View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Zoom Security Storm: Company Apologises, Hackers Squabble

"We've fallen short..."

By CBR Staff Writer

In December 2019, video conferencing tool Zoom had 10 million daily meeting participants on average. In March this year, that figure was 200 million.

The astonishing surge in use has come with a corresponding spike in scrutiny, as security researchers take to the airwaves to highlight a string of vulnerabilities, and school children trawl social media inviting trolls to “Zoom bomb” their lessons.

By Wednesday the pressure had mounted to the point at which Zoom CEO Eric Yuan had drafted a lengthy blog post, saying that the company would be freezing product development to focus solely on security, and apologising for “falling short of the community’s – and our own – privacy and security expectations.”

The furore has sparked a combination of sympathy and hostility in the security community, as well as a debate about just how helpful recent disclosures have been. Among the most contentious, the disclosure of two zero days, or previously unknown vulnerabilities, via Techcrunch without prior notification to Zoom.

Content from our partners
Why the tech sector must embrace faster, smarter talent recruitment
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate
What to look for in a modern ERP system

Patrick Wardle, ex-NSA and now working at Jamf, shared the two vulnerabilities (which allow an attacker to tap into the webcam and microphone) on his blog on Wednesday. Despite subsequent hype, they were not RCE and would need an attacker to already have local access  (At which point, users already have problems…)

https://twitter.com/alexstamos/status/1245386120776433665

Zoom Security Storm: What’s Happened?

That disclosure came after a series of other reports that had already drawn decidedly mixed reactions from the cybersecurity community.

These included one that resulted in Zoom removing its Facebook login because Facebook’s SDK was harvesting device data, and an April 1 apology from Zoom for misleading customers about how its encryption works.

Not everyone has been impressed with the security research community swarming all over the company. As Dave Kennedy, CEO of TrustedSec put it.

Most of the findings thus far would be considered low to medium risk. Not world-ending… Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others. Most of these exposures wouldn’t even bubble up to a high or critical finding in any assessments a normal tester would conduct.

“Yet, it has world reaching implications to the masses that don’t understand the technical details. It creates hysteria when it is not needed.”

Others disagree, Google security researcher Tavis Ormandy saying of the zero day disclosures: “It’s a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle. This is what real responsible disclosure looks like.”

Zoom’s CEO said in his blog: “Our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices.

“Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom.”

New, “mostly consumer” use cases and a corresponding spotlight on the company have helped uncover “uncover unforeseen issues with our platform” he added.

What’s the Company Doing?

Zoom will now enact a feature freeze, effectively immediately, and shift “all our engineering resources to focus on our biggest trust, safety, and privacy issues,” Yuan said. This will include launching a series of “white box penetration tests”, enhancing its current bug bounty programme, and “launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue.”

The company said it has also:

> On March 29th, updated its privacy policy “to be more clear and transparent around what data we collect and how it is used – explicitly clarifying that we do not sell our users’ data, we have never sold user data in the past, and have no intention of selling users’ data going forward.”

> Set up a guide on how to better secure virtual classrooms. On April 1, removed its controversial attendee attention-tracking feature, rapidly released fixes for a series of recent bugs, and removed the LinkedIn Sales Navigator after identifying “unnecessary data disclosure” by the feature.

To Computer Business Review, the company’s reaction has been astonishingly good under pressure: publicly appreciative of the security disclosures, patching fast, and working hard to educate users. Whichever side of the fence security specialists sit, one likely outcome of all the attention is that Zoom will soon be one of the most secure video conference platforms out there.

Banner image credit: @rtnarch, Twitter. 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU