During the coronavirus pandemic, it seems as if everyone is connecting with Zoom’s videoconferencing app — including, on occasion, unwanted visitors.
Online trolls have been sneaking into web meetings and disrupting them with profanities and pornography for at least the better part of the last month. Cybersecurity researchers fear these disruptions could be a precursor to more harmful attacks allowing hackers to commandeer connected machines to access secure files or other corporate software.
“Much of our current reality is unchartered territory, and this growing dependence on Zoom at home is just another one,” said Mark Ostrowski, regional head of engineering for Check Point Software Technologies Ltd. “As soon as a platform’s attack surface gets big enough, you can only expect that they’ll become more interesting to attackers. That’s what’s happened to Zoom.”
In a Wednesday blog post, Zoom said that it takes security concerns “extremely seriously” and that the company is “looking into each and every one of them and addressing them as expeditiously as we can.”
But there’s good news. Users don’t have to follow Elon Musk, whose SpaceX has banned the use of Zoom Video Communications Inc. amid privacy concerns.
There are a few simple steps to host secure video meetings, according to security experts. For instance, ensure your meeting is password protected, and don’t share meeting IDs and passwords on social media, where criminal hackers may grab the credentials.
Zoom appears to have been designed with security as an “afterthought,” Wardle said, adding that it was a common phenomenon among startups primarily focused on users and funding.
But Zoom’s meteoric popularity has drawn additional scrutiny.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Zoom said in the blog post. The influx of new users has presented the company with “challenges we did not anticipate when the platform was conceived” and that company “committed to learning from them and doing better in the future.”
On March 30, the FBI issued a warning about so-called “zoom-bombing,” urging users not to make classes or meetings public or share links to teleconferences on social media.
That same day, a Zoom user sued the company claiming its services were illegally disclosing personal information.
Zoom acknowledged that it shares data with Facebook in a blog post on March 27.
In addition, New York State Attorney General Letitia James wrote a recent letter to Zoom that included “a number of questions to ensure the company will take appropriate steps to ensure users’ privacy and security is protected,” according to a spokesperson for the attorney general’s office, who declined to share a copy of the letter.
Concerns over Zoom’s security practices aren’t new. Last year, a researcher named Jonathan Leitschuh discovered that the desktop version of Zoom for Macs quietly installed a web server — one that remained on systems even if the app was removed — that presented a new way for hackers to access webcams, he said. Apple Inc. released an update in July that plugged the security hole.
Holding Zoom’s “feet to the fire” around security and privacy amid the app’s new popularity will create incentives for the company to adapt, Leitschuh said in an interview.
Discussion about this post