Is Zoom Safe?

Placido Wang
Apr 7, 2020
May be closer to reality than you think

It’s no news that companies and classrooms are heading online to continue work and school amidst the COVID-19 outbreak. People are finding themselves less in offices and more in virtual rooms and voice channels. Thanks to its wide availability and ease of use, Zoom is one of the most popular video conferencing platforms, with its user base exploding from 10 million in December to 200 million in March, according to Zoom CEO Eric Yuan. But with its increase in popularity, Zoom has become a juicier target for hackers. The question on everyone’s mind is: is Zoom safe?

One phenomenon that has been blowing up is the Zoom Bomb, where uninvited guests join an existing meeting with the intent of disrupting it, typically with obnoxious or explicit videos. By default, anyone with a Zoom meeting ID can join that meeting, allowing a student’s friend, for example, to enter a classroom meeting and enlighten its guests to the wonders of Rick Astley’s Never Gonna Give You Up. However, pranks like this have been around for decades, from chat channels to VoIP servers, and have more to do with hosts being inexperienced or unmotivated to use Zoom’s built-in features, like password requirements and waiting rooms, than with a security flaw.

Can you hear it?

However, there’s more to the story. Patrick Wilde, ex-hacker for the NSA, explains that the Zoom app installs on Macs without requiring permission, so a crafty programmer could inject code into the installer and gain elevated privileges. Wilde says that one can trick the Zoom installer into executing arbitrary code to, say, record the camera and audio at will. While alarming, this sort of attack typically requires the attacker to be local, meaning physical access to the device, and as anybody in the know about cyber security will tell you, physical access is root access.

Watch out!

Even so, this does not bode well given Zoom’s security track record. In 2019, Zoom faced a security scandal in which the app installed a web server on a device such that, even after Zoom was uninstalled, a user could click on a link and suddenly find themselves in a new meeting with camera and microphone enabled after Zoom reinstalled itself.

Eye have you.

CEO Eric Yuan initially defended these features, favoring ease of use over an overly cumbersome authorization check, which forced Apple to push out a fix to their devices to disable the 2019 scandal’s feature. Yuan has since apologized for Zoom’s security flaws, recognizing that they have grown along with the platform’s popularity, which is unprecedented since its inception. He has announced a 90-day freeze in feature production so that Zoom’s engineers can focus on addressing its current problems. But once that’s done, how long will it be until the next major security disaster, and how many people will be affected before it’s addressed? More and more organizations aren’t willing to take the risk and are jumping over to alternatives such as Microsoft Teams and Discord. Is the ease of use and ubiquity of Zoom enough to justify your continued use, or will you also abandon ship?
