Zoom is a victim of its own success, not a dangerous product

Zoom’s meteoric rise in popularity following coronavirus (COVID-19) lockdowns is well-documented. From an average of 10 million daily users in January and February of this year, the platform hit more than 300 million per day in April. Governments around the world, corporations in all sectors, educational institutions – from primary to university – and more, have flocked to video conferencing solutions to conduct their sittings, meetings, and classes. And Zoom has led the way, despite being one of the most recent additions to the video conferencing space.

The platform has come under incredible scrutiny from all angles: citizens, politicians, businesspeople and, crucially, security researchers. Over the last six to eight weeks, a host of issues have been brought to light, causing many to ban Zoom in the workplace. Google, SpaceX, NASA, the US Senate, the Pentagon, and the Taiwanese and German governments have all advised their employees to use different video conferencing solutions for official business. Clearly there have been issues with Zoom, and these have been widely covered by media outlets keen for a story that has nothing to do with the ongoing pandemic.

To its credit, Zoom has acted quickly and responsibly to address newly discovered security flaws, moving to prioritise the safety of its users over ease of use, and readily acknowledging when it has gone wrong. This is relatively unusual in the tech space. All too often, companies seek to lessen the impact of vulnerabilities on their product not by addressing the issues, but by ignoring them or pushing them out of the news. This has sometimes taken the form of intimidating researchers – as happened when a security audit by MIT researchers of the Voatz voting app revealed several bugs.

The app was used for online voting during the US midterm elections in 2018 and is scheduled to be deployed in the 2020 presidential election. Voatz acknowledged the vulnerabilities, but claimed the researchers were attempting to “disrupt the election process, to sow doubt in the security of our election infrastructure, and to spread fear and confusion.” [1] In 2018, the company reported another researcher to the FBI, claiming that his dynamic analysis of the Voatz backend had, in fact, been a ‘hacking attempt’. Other companies have chosen the ‘ignore it and it will go away’ strategy.

Zoom should be applauded for being open, honest, and active in its bug-fixing process – particularly when it was not just a couple of vulnerabilities that were found; it felt like two or three every week, from the beginning of March to late April.

It is one thing dealing with one or two vulnerabilities in a product that is being used by a small section of society or not generally going to make headlines. It is another thing entirely to have problems made public when your product becomes inter-sectoral, intergenerational, and international almost overnight.

The issues were as diverse as they were numerous, including thousands of recorded Zoom meetings being exposed on the internet without any password protection, and certain meetings held by non-Chinese Zoom users being routed through systems in China. In early April, the company admitted to using less secure encryption than it had claimed to have implemented. Later in the month, two major vulnerabilities were offered for sale on the darknet. They affected Windows and macOS, with the Windows bug offered for $500,000. The flaw was described as “perfect for industrial espionage.” [2] And this is before we’ve even mentioned ‘Zoom-bombing’.

For most, Zoom-bombing would not have meant anything before March 2020. With Zoom’s growth, however, and its consistent coverage in the western media, the phenomenon of Zoom-bombing became a hot topic of conversation around the water cooler – virtually, of course. Zoom-bombing sees an uninvited user break into and disrupt group chats after guessing the unique nine- to eleven-digit meeting ID that each Zoom meeting is assigned. Whilst it would take a long time to guess a specific meeting ID, there is nothing stopping malicious actors from simply guessing a number and seeing if it works.

Prominent Zoom-bombing attacks have included a virtual Holocaust memorial service held by the Israeli Embassy in Germany which was Zoom-bombed with anti-Semitic slogans and photos of Adolf Hitler; and a US House Oversight Committee meeting on women’s rights in Afghanistan which was disrupted at least three times. Narcotics Anonymous and Alcoholics Anonymous have also been repeatedly targeted; pornographic images have been displayed in school Zoom classrooms.

At the beginning of April, a tool was revealed that could automate the guessing of meeting IDs. zWarDial was created by researchers to demonstrate a flaw in Zoom’s attempts to stop automated scanning, and it gives threat actors the ability to find non-password-protected Zoom meetings. Incredibly, the creators said that “multiple instances of [zWarDial] running in parallel could probably discover most of the open Zoom meetings on any given day.” [3]

The company has made several changes in the last two months to protect its users. Zoom 5.0 was released on 27 April as part of a 90-day plan to improve security and privacy on the platform. [4] Zoom 5.0 will default users to a “waiting room” feature, which requires participants to be approved to enter a meeting; all meetings will now require a password to enter; AES-256 GCM encryption has finally been added. Are the bugs outlined above specific to Zoom? Or will issues like these have affected other similar products early in their development?

There are numerous video conferencing solutions, many of which have existed for far longer than Zoom. Skype, for example, was once the preeminent player in the field. It was used for business and pleasure alike. But a lack of care from Microsoft – which bought Skype for $8.5 billion in 2011 – coupled with the rise of other forms of communication such as WhatsApp, made Skype less popular in recent years, except among Microsoft users. In 2020, there is a wealth of other options – Cisco Webex, Slack (via Skype integration), GoToMeeting, Google Meet, and more. Are there problems with these video conferencing platforms, too? The answer is a resounding ‘yes’.

In mid-March, Cisco released two patches for serious vulnerabilities in Webex, the “leading enterprise solution for video conferencing”, according to the company. Both issues stemmed from the Webex recording facility and could have allowed a malicious actor to execute code remotely with the same privileges as the user. Remote code execution bugs are at the scarier end of the threat scale because, as the name suggests, they do not require physical access to a device for an attack to be successful.

Earlier this year, another high severity vulnerability in Webex could have allowed an unauthorised user to access password-protected meetings. This bug is perhaps most pertinent to the criticism that Zoom has been receiving. Zoom-bombing can have upsetting, offensive, or revealing consequences. Most users would assume that implementing a password requirement for meetings would keep them safe. But in the case of the Webex vulnerability, even password-protected meetings were at risk if the threat actor knew the meeting ID. This issue was fixed in a timely manner by Cisco but was barely covered in any press and is unlikely to have affected the uptake of the product by prospective customers or to have negatively impacted Cisco’s reputation. Compare this to the hundreds of pieces on Zoom-bombing that a cursory Google search throws up and the imbalance is clear.

A critical vulnerability was revealed in Slack in mid-March whereby an attacker could automate the takeover of accounts to gain full control of them, facilitating data theft. This issue was patched 24 hours after its discovery. Last December, vulnerabilities were reported in GoToMeeting that allowed attackers to “insert their own code into a given program, pose as genuine users or crash a given program.” [4] These bugs, too, were addressed swiftly. In neither case was there a significant amount of publicity. This is not because they were any less severe than the issues affecting Zoom. It stems instead from the fact that the programs were not in the public consciousness to an extent that it would have been worthwhile for the media to cover them.

In the development of any piece of software, coding mistakes are made that could endanger users. These are frequently found in testing or beta builds that are released to a smaller audience with a view to overcoming any initial teething problems before the main rollout. Since the beginning of March, however, we have seen a process that normally takes months or longer happen in just a few weeks. In Zoom’s case, its ability to scale up quickly was a significant problem, and its emphasis on ease of use left its users open to abuse.

There are alternatives to Zoom, all of which do fundamentally the same thing and, for casual users and businesses alike, will allow them to see their friends or colleagues. These platforms have all faced similar issues in development but were able to fix them on a normal timeline without the glare of the media and governments around the world. That Zoom has managed to remedy many of the concerning flaws so quickly is unusual; that there were problems in the platform to begin with is not.