Zoom has long been regarded as one of the most popular remote conferencing tools in the business world. With the advent of the COVID-19 pandemic, the application has seen a meteoric rise in popularity. It seems like everyone is using Zoom nowadays, from service giants like Uber and colleges like Johns Hopkins University to software development providers such as BairesDev.
But those fifteen minutes of fame came with a price. More and more users are reporting that their meetings are getting hijacked by internet trolls in what has been called “Zoombombing”. Basically, this means that unwanted individuals join conferences and interrupt with insults, pornography, or racial slurs.
While this may seem like just another internet prank, users and governments alike have been taking it rather seriously, calling into question just how secure Zoom really is.
On March 30th the FBI released a warning describing some of the reports it had been receiving throughout the month, along with security tips for people who use the service. The security concerns have also caught the attention of schools and governments.
New York took the first step
On April 4th the New York City Department of Education issued a ban against using Zoom after reviewing several allegations of security concerns. The ban came mere weeks after over 1,000,000 students and 1,800 schools started using Zoom for online classes as a social distancing measure to stop the growing threat of the COVID-19 pandemic.
The Department of Education has recommended that all schools shift to Microsoft Teams, stating that it offers the same functionality as Zoom with better security. This information came from a memo sent to school principals and shared with Chalkbeat.
While the Department didn’t set a deadline for the transition, they are pushing for a quick change, hoping that by next month most schools will abide by the ban.
The Washington Post notes that mere days after New York took the first step, Clark County Public Schools in Nevada also decided to stay away from the application, and Utah and Washington may follow suit in the coming weeks.
Concerns about China
Zoombombing may have gotten the ball rolling, but it turned out that it was just the tip of the iceberg. Rumors started spreading that Zoom actually routed information through China, a country whose surveillance policies are highly questionable for privacy advocates.
It turns out the rumors were true: the University of Toronto’s Citizen Lab found that data was indeed being routed through China, even when all participants were in the U.S. That data includes the AES-128 encryption keys needed to decrypt the contents of a conference, which were often delivered through servers in China.
The researchers also brought attention to the fact that Zoom owns three different companies in mainland China, with 700 employees, an arrangement that, in the researchers’ own words, “may make Zoom responsive to pressure from Chinese authorities”.
In response, Taiwan banned the application across all of its government agencies, citing security concerns. This is not surprising, considering the country’s historical relationship with China. Just like New York City, the Taiwanese government has recommended adopting Microsoft services such as Skype or Teams.
Shortly after the Citizen Lab report, Zoom’s CEO Eric Yuan admitted in a blog post that the report was accurate, stating: “In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began. In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.”
The CEO further said that a fix had already been put in place to prevent further traffic from going through China. He also acknowledged the allegations about the weak encryption used by Zoom and stated that the company would be working to improve its security in the following weeks.
On April 1st, the company published a second blog post detailing some of the steps it had taken to address its most pressing security concerns, including:
- Advice on how to prevent Zoombombing
- Removal of the Facebook SDK from the iOS client
- Removal of the attendee attention tracker feature
- Webinars and tutorials for newcomers
- A promise of further, larger-scale actions
On April 8th, another blog post was published with a follow-up on the situation as well as a 90-day plan to improve Zoom’s security. As part of that plan, the company formed a security council with some of the biggest CISOs in the business, from companies such as HSBC, NTT Data, Procore, and Ellie Mae.
They also brought in Alex Stamos as a security advisor. Stamos, the Director of Stanford’s Internet Observatory, is a well-known figure in cybersecurity who was quite vocal on social media about Zoom’s vulnerabilities. He has stated that he is not working for the company in any capacity and is only giving advice as a consultant.
While it may be that Zoom is trying to turn things around, it’s not going to be easy for the California-based company. Whatever actions need to be taken are going to take time. Competitors like Google Meet and Microsoft Teams are quickly gaining ground as more and more people express doubt in Zoom’s ability to provide a safe experience for students and businesses alike.