Practically overnight, the nation’s populace went from normal, everyday routine to remote work to address the coronavirus pandemic. To stay in touch with coworkers, colleagues, friends and students, more people started relying on Zoom for video-teleconferencing (VTC). Zoom is popular for its ease-of-use and features. It continues to offer a robust free offering. But over the past several weeks, concerns over security has brought Zoom a lot of unwanted attention. The heightened use has uncovered a number of privacy issues around encryption, its data sharing with Facebook and a new form of harassment that entails intercepting Zoom meetings. Zoom issued a public statement to address the growing concerns.
Zoom Unprepared to Handle Security Issues From Widespread Use
Compared to December of last year, the number of customers using Zoom for daily meetings is is up significantly – from 10 million to 200 million users (free and paid). With the upsurge, security risks mounted. Zoom understated the amount of security measures needed to accommodate everyone working, learning and socializing from home.
Zoom’s stance is that the platform was designed for enterprise use, with an understanding that larger institutions using the application have the IT resources to ensure secure use. According to a statement Zoom published on its blog, the broader set of users is tapping into Zoom’s functionality in “unexpected ways,” paving the way for new challenges that the company did not anticipate.
Zoombombing the Latest Cyber Threat to Hit the Nation
One unforeseen complication, known as “Zoombombing,” occurs when a malicious actor hijacks Zoom meetings and bombards it with offensive content, such as hate speech, inappropriate images and videos, or worse. For example, trolls have Zoombombed Alcoholics Anonymous (AA) meetings, leveraging Zoom’s GIF feature to display images of people drinking. Organizations such as AA rely on the community and confidentiality to prevent the isolationism that alcoholism can inflict.
Zoombombing has become such an alarming VTC threat that the FBI, after receiving numerous notifications of disruptions, issued a statement warning Zoom users. While some might seem like offensive jokes, others are placing the privacy of targets at risk. Take for instance, a Massachusetts high school teacher who, while conducting an online class, was Zoombombed. The assailant screamed a profanity and then shouted the teacher’s home address, making the prank all at once a harassment and privacy issue.
Zoom also received scrutiny for not being clear on the level of encryption it offers customers. The company used the term “end-to-end” to describe its encryption. This may be true for all participants who are using Zoom clients, where the meeting is not being recorded. In these instances, all video, audio, screen sharing and chat content is encrypted, and won’t be decrypted until it hits the recipient clients. Zoom’s encryption does not apply to devices that aren’t using Zoom’s communication protocol, such as telephone.
Fallout From Zoom Security Issues
Zoom’s stock shares have seen a decrease since a record high of $159.56 on March 23, with a drastic drop to $111.41 on April 7, before starting to climb again. According to Reuters, Zoom has lost approximately a third of its market share. A shareholder has also entered a class action lawsuit against the company for overstating its privacy standards and failing to be accurate about its end-to-end encryption.
Increasingly, organizations have made the swift decision to deny Zoom use for VTC, stating that the application does not fulfill IT security requirements for third-party tools. School districts, including the NYC Department of Education (DOE) are banning Zoom for remote teaching. The NYC DOE is opting to go instead with Microsoft Teams.
Zoom has also come under scrutiny of New York Attorney General Letitia James, who inquired what Zoom is doing to protect all the additional users from security threats. Letitia demanded that Zoom take action to ensure customer privacy and security is protected.
How Zoom is Responding to Security Challenges
Zoom’s founder CEO issued a public apology for being unprepared to manage security issues related to a a drastic increase in application use. “ … we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.” Zoom publicly denounced Zoombombing and posted a blog post with tips on keeping uninvited guests out of your Zoom event. Advice includes not using your Personal Meeting ID for public events, and using the Meeting Room – a virtual space for guests to wait until the meeting host arrives.
Zoom Removes Facebook Login Feature Due to Privacy Issues
Zoom used Facebook’s Software Development Kit (SDK) to enable users to login with their Facebook credentials. As a policy, Zoom does not collect device information unless it is required for the application to work. But on March 25, Zoom learned that Zoom was collecting superfluous information such as:
- Mobile OS type and version
- IP address
- Device time zone
- Device model and carrier
- Screen size, CPU cores and disk space
Zoom has since removed the Facebook SDK from their iOS client. Customers can still login via Facebook through their web browsers.
Strict Security Policy for K-12 Users
The company has implemented strict “guardrails” to ensure the safety, privacy and security of K-12 students who use Zoom for education. The policy is tailored to enforce their compliance with the Children’s Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the Federal Education Rights and Privacy Act (FERPA), among other laws. Educational subscriptions notwithstanding, Zoom prohibits any child under the age of 16 from registering for their own accounts.
Precautions to Take When Using Zoom
The FBI has issued a set of safety measures to ensure your privacy is not violated, which includes to:
- Make Zoom meetings private and closed to the public. Zoom features a meeting password requirement and control of the participant guest list.
- Limit the sharing of links to the requested attendees and do not share the link publicly via social media. If you must share the link, make sure it goes to private, restricted groups.
- Only allow certain people to use the screensharing option by changing the Zoom feature to “Host Only.”
- Keep your Zoom application updated. On April 2, Zoom released an updated to prevent malicious actors with local access from tampering with the Zoom installer (to increase privileges); also, from accessing a user’s webcam and microphone. The update also introduced a bug fix that would grant unauthorized webinar chat when the feature is disabled. Additional security updates are on the way.
Threat Modeling Facilitates Organizations to Account for Their Expanded Attack Surface
Exponential growth is a good problem to have as it introduces application adoption on a large scale. However, security should not be a blocker in order for an organization to succeed in growth. Threat modeling empowers organizations to meet physical and digital security needs. The process can help companies such as Zoom to get a handle on the requirements needed to not only ensure secure VTC, but also to scale across an organization when usage increases.
Enterprises unprepared for a global pandemic must account for the expanded attack surface of work-from-home employees. When employees are using applications such as Zoom, they can be proactively secure by understanding the nature of threats, such as Zoombombing, communicated from IT. Then, adhere to policy guidelines for security. ThreatModeler can help companies that are using Zoom to secure their IT stack for rapid adoption by consumers as early as the design stages.
Companies Like Zoom Can Leverage ThreatModeler to Secure Their Platforms
“Collaboration and communication tools such as Zoom are, at heart, web apps running over HTTP,” says Alex Bauert, Senior Director of Threat Research at ThreatModeler. “Making use of web technology, Zoom has the same kinds of exposures any other web app has. Zoom can go in and threat model their IT architecture to harden the platform.”
Alex believes that Zoom can threat model not only the security of their product, but also its delivery through the servers Zoom controls, over to the environment that supports all of these activities happening that we log in to. “Threat model the client and service, plus the environment that’s providing it over their network,” he asserts. “They should be threat modeling the entire stack.”
ThreatModeler Serves As a Practical Way to Communicate Security Issues Across the Enterprise
ThreatModeler is the only platform that introduces automation to help security architects, developers and C-Suite managers to clearly understand and articulate their security posture for a highly collaborative user experience. ThreatModeler introduced drag and drop functionality to easily build threat models. Through its bidirectional CI/CD toolchain integration with Jira, users can assign issue tickets and receive updates when an IT ticket is closed. Armed with a report that provides filterable findings, teams can present the threat model, security requirements and controls to CISOs so they can make critical business decisions with non-technical C-Suite colleagues who need to understand the big picture on their organization’s security.