Zoom's Cybersecurity Challenges

Business Insider, April 11, 2020, with comments by Satya Gupta

“Zooming” has become its own verb that everyone now immediately associates with a conference call app. Colleagues, families, friends, and until recently, schools and universities are using the app in droves to have meetings, collaborate, work and keep in touch during the unprecedented times of COVID-19. Zoom will forever be associated with this coronavirus era we are living through right now.

Zoom was around before, as the company is nine years old. But its use has rocketed to the forefront of everyday life with its easy way of connecting professional and personal lives all over the globe. Days, weeks and months at home can feel less isolating during the coronavirus epidemic when we can punch a few numbers on our keypads and be instantly connected to colleagues and friends.

But Zoom’s surge in popularity has brought security problems surging to the forefront as well. As the company grapples with addressing those issues as rapidly as possible, it must also walk the tightrope of trying to keep its user experience as simple and convenient as it was before.

Users like the reassurance their content, whether data or meetings, is private and secure. But users have never liked to be inconvenienced for the sake of that security. Ease of use is not something Zoom’s user base will want to give up.

Security Woes Costing Zoom Business

Before COVID-19, Zoom’s busiest day was in December of 2019, when the company hosted 10 million users. In March 2020, it hosted 20 times that many, with 200 million participants that month.

But with the popularity surge have come security violations where intruders have barged in on Zoom meetings – an event now known as Zoom-bombing. The intruders have wormed their way into meetings and ‘dropped’ offensive material on the participants. They’ve done this to students in several schools, according to the FBI, which has received two reports of incidents in Massachusetts. In the middle of a high school class hosted by Zoom teleconferencing, an unidentified person dialed in and began yelling profanity to the group. The person also yelled out the teacher’s home address.

Another Massachusetts school had a negative experience. For them, the Zoom-bomber interrupted the video component of the meeting, showing swastika tattoos to the meeting attendees. Word of these types of incidents spread quickly through the education community with instructions not to use Zoom any longer because it isn’t secure. Schools and some businesses banned the use of Zoom, causing Zoom stock to drop as much as 14.5% the morning of April 6.

Zoom Has Other Problems, but Security Poses the Biggest Challenge

The security issue is significant for Zoom but it’s not the only problem to solve. Among other issues, it’s also facing a class action lawsuit that claims it revealed analytical data to Facebook without notifying users. Also, some initial calls early on in the pandemic were mistakenly routed through China.

But Zoom’s biggest challenge will be finding a solution to provide better security while still offering the convenience and ease-of-use that attracted people to it in the first place. Jumping into a Zoom session is super simple – you click on a link provided by the host and enter a meeting passcode. Adding more layers of security also adds complexities and additional steps for users, which can quickly cause frustration.

The Long-Standing Trade-Off of Security Versus Convenience

A couple of options are already familiar. Two-factor authentication, in which a code is sent to users’ phones to verify identity, has been around a long time. Many people are already acquainted with the process, though new users may not be, and it always adds time and more steps.

Encrypting calls is another option. But that’s even more complex with unwelcome side effects.

Stronger end-to-end encryption could also make it harder to maintain high call quality, one of the characteristics that makes Zoom so appealing, according to Satya Gupta, chief technology officer at web application security company Virsec.

"I suspect that this is going to be a serious problem for Zoom to be able to solve because, you know, when you encrypt and decrypt, it introduces lag and latency into a call," Gupta said.

Zoom Taking Steps to Address the Issues

Zoom has been responding quickly to these issues. The CEO, Eric Yuan, acknowledged that he hadn’t given security the attention it needed.

He said in a TV news interview on April 5, “We moved too fast... and we had some missteps. We’ve learned our lessons and we’ve taken a step back to focus on privacy and security.”

They’ve put together a 90-day plan to accomplish that and put security and privacy first. These goals will go ahead of other new features. Zoom will provide a transparency report as well as work with outside experts as they assess and work to improve their security measures. One of the experts they are working with is former Facebook security chief, Alex Stamos. He will be Zoom’s consultant as they work to improve security. Zoom has made some changes already, making its security settings easier to access and requiring more password settings for its lower level free and single user accounts.

From Zoom’s website on password settings:

Zoom is enabling the password setting: require a password for Personal Meeting ID (PMI). Zoom will also be enabling the following password settings which are on by default, but previously could have been disabled:

  • Require a password when scheduling new meetings (which also applies to webinars)
  • Require a password for instant meetings
  • Require password for participants joining by phone

These settings are designed to prevent unwanted participants from joining your meeting or webinar. For free accounts, including free K-12 education accounts, and accounts with a single licensed user, the settings will be locked and cannot be turned off. This change will impact your meetings and webinars differently depending on when it was scheduled, how it was scheduled, if it uses your PMI:

  • For previously scheduled meetings with your PMI, participants will be required to enter a password when they join or they will need to be resent the meeting link with the newly embedded password. This password and updated invitation can be found in your Zoom web portal under Meetings, then Personal Meeting Room.
  • For previously scheduled meetings or webinars with a unique one-time meeting ID, there is no need to enter a password when joining or resend the invitation. These meetings and webinars will not be impacted.
  • For meetings previously scheduled with a calendar integration, you will need to resend the invitation or share the password with the participants. Invitations will not be automatically updated.
  • All newly scheduled meetings and webinars, regardless of using PMI or a one-time meeting ID, will require a password by default. This password will be included in the invitation. If a participant manually enters the meeting/webinar ID, they will be prompted to enter the password.

Read the full article: “Zoom's biggest challenge isn't just fixing its security blunders.”
