Feature: How coronavirus burst Zoom’s bubble

Last Updated on

Out of adversity great things can be born. It can also lead to an unmitigated disaster. Zoom has gone from a little known app to household name, to household pariah, all in the space of a couple of weeks. Ella Glover investigates what’s happened to one of the Internet’s brightest prospects.

Singapore recently ruled to ban the use of Zoom by teachers. Thanks to the shift towards remote working around the globe amidst the coronavirus lockdown, popular video conferencing tool Zoom – which is used for corporate and government meetings, remote teaching and group hangouts – rapidly became a household name. In the last month alone, Zoom has seen a 535% rise in traffic, and there’s no surprise; Zoom felt like the perfect solution being that it is extremely convenient, reliable and easy to use.

The ban, however, came after the reported hacking of a first-year, secondary school live class conference by two men. According to the BBC, obscene images appeared on the screen before the perpetrators asked young girls to “flash”. The Singaporean government were extremely concerned and told teachers to suspend their use of Zoom as a precautionary measure. This type of security breach has come to be known as ‘Zoom Bombing’ – incidents of video hijacking in which hackers infiltrate video meetings, often shouting offensive slurs or threats – and is being investigated by the FBI.

This isn’t the first time Zoom has come under fire for security issues and privacy leaks. Security researcher Arvind Narayanan took to Twitter to criticise Zoom, branding the app a “privacy disaster”, as it became evident that the app had fallen short in a number of areas involving security.

Zoom had falsely advertised the utilization of end-to-end encryption for video and audio content which, they now claim, is not “currently possible” but Zoom video meetings are currently supported by a combination of TCP and UDP. End-to-end encryption is widely recognised as the most secure and private form of internet connection and was advertised by Zoom on its app, website, and security white paper. While Zoom video meetings are private from anyone attempting to hack your WiFi connection, they are not private from the company itself. Although Zoom claims it does not directly access any of its users’ data, with the number of high profile users such as prime minister Boris Johnson, this fact is a definite cause for concern.

It was also revealed that one vulnerable feature of Zoom  – a hidden web server – allowed users to be added into a video call without their permission. Apple has released a silent update blocking this feature from Mac. Video call administrators were also able to access the personal information of participants, such as their IP address, location data, and device information. Zoom implemented a range of new security measures to combat these issues including the enabling of passwords to access a call and turning on the Waiting Room feature as a default, which will prevent participants from joining until the host is ready and removing the meeting ID from the title bar to prevent the accidental sharing of this information through screenshots.

Such faults saw Zoom hit by an investor lawsuit, in which shareholder Michael Drieu alleged that Zoom had “significantly overstated” the extent of the encryption on the platform and that the admission of this discrepancy accounted for a significant drop in the company’s share prices.

This wasn’t Zoom’s first lawsuit, however. The company is also being sued in California over further privacy issues involving the sharing and selling of user data through the iOS version of the app to third parties such as Facebook – even if a user does not have a Facebook account. Motherboard reported that, while this sort of data sharing is common, Zoom was not explicit about its use of user data in its privacy policy, meaning that many users of the app don’t realize that “by using one app, they’re providing data to another service altogether”. Zoom’s actions violated California’s Unfair Competition Law, Consumers Legal Remedies Act, and Consumer Privacy Act. Zoom claimed to have been unaware that their ‘Login with Facebook’ feature had caused the unnecessary collection of device data and have proposed to remove the Facebook software development kit (SDK) from their app and reconfigure the feature in order to allow users to log in through Facebook via their browser.

A further revelation showed that hackers were able to access a users’ Windows login name and password when users clicked a specific link in Zoom’s chat functionality. Hacker, Matthew Hickey, stated that this vulnerability can allow access to launch programs on your machine, providing it passes the security warning. Luckily, this feature can be blocked by following a few simple steps.

Principle security researcher at Jamf, Patrick Wardle, exposed another two bugs that can be used to take over a user’s Mac, including accessing their webcam and microphone. Wardle reported that the bugs in question are local security issues, meaning that in order to be utilized, “they required that malware or an attacker already have a foothold on a macOS system”.  Zoom has not yet issued a claim in response to Wardle’s findings and have made no comment on how these bugs will be removed.

Following it’s sudden and sharp rise in popularity, it’s no surprise that Zoom has encountered some security and privacy problems. Founded in 2020, Zoom saw a 67% rise in usage from the start of the year to mid-March and has provided countless high profile companies and figures with easy access to business as usual. Raul Castanon, a senior analyst for workforce collaboration at 451 Research / S&P Global Market Intelligence, told ComputerWorld that founder, Yuan’s efforts to “skilfully navigate” these “unprecedented” challenges should not go unacknowledged and these measures along with hiring former Facebook CSO Alex Stamos as an outside adviser should help “Zoom improve its security and privacy practices”.

That being said, with multiple security breaches left unacknowledged, it may be advisable to find a more secure alternative to Zoom until all of their problems have been solved.