With much of the world in lockdown, and many people working from home, video-conferencing tools have become essential to hold meetings, and to chat with family. There are a number of such tools, but one, Zoom, has suddenly become the go-to app for hundreds of millions of people.
Yet Zoom has recently been found to have had numerous security and privacy issues, and this platform is now seen as a risk by many governments and companies. In this article, I’ll look at the many issues plaguing Zoom, so you can decide if you want to host or participate in calls using the service, and what precautions you can take.
What is Zoom?
Zoom is an audio- and video-conferencing tool that is available on multiple platforms. You can get apps for Mac, Windows, iOS, and Android, extensions for web browsers, and even an add-in for Microsoft Outlook.
In 2020, the idea of Internet-based video meetings is by no means revolutionary; Skype, now owned by Microsoft, has been around since 2003. Apple’s FaceTime was released in 2010. Google has its Hangouts—or is it Google Meet? or Google Hangouts Meet?—this service has been rebranded so many times it’s hard to keep track. And there are plenty of other apps and services you can use for both audio and video conferences, such as GoToMeeting, RingCentral, and WebEx, just to name a few.
Zoom has one advantage: users don’t need to create accounts to use it. To use Skype, you need to set up an account, and you need to know the user names for each person you want to invite on a call. FaceTime only works with Apple devices, and, as with Skype, you need to manually add each person to a call or meeting by adding them from your contacts, or, if they’re not in your contacts, by entering their Apple ID email address or phone number.
With Zoom, one person creates an account, sets up a meeting, then sends a link to others. Participants can either download the Zoom app to join the meeting, or do so in their web browser. (Though in my experience, it’s not always possible to join meetings in a browser.) For ease of use, especially among non-tech savvy users, Zoom clearly wins. And, the quality of Zoom calls is generally better than that of Skype or Hangouts; if you’re a regular user of either of these services, you know how annoying they can be.
But recently many privacy and security issues with Zoom have come to light, and it’s also difficult for users to know how to configure the service to make their meetings safe.
Zoom and privacy
Zoom was initially designed for enterprise use, so one would expect that with a client base of large companies, the company would be attentive to privacy. That doesn’t really seem to have been the case, at least from certain perspectives. Zoom meetings can be recorded and saved in the cloud, and the service can even make transcripts of meetings, but users may not be aware of this. And text messages sent during meetings are saved, even if they are not sent to the entire group on the meeting, but only between individuals. So if you say something about your boss to a colleague, your boss can see this message after the meeting is over—and this is not made clear to users before they send a direct message (which one normally assumes to be a private communication between only the two parties).
Zoom also collects a lot of data about users, and, until there was outcry from privacy advocates, the service sent data to Facebook, even if you didn’t have a Facebook account. Zoom still uses third-party trackers to collect data, even though there is no need to do this to run the service.
Zoom and security
Security and privacy go hand in hand, and with Zoom, weaknesses in one area bleed into the other. A number of issues have been discovered with the Zoom app and the way it communicates.
In July 2019, a security researcher discovered that Zoom installed a hidden web server on Macs that launched at login, ran in the background all the time, and allowed the software to enable the webcam on Macs without users’ knowledge. This was so serious that Apple opted to use an emergency malware removal procedure to mass-delete the software from Macs—an unprecedented move by Apple. Zoom has since changed the way the app works on Mac, so this particular issue is no longer a concern in 2020, but it’s worth mentioning that the recently discovered issues are not the first major security problems that have been found in Zoom software.
Zoom has also made claims about its security that are not accurate. The company said that it uses “end-to-end encryption” for its meetings, but this claim is misleading at best. While meetings are encrypted in transit between the end users and the Zoom servers (which is “transport encryption”—comparable to loading a Web page over HTTPS), Zoom has access to the unencrypted video and audio content as it traverses their service, meaning it isn’t actually end-to-end encrypted from user to user. This means that sensitive discussions over video or audio may be accessible to Zoom employees.
The only part of the service that can optionally have true end-to-end encryption enabled is in-meeting text chat—but this functionality must be enabled by whoever manages your organization’s Zoom account—and therefore, as mentioned previously, your seemingly private chat messages may be accessible to your employer without your knowledge or consent.
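To make the distinction drawn above concrete, here is an added illustration (not code from the original article or from Zoom): a small Go model of a relay service that receives messages under per-client transport keys and must decrypt them in the middle, set against a meeting key that only the participants hold. The keys and the message are constructed for the example; the relay and key-distribution details are simplified assumptions, not Zoom's actual protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// gcmFor builds AES-256-GCM for a 32-byte key; a bad key is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return gcm
}

// seal encrypts plaintext and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: fills the slice or crashes the program
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open decrypts; with the wrong key GCM authentication fails and an error is returned.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// RelayTransport models "transport encryption": each client shares a key with the
// service, as with TLS. To forward A's message to B the service decrypts and
// re-encrypts, so it holds the plaintext in the middle, as Zoom's servers can.
func RelayTransport(keyA, keyB, msg []byte) (serviceSaw, delivered []byte) {
	serviceSaw, _ = open(keyA, seal(keyA, msg))
	delivered, _ = open(keyB, seal(keyB, serviceSaw))
	return
}

// RelayE2E models end-to-end encryption: A and B share a meeting key the service
// never holds, so it can only forward bytes it cannot open.
func RelayE2E(meetingKey, serviceKey, msg []byte) (serviceSaw, delivered []byte) {
	fromA := seal(meetingKey, msg)
	serviceSaw, _ = open(serviceKey, fromA) // wrong key: nil, authentication fails
	delivered, _ = open(meetingKey, fromA)
	return
}
```

In the transport model the service obtains the plaintext on every hop; in the end-to-end model its own key fails authentication and it is left holding ciphertext only, which is the property Zoom's "end-to-end" claim implied but its video and audio paths did not provide.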
An issue was discovered where Zoom on Windows could be leveraged to steal user account credentials, which could be used to access shared network resources.
Zoom displayed data from people’s LinkedIn profiles, allowing participants to potentially snoop on others.
A phenomenon called “zoombombing” allowed people to enter meetings they’re not invited to, potentially sharing pornographic or hate images or shouting profanities. This was so serious that the FBI issued a warning to schools.
In the wake of this, a number of international government agencies and organizations have banned the use of Zoom: this includes Google (since they have their own product, this is understandable), SpaceX, NASA, the New York City Department of Education, and the United States Senate, just to name a few.
Zoom and user configuration
Zoom settings can be confusing, and initially, Zoom meetings did not require passwords. This led to zoombombing (see above), and also Zoom “wardialing,” where people would use software to search for active Zoom meetings to crash. Even if they don’t disrupt the meeting, they could listen in on discussions that may be personal, or may contain sensitive business information.
Zoom now requires that meeting organizers use a password by default, so to enter a meeting you need to have both a link and a password. The ability to use passwords was present before, but Zoom’s settings are particularly opaque, and most users didn’t even think of the need to protect their meetings. To understand how to ensure security in Zoom meetings, see the company’s Complete Guide to a Secure Zoom Experience.
Faced with the avalanche of issues around the software, Zoom’s CEO Eric Yuan replied to this criticism in a post on the Zoom blog. It’s obvious that they’re taking these issues seriously, but some of his statements are head-scratchers. He said, “our platform was built primarily for enterprise customers,” and then that,
“…we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
One would think that if Zoom was designed to be an enterprise product, then security and privacy would be extremely important, but this statement almost seems to suggest that security and privacy may not have been a priority for Zoom until after their reputation had been marred.
The company has since addressed and mitigated some of the issues mentioned above, and in a few cases the speed of Zoom’s response was impressive. Nevertheless, the fact that there were so many serious issues, most of which were discovered just days apart from each other, is worrying.
For now, if you’re just using Zoom to keep in touch with family, you don’t need to worry too much; but do make sure your meetings are password protected. However, if you’re in a business that holds highly sensitive meetings over Zoom, you might want to try to find a service that has more of a focus on security and confidentiality (Microsoft Teams is often suggested as an alternative, and there are many others). The recent issues were serious enough for the FBI to issue a warning about the software, and any business that uses Zoom needs to be aware of the risks.
If you use Zoom, be sure to keep your Zoom software updated frequently in the coming months, as new issues are discovered and addressed.
Where can I learn more?
You can hear more about Zoom in episode 129 of the Intego Mac Podcast, and in subsequent episodes, where we discuss the latest revelations about the software.
Subscribe to Intego’s e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple, security, and privacy news.