Threat Intelligence: A Report on Zoom’s Troubled Past
November 15, 2020
This past March, many businesses and schools transitioned to a partially or fully virtual format. Video-communication platforms like Cisco Webex, Microsoft Teams, Google Meet, and others saw significant increases in daily meeting participants. However, no company has seen such a massive increase in user base as Zoom.us, which saw its peak daily meeting participants grow from 10 million in December 2019 to 300 million in March 2020. But where did Zoom even come from?
The company was founded in 2011 by Eric Yuan, a Silicon Valley entrepreneur who had worked on WebEx before its acquisition by Cisco. Despite advice from constituents about entering a relatively saturated market, Zoom’s user count grew into the millions within three years, and the company became a unicorn in its field in 2017. But it was the pandemic that rocketed Zoom’s status to that of a household name, developing its reputation as an intuitive and effective solution for virtual meetings. Zoom’s price is also appealing; its most basic option is free and allows for unlimited, high-quality meetings between 2 individuals and meetings for up to 100 individuals with a time-cap of 40 minutes.
Despite its performance, Zoom has raised concerns regarding security. Consumer Reports found that Zoom’s privacy policy establishes Zoom’s right to collect and share personal data, including videos, auto-generated transcripts, and files. Zoom also possessed a feature that discreetly shared data with Facebook, regardless of whether a user had a Facebook account. This feature was removed, but it’s alarming that it existed in the first place.
The Intercept investigated Zoom’s claim that meetings utilized end-to-end encryption (E2EE). E2EE is a form of encryption that allows data to be read only by the sender and recipient. In Zoom’s case, the data would only be accessible by the participants of the meeting and not the administrators of Zoom’s servers. However, Zoom meetings were not encrypted end-to-end. Instead, the meetings utilized a system that encrypted data in transit, but this is not considered to be E2EE. Zoom did update its encryption whitepaper to remove the misleading statement and began rolling out true E2EE, first to paid customers and then to free customers. This feature does have to be specifically enabled, however, and there are some constraints for its use. Similarly to Apple iCloud and Google Drive, Zoom is the sole holder of encryption keys. This means that, even if your connections are encrypted, Zoom could theoretically have full access, including access to recorded meetings in Zoom’s cloud storage.
From late March through April, a number of critical security flaws were discovered within the platform. One vulnerability allowed user email addresses and photos to be leaked to strangers. Another allowed attackers to gain root access to macOS computers. Yet another allowed attackers to access a company’s recorded meetings. There have also been instances where recorded meetings have been stored on unsecured servers, allowing them to be viewed by anyone, and hundreds of thousands of Zoom accounts and user records were put up for sale on the dark web. The company also processes user data in China, occasionally including encryption keys, and some calls have been ‘mistakenly’ routed through Chinese servers.
You may have heard of the term ‘Zoom Bombing,’ the practice of infiltrating Zoom meetings and causing trouble. While these incidents may not seem overly harmful, there have been many instances of coordinated harassment, successful and attempted, involving antisemitism, racism, pornographic material, and verbal abuse. A security vulnerability also enabled attackers to develop tools to find and gain access to active Zoom meetings. However, Zoom Bombings occurred largely due to improperly configured meetings that allowed individuals to join without being vetted, meaning that these incidents were not the company’s fault. Zoom later made Waiting Rooms, a feature that prevented users from directly joining meetings, enabled by default.
As a result of these many flaws, a number of organizations and even governments have elected to restrict their employees from using Zoom. SpaceX banned the use of Zoom on April 1st, followed by a number of school districts on April 6th, the Taiwanese government on April 7th, and Google on April 8th. The German government also decided to refrain from using Zoom and advised others to do the same. Then, on April 9th, the U.S. Senate instructed its members to avoid Zoom, and the Pentagon restricted use the next day. Zoom’s shortcomings also led to several lawsuits being filed, including one by a shareholder that accused executives of covering up security issues. Finally, a report by the Department of Homeland Security’s Cyber and Counterintelligence centers found that Zoom could be vulnerable to foreign intelligence.
The pandemic saw a large increase in daily meeting participants for the entire video-conferencing industry, but security flaws disproportionately involved Zoom. Companies like Google, Microsoft, and Cisco had more mainstream solutions before the pandemic, so it’s understandable that their security standards were higher. This being said, Zoom has been around for a number of years and has had a user base consistently in the millions, not to mention its valuation of a billion dollars in 2017. While the discovery of the platform’s flaws can be attributed to increased scrutiny due to its rapid growth, the lax state of the company’s security policy, despite its resources, should be noted. To the credit of Zoom, almost all of the issues outlined in this report have been fixed. Zoom has taken visible steps to improve their security, including setting aside 90 days to focus strictly on security. There are still some privacy concerns, but these are no different from any other mainstream providers, including every Google service, Apple iCloud, Facebook, and others.
So why did so many organizations elect to use Zoom? Todd Tyler, Computer Support Technician, said, “Zoom had a great deal… and offered it to schools for free. There [were] a lot of people using it…it’s simple and easy to install, it’s simple and easy to manage, they had a lot of features that worked well, and it was free.” Tyler went on to say, “We did consider other options too… However, a lot of times when you have a solution that is A, free, and B, is already working, you’re gonna tend to lean towards that solution, and that’s what we did with Zoom. They owned their issues and fixed their issues. And it was something we had already used and been using successfully with teachers.” Tyler also noted that since fixing their security issues, Zoom has released a myriad of new features at no extra cost to the school. However, not everyone shares the same mindset. When asked about Zoom’s past flaws, Emily Fenimore ’21 said, “These issues are definitely concerning. For anyone using an online source, it’s scary [that] you don’t know if it’s safe or not, especially if there are pre-existing or previous issues… I do believe that Zoom [has] fixed issues in the past; it’s come a long way since we first had to go online, but that doesn’t know what we can’t see and don’t know, could very well still be there (sic).” There is no doubt Zoom offers a great product and deal, one that has motivated its competitors like WebEx to offer a free option, but it is difficult to forget the platform’s troubled past.
In its current state, Zoom is relatively safe for the casual user. As long as one properly uses the security features available, Zoom Bombing incidents are easily mitigated. The platform is certainly not for everyone, though. Conner Manning ’22 said, “I would definitely try out a different platform. I’ve tried a few others that have worked better [than Zoom].” While it is unfair to judge Zoom solely by their past issues, it is also unfair to judge them solely on their amazing features, price, and response to said issues. Preventative measures are better than reactive measures, and Zoom serves as an example of the importance of proper security auditing in the consumer tech solutions industry.