By now, you have most likely heard of, or used, Zoom, the video conferencing service. Due to the coronavirus pandemic, Zoom has experienced an enormous spike in use over the past few months.
As the world prioritizes remote and virtual communication to manage the risk of COVID-19, Zoom’s user-friendly platform quickly became the popular choice for personal and professional video conferencing.
Unfortunately, that same ease of use seems to have led to a variety of security and privacy issues. Zoom’s platform was designed to be user-friendly first and foremost, which made them a leader in the industry under normal circumstances.
However, we now find ourselves in the remarkably unusual circumstance of a global pandemic. Zoom’s COVID-19 induced user surge exposed the company’s shortcomings regarding user protection.
Zoom does not deserve all the blame in this situation.
The coronavirus emergency has been an unprecedented challenge for all industries. The company could not have predicted the immense increase in demand for their video conferencing solution that happened virtually overnight.
Plus, Zoom has owned up to their security failings, vowing to make the necessary changes to deliver its customers a secure service.
With that being said, the way Zoom’s pre-pandemic infrastructure cracked under the pressure of COVID-19 is still troubling.
The company’s missteps demand an investigation of their privacy practices. Customers deserve to know where the company went wrong so they can make informed decisions about Zoom’s initial transgressions and incoming improvements.
As a result, we have compiled a list of Zoom’s security and privacy issues that were exposed over the last month.
Zoom Security Issues During the Coronavirus Pandemic
1) Zoom Fails To Implement End-to-End Encryption
End-to-end encryption is widely considered to be the most secure way to communicate online.
In short, Zoom’s meeting encryption was less than “end-to-end.” In line with the company’s privacy practices, the video and audio content of a Zoom meeting would remain private from any outsider (i.e. hackers).
However, the company itself had technical access to the unencrypted content of any meeting. Thus, the meetings were not encrypted all the way from one participant to another.
Zoom asserts that they do not collect or sell any user data. The company retains that access to ensure the quality of their service by collecting technical data like IP addresses and device details.
Critics assert that claiming meetings are end-to-end encrypted while Zoom had unencrypted access to meeting content was dishonest.
2) Zoom’s iOS App Sent User Data to Facebook
Though this practice is not uncommon, the concern here was that users were not given proper notice of this data transfer. In response to these findings, Zoom was sued for an alleged illegal disclosure of personal data.
Zoom has since updated its iOS app so that this data is no longer sent to Facebook.
3) Internet Harassers “Zoombomb” Public Zoom Calls
Due to a default setting on Zoom, any meeting participants are free to share their screen. This allows participants to project their desktop view to the entire meeting without the host’s permission.
Also relevant here is the fact that anyone with the link to a public Zoom meeting can join it.
Enter the “Zoombomb,” a disturbing way internet trolls and hackers have exploited Zoom’s relatively lax security protocols.
With the vast increase in Zoom users over the past few months, a burgeoning meeting link trade has emerged online. Internet mischief makers have taken full advantage of these conditions by uncovering public meeting links and crashing Zoom calls.
There have been many reports of internet trolls joining public Zoom meetings and sharing inappropriate graphic content with unsuspecting participants.
Zoombombings quickly became a highly uncomfortable and disruptive hazard for Zoom users trying to connect with loved ones or conduct business meetings.
Zoom has made clear that the hosts of public meetings can prevent Zoombombings by choosing a setting that only allows them to share their screen.
It appears that Zoom was simply unprepared to address the abuse and misuse of their platform that came with the addition of millions of users and a new cultural awareness. The fact that Zoombombing occurred at all suggests that the company’s emphasis on ease of use pre-pandemic may have jeopardized its users’ privacy and safety in the present.
4) Zoom Adds Strangers to Public Contact Lists, Compromising Personal Emails and Profile Pictures
A Zoom feature called “Company Directory” automatically adds users to a public contact list with other users who share the same email address domain.
Note that known and/or popular domains such as Gmail, Outlook, or Yahoo are not included in this feature.
The idea behind the “Company Directory” is a good one. In an ideal scenario, it would conveniently group the Zoom accounts of people working in the same organization.
In a worst case scenario, as we saw earlier this month, total strangers were added to public contact lists because Zoom recognized them as being from the same organization.
The COVID-19 crisis has caused an incredible influx in Zoom users. And we mean incredible. Zoom reported 200 million daily users in March. In December, that number was 10 million.
Imagine the influx of new domains into the “Company Directory”.
As a result, users were added to large contact lists because their personal emails shared the same domain. Not only were email addresses and profile pictures (if a user had uploaded one) made visible to everyone who was automatically added, but users could also video call anyone on the list.
Zoom has since made efforts to prevent users from being grouped by public domains. However, this is a good example of how the company’s infrastructure and privacy practices were overwhelmed by their dramatic increase in users.
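The grouping failure described above comes from treating a short denylist of well-known public providers as if it enumerated every shared mail domain. The following added example (not Zoom’s code; the account list and domains are constructed) contrasts that denylist approach with an allowlist of domains an organization has explicitly verified, which is the assumption this example makes about the hardened design:

```python
from collections import defaultdict

# Constructed sample accounts (not real people). erin and frank are strangers
# who merely share a small ISP's mail domain.
USERS = [
    "alice@acme-corp.example",
    "bob@acme-corp.example",
    "carol@gmail.com",
    "dave@gmail.com",
    "erin@example-isp.net",
    "frank@example-isp.net",
]

# Denylist of well-known public mail providers, as the article describes.
KNOWN_PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def _group(users, keep):
    groups = defaultdict(list)
    for u in users:
        d = domain_of(u)
        if keep(d):
            groups[d].append(u)
    # Only domains with more than one member form a visible contact list.
    return {d: sorted(m) for d, m in groups.items() if len(m) > 1}


def directory_by_denylist(users, public_domains=KNOWN_PUBLIC_DOMAINS):
    """Weak grouping: every shared domain becomes a directory unless it is on
    the denylist. Any public provider the list misses leaks its users."""
    return _group(users, lambda d: d not in public_domains)


def directory_by_verified_domains(users, verified_domains):
    """Hardened grouping (assumed design): only domains an organization has
    claimed and verified with an administrator form a directory."""
    return _group(users, lambda d: d in verified_domains)


def leaked_domains(users, verified_domains):
    """Domains the denylist approach would group although nobody verified them."""
    return set(directory_by_denylist(users)) - set(verified_domains)
```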
5) Zoom Meeting IDs Easily Generated with Hacker Tool
Each Zoom call uses a 9 to 11 digit Meeting ID. If a meeting was not password protected, anyone with a valid Meeting ID could join that Zoom call.
Benevolent hackers exposed how easy it could be for someone to automatically generate possible Meeting IDs with a tool called “zWarDial.”
This particular tool was able to successfully guess the random ID for an average of 110 public Zoom meetings per hour. The creators of “zWarDial” claimed that it had a success rate of about 14%, meaning that each random ID it generated had a 14% chance of being a valid public Meeting ID.
Not only did they reveal the relative ease with which valid Meeting IDs could be generated, they also showed that simply having a valid ID could expose:
- The meeting’s date and time
- The meeting organizer’s name
- Information provided by the meeting organizer regarding topics of discussion
The creators of “zWarDial” built the tool to test the strength of Zoom’s security. Considering the recent surge of Zoombombings, it stands to reason that hackers are using similar tools with malicious intent.
Zoom has updated its password settings so that meetings are better protected.
6) Personal & Business Zoom Video Calls Made Viewable on Open Web For Anyone To See
Zoom users with a paid subscription have the ability to record meetings, which can be saved to the company’s cloud service.
However, if users download these meetings to their personal computer, and then upload them to another open cloud service, those videos could be accessed by anyone on the internet.
It is not uncommon for users to upload Zoom meetings to a non-Zoom cloud service. For example, it can be beneficial for businesses to make past meetings available to employees in this way, or for an educator to upload a lesson to an open cloud service so their students can access it for review.
The problem here is that Zoom names the recorded meetings in an identical way. If the host uploads a meeting to an unprotected cloud service without changing the name of the file, anyone can search, download and watch it.
As a result, thousands of Zoom calls ended up on the open web, viewable to anyone who was aware of the way the company names the files.
Reports of intimate and confidential meetings and information being exposed online are quite concerning. The exposed recordings include:
- Private therapy sessions
- Business meetings
- Company financial statements
- Elementary school online class sessions (exposing personal information, voices and faces of children)
In many cases, those that hosted or participated in such meetings did not find out that their Zoom calls could be seen online until after the fact. At best, this came as a surprise. At worst, it presented legitimate professional or personal risk.
This seems to be another instance where Zoom prioritized user-friendliness ahead of comprehensive security measures.
Other video conferencing services require users to choose a unique file name before saving a recording to avoid the issue we are seeing here.
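The remedy the article attributes to other services, a unique name per recording, can be enforced before a file ever reaches shared storage. This added example (not Zoom’s code) flags files that still carry a predictable default name and replaces them with a random token that preserves only the extension; the default pattern `zoom_<n>.mp4` is an assumption for illustration, since the article only says recordings are named identically:

```python
import re
import secrets
from pathlib import PurePath

# Assumed default naming pattern, used only to illustrate the problem; the
# article states that recordings are named "in an identical way" without
# giving the exact name.
DEFAULT_NAME_PATTERN = re.compile(r"^zoom_\d+\.(mp4|m4a)$", re.IGNORECASE)


def is_guessable_name(filename):
    """True when the file still has the predictable default name, which lets
    anyone searching an open storage service enumerate recordings."""
    return DEFAULT_NAME_PATTERN.match(PurePath(filename).name) is not None


def unguessable_name(filename, token_bytes=16):
    """Build a replacement name from a random URL-safe token (128 bits by
    default). Only the extension is kept, so the name carries no meeting
    metadata that could be searched for."""
    ext = PurePath(filename).suffix.lower()
    return f"recording-{secrets.token_urlsafe(token_bytes)}{ext}"


def prepare_for_upload(filenames):
    """Map each local recording to the name it should be uploaded under:
    predictable names are replaced, names the host already chose are kept."""
    return {
        f: (unguessable_name(f) if is_guessable_name(f) else PurePath(f).name)
        for f in filenames
    }
```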
7) Data-Mining Feature Revealed Users’ Data From LinkedIn Profiles
This problem had to do with the LinkedIn service, LinkedIn Sales Navigator.
If a Zoom user was subscribed to the service, a LinkedIn icon would appear next to the names of other participants in the Zoom meeting. With a simple click, these users could view LinkedIn profile information such as job titles, location data and employer names. The other participants were not asked permission, or notified at all.
This was due to the fact that when participants signed in to a Zoom meeting, the platform automatically collected their name and email address so it could attempt to match and link their LinkedIn profile.
Critics were concerned by this additional instance where Zoom failed to properly notify its users how their personal information was being handled.
After this was revealed by The New York Times, Zoom permanently removed the LinkedIn Sales Navigator app, citing, “…unnecessary data disclosure by the feature.”
8) Hackers Post Zoom Accounts on the Dark Web
Sixgill, a cybersecurity firm, found that 352 Zoom accounts had been compromised and posted on the dark web. The links to these Zoom accounts revealed the following information:
- Email addresses
- Zoom meeting IDs
- Host names
- Type of Zoom account
Sixgill notes that most of the accounts were personal, but a major US healthcare provider, several educational institutions and a small business were also included.
It appears that the hacker who posted the accounts and those who interacted with the link were interested in trolling and making mischief rather than profiting off the stolen data.
However, the credentials available in these links could also be used for malicious purposes, such as corporate spying or identity theft.
Should I Still Use Zoom?
That is a decision that is ultimately up to you.
Earlier this month, Zoom’s CEO announced that the company had frozen all work on new features for 90 days so it could address its current privacy issues.
Considering the abundance of scrutiny placed on Zoom in the past few months, it stands to reason that the company will be a very secure and transparent video conferencing solution in the near future.
In order to win the world’s trust back, Zoom will need to redesign its platform with exemplary security and privacy standards.
If you plan on using or continuing with Zoom, make sure you are informed about how to secure your meetings.
If you are concerned with the way that Zoom was handling their users’ privacy before COVID-19 exposed their shortcomings, we may have an alternative that would interest you.
Critics of Zoom argue that the company favored business growth over user protection.
Perhaps a more sympathetic interpretation is that Zoom never expected, or prepared, to be the hub of socialization it has become.
Zoom launched its platform in 2012, originally designed to support business communications. In a way, this explains their current shortcomings – a lack of experience in putting sufficient practices in place and a lack of infrastructure to accommodate the massive increase in users.
In addition to powerful tech, Sigmund Software also knows software security. Seriously – “security” could be our middle name.
We protect private health information by trade, which is some of the most sensitive data on the internet. As an EHR company, we are responsible for transmitting huge amounts of personal data securely and efficiently.
For starters, Sigmund has complied with HIPAA’s stringent security protocols for the last two decades. But we have worked hard over the years to keep our privacy measures current and innovative in other ways, too.
As a result, AURA TeleHealth benefits from the fruits of our security labor. Frankly, we wouldn’t release the feature if we didn’t feel it was up to our high company standards. We are proud to offer our customers a video conferencing solution they can trust during this time.
If you would like to see what AURA TeleHealth can offer your business, we would love to talk to you about it.