Zoom penetration tests have been commissioned by the popular videoconferencing service after a series of security and privacy issues were found in the company’s mobile and desktop apps.
Zoom’s problems have been a messy mixture of poor communication, sketchy marketing, rule-breaking, and actual security holes …
We recently outlined most of the issues.
Zoom made a deliberate decision to prioritize ease of use over security, and it did so knowing that this approach made sense for most users. It also made higher security available to those who wanted it.
For example, one criticism is that, by default, all meetings organised by the same host have the same meeting ID, and thus the same joining link. This means that anyone who has ever joined one of your meetings could try the link another time and be joined to any meeting currently in progress. That is true, but hosts have the option to create a meeting-specific ID (and thus link) if they choose.
Another criticism is that meetings have no password. That is again true by default, but there is the option to set one.
So effectively, Zoom’s default is to make it really easy to host a meeting, but with some security holes. In practice, not huge security holes for the average virtual get-together with family or friends, because there’s not much incentive for a bad guy to try to join, and the small numbers of people mean that an unfamiliar name joining is going to be spotted. All the same, the company should flag these to new users, and highlight the more secure options.
A third criticism is that Zoom calls don’t use end-to-end encryption. That’s not unusual: most videoconferencing apps don’t, because it’s extremely difficult to implement without compromising ease of use. What is bad, however, is that Zoom’s marketing materials lie about it. The company claims to offer end-to-end encryption when it doesn’t.
There’s other undeniably bad stuff.
Zoom was, for example, using an extremely sketchy method to make browser sessions easy. The result was that a website could potentially activate your Mac webcam even if you removed the Zoom app. That was fixed, but Zoom shouldn’t have been taking that approach in the first place.
No sooner had we done so, however, than another vulnerability was discovered.
Zoom penetration tests
The company’s CEO has now responded with a blog post outlining the steps the company has already taken, and plans to take.
A bullet-point list of actions taken to date includes a blog post on how to tighten security; removing the Facebook SDK from the iOS app; a security guide for educational users; ensuring only teachers can share screens; and correcting misleading statements about using end-to-end encryption.
The company then laid out its plans for the next 90 days.
- Enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.
- Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
- Preparing a transparency report that details information related to requests for data, records, or content.
- Enhancing our current bug bounty program.
- Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
- Engaging a series of simultaneous white box penetration tests to further identify and address issues.
- Starting next week, I will host a weekly webinar on Wednesdays at 10am PT to provide privacy and security updates to our community.
A ‘white box’ penetration test means that security researchers will be given full information on the company’s IT setup and app source code, to maximize the likelihood that vulnerabilities will be identified.
If none of this reassures you, check out our ten suggested alternatives to Zoom.