Zoom and Security - Should you be concerned?

The Headlines

In December 2019, Zoom had 10 million users. In April 2020, they surpassed 300 million! (Incredibly, they scaled 30x in 4 months without a single major service interruption - a headline in itself.)

With Zoom's sudden popularity, it quickly became the focus of high profile security researchers who inspected the product and identified a number of concerns. The main criticisms have focused on one or more of these specific issues:

  1. Zoombombing: Meetings by default were created without passcodes unless the host enabled them. This resulted in uninvited guests joining ("bombing") the meeting. This, very unfortunately, hit a tipping point when racist attacks and pornography entered the picture.
  2. Broad privacy policy: Zoom's privacy policy was overly broad and there was some analytical data sharing with Facebook (not content of communications) as a consequence of libraries bundled into their apps.
  3. Lack of strong end-to-end encryption: The communications sent to each participant are not encrypted in the most secure way and could theoretically result in eavesdropping by an attacker or Zoom itself.
  4. China: Researchers found that occasionally meetings were run through Zoom servers located in China, even though no participants were in China.
  5. Technical Vulnerabilities: Some new technical vulnerabilities were found in Zoom's software.

Zoom's Response

The threat model and product requirements for Zoom changed dramatically in 4 months and they now face new threats and scrutiny. To its credit, Zoom has responded swiftly and decisively thus far.

Meetings are now password protected by default, and also have a waiting lobby enabled so that the host must approve each participant as they join unless the feature is disabled. This effectively mitigates the Zoombombing issue.

They removed the Facebook SDK from their iOS application and updated their privacy policies, effectively mitigating the privacy concerns.

Zoom has released fixes for the technical vulnerabilities and has committed to radical improvements to their security program and transparency over the next 90 days. They also added controls so hosts can decide how their data is routed to avoid countries of concern.

Full strong end-to-end encryption is also due to be released any day now.

While not mainstream news, Zoom has also hired Alex Stamos as a consultant, among others, as part of a CISO advisory council to guide response efforts. Alex in particular is a highly respected name in the security industry. As CSO at Yahoo he cleaned up after their record-breaking breaches, and as CSO of Facebook he dealt with the aftermath of the Cambridge Analytica scandal.

Our Verdict

As with any business application, Zoom must be properly configured and managed for secure business use. Using a Zoom alternative doesn't avoid this responsibility, which is why it is essential to involve IT experts in decisions involving any technology solution.

Our opinion is that Zoom deserved to be called out for these oversights, and is now doing as good a job as could be expected in their response. With a global community of information security professionals now holding them accountable, we are optimistic that Zoom will swiftly and transparently resolve their remaining issues. Zoom has an opportunity to transform themselves into the most secure, transparent, and trustworthy video conferencing tool available - and so far that appears to be their goal.

What adds to our optimism is the unbelievable engineering job that Zoom has done at scaling their product in the wake of unprecedented demand. This is possibly the biggest scaling success in the entire history of the internet. (Even Twitter notoriously had growth challenges.) If Zoom's engineers can manage that, they can surely manage these security issues, now that they are focused in the right direction.

Ultimately, it's important to maintain perspective. These vulnerabilities are generally beyond the concern of a typical small to midsize organization. Practically speaking, if Facebook or China desires to individually spy on your communications, they will succeed whether you use Zoom or not. Most of the real damage that could have been done would have been prevented by following best practices in using the product.

Many (most?) smaller organizations still struggle with basic practices like patching computers, preventing phishing, and eliminating "Winter2020!" as user passwords. Our advice remains that if there is organizational concern for security, it should first focus on the fundamentals.

Things change fast with technology. We would not dissuade any of our clients from using Zoom strictly as a result of these headlines. If it remains the best tool for you in terms of features and functionality, and is configured and used properly, it remains a viable and reasonably safe solution.

A Final Note

One thing that the Zoom saga demonstrates is the importance of using mainstream technology platforms and providers. Smaller competitors, of which there are many, don't benefit from the public scrutiny directed at large players like Microsoft, Apple, Google - and now Zoom.

While it can be alarming to read panicked headlines about security issues - these issues are being found and corrected. A smaller competitor, with a lot of fancy marketing, may be able to say they haven't had issues like Zoom's, but they also haven't been tested like Zoom. The more we know, the less we don't know, which is a valuable thing in technology.

This is a great example of why it is important to carefully select reputable, mainstream platforms for important IT infrastructure - and especially crucial to minimize the amount of technology that is hosted or operated in-house. Outages, failures, bugs, and security vulnerabilities are inevitable. With smaller providers, things more easily go unnoticed or are covered up. By leveraging trusted mainstream name-brand providers, you can rest assured that service problems are reliably identified and fixed in a timely manner without your involvement thanks to public accountability.

If you're considering adopting a new video conferencing technology, or remain concerned about what is happening with Zoom, please contact us. Every organization's situation is unique, and we can help determine what works best for your circumstances.