Hacked videoconferences lead some users to drop star provider
The coronavirus pandemic has dramatically changed the lives of people around the world. It has changed how we socialize, where and how we shop, the way we teach and study, the way we provide and receive customer service, and the way companies, organizations and institutions of higher education are run.
The use of Zoom and other digital communications platforms, such as Microsoft Teams and Google Meet, has skyrocketed and become popular with companies, politicians, employees and millions of individuals who have found themselves forced to work from home.
As for Zoom, it has suddenly become synonymous with videoconferencing.
Daily meeting participants on the platform surged from 10 million in December to 200 million in March. Yet Zoom has faced security and privacy concerns as users across the world are “zoombombed.”
These so-called Zoom raids – unwanted intrusions – are characterized by profane images posted during videoconferences, and racist and anti-Semitic illustrations drawn with a writing tool across slides. These severe breaches of privacy have led to a wave of bans.
Singapore banned the platform’s use at schools following the posting of obscene images. The UK Ministry of Defence banned it due to security concerns. The US Senate and the Pentagon have also banned its use. Last week, schools in New York City were told they could not use it for distance learning. Google has banned its use on employees’ work-sanctioned laptops.
The security breaches discovered in Zoom triggered lawsuits against the company. One investor filed a class-action suit, saying the publicity concerning the app’s security flaws had lowered the company’s stock price.
According to Oleg Brodt, R&D director of Deutsche Telekom Innovation Labs Israel, Zoom is a relatively new company focused on creating a simple, user-friendly videoconferencing app. But this simplicity came at a cost: the developers optimized for usability while overlooking user security, and that created security vulnerabilities.
Brodt shared with The Media Line some of the security breaches discovered over the past few weeks:
End-to-end encryption is intended to ensure that only the parties on a conference call can read its content. The feature is on by default in popular messaging apps such as WhatsApp. Zoom’s claim to employ end-to-end encryption was discovered to be misleading just about a week ago. Zoom’s credibility was also undermined when it was discovered to have shared user data with Facebook regardless of whether a user had a Facebook profile.
Upon installing the Zoom app, a local web server belonging to the Zoom client is installed as well. Not only is the server active in the background while the Zoom app is used, but it continues to run even after the app is uninstalled from the customer’s computer. The lingering server exposes users to cyberattacks.
Successful attacks enable hackers to take control of users’ computers and turn the webcam on, thereby compromising their privacy. Jonathan Leitschuh, a security researcher, brought the issue to the attention of Zoom back in March 2019.
Leitschuh gave the company 90 days to fix the bug before he went public with it. This is common practice in the cybersecurity industry. Zoom attempted to shrug off Leitschuh’s claim of a security vulnerability. “Approximately two weeks following the expiration of the 90-day deadline, the security breach was made public as Zoom failed to resolve the discovered security breach,” Brodt said.
He said the security breaches found in Facebook were not as serious as the ones discovered in Zoom. Back in April 2019, a security researcher discovered that Facebook misused user data. However, the Facebook app did not expose users to cyberattacks in which hackers could gain control of their computers.
Will the recently discovered security vulnerabilities take a bite out of Zoom’s user base? Experts seem to be divided over the question. According to Brodt, this is unlikely to occur.
Zoom has come to realize that it cannot afford to sacrifice security for the sake of usability, but rather must balance the two.
However, Dr. Lior Solomovich, an expert on information and communications technology at Kaye College in Beersheba, said, “Zoom claims that user privacy is its top priority and the reason it allowed users to access Zoom through their Facebook account was solely for their convenience. It also claims it wasn’t aware of the fact that Facebook was using its users’ data. Nonetheless, the public seems to be skeptical of Zoom’s claims and seems to believe that the sharing of data was intentional.”
While it is still unclear how individual users will react to the latest breaches of privacy, the app updates outlined below, together with a 90-day plan laid out by Zoom to make its software a “security- and privacy-first product,” appear to have soothed the concerns of government bodies. Bans imposed on the use of the platform are slowly being lifted. According to a report published in The Straits Times on April 13, Singapore’s Ministry of Education has withdrawn the ban on the use of Zoom by schools across the country.
In Israeli higher education, Zoom remains the preferred platform for both individuals and institutions. In an attempt to address the public’s concerns, Zoom recently introduced a number of upgrades designed to strengthen the platform’s security and privacy features.
The Media Line reached out to Zoom, but the company was not available for comment.
Zoom now has an option that puts its in-meeting security controls in one place. The meeting ID no longer appears in the title bar of the meeting window. The feature that enabled notifications to be sent to the host via email while participants were waiting for the host to join the meeting has been disabled.
The attendee attention tracker feature has been removed. Third-party file transfers in Meeting and Chat are temporarily disabled. The Waiting Room function is now on by default, so hosts must admit their guests into a meeting manually; this is to prevent zoombombers from unexpectedly breaking in.
Brodt said users needed to become more digitally responsible. In other words, they need to take data security more seriously and protect their digital property (files, pictures, videos, etc.) just as they would protect physical assets such as a smartphone, car or wallet.
He advises users to choose well-established platforms. The longer a product is on the market, the safer it is likely to be, he said.
“If a product (app) is free, then you’re the product,” Brodt added.
In other words, if an app provider is not getting revenue directly from subscription fees or paid downloads, it is probably reselling or commercializing user data. Unfortunately, however, paying a subscription fee is no guarantee that a company will not resell and commercialize user data.
According to a report in Forbes, in the summer of 2018 the data of Verizon subscribers were resold and commercialized even though those subscribers were paying a subscription fee in excess of $100.