happen to any platform that hasn't taken the proper measures to protect itself.

"These recent vulnerabilities present a much larger threat to organizations than many realize," said John Abel, CIO, Veritas Technologies. "Without end-to-end encryption, businesses are susceptible to hackers listening in on or gaining access to sensitive information shared over the platform."

Abel continued, "Today's generation of malware is even sophisticated enough to customize with specific target environments, such as the critical backup and recovery infrastructure." The only way to address this, he stressed, was with a "holistic data protection strategy" that can spot and respond to a range of different threats and streamline security management across an organization.
