Zoom’s Security Issues Explained

Over the last few days, many news agencies and outlets have published pieces that raise concerns about whether or not Zoom is safe for use particularly highlighting specifically:

Lack of end-to-end encryption

Zoom has claimed that it does not have access to data or keys, which it does. While Zoom should not have made this claim, it is an unreasonable ask of a system that includes calls or recordings of calls. There are only a few systems that support end-to-end encryption in general.

Vulnerabilities that put users at risk

White-hat hackers identified localized vulnerabilities that, in order to be successfully exploited, require that malware or an attacker to already have a foothold on a macOS system. Instead of disclosing these vulnerabilities to the Zoom directly, according to the industry standard Responsible Disclosure Procedure, they disclosed them to media outlets.

Zoombombing

Not a security issue, but rather a behavioral issue in which zoom attendees display content not authorized by the meeting host or act in a way that disrupts the meeting. This typically occurs in Zoom meetings where the general public is invited.

There’s No Need to Panic

Due to the expanding popularity of the platform, there have been a lot more security researchers looking at it and new users making poor privacy choices (see ZoomBombing). In security news as well as the main-stream news, click-bait, and panic reign supreme.

There’s no need to panic about the security and privacy of a platform that businesses have used for years. The security and privacy issues are not critical by industry standards and have largely already been remediated. As well, Zoom has already taken action in pushing updates to active users that solve the issues identified over the last week.

In general, Zoom is par for the course from a security perspective. Keep using it as you keep using the Apple, Microsoft, Google or another open-source operating system that you are working on. All of these platforms have had high-risk or critical security vulnerabilities patched in the last few months.

These Security Concerns Are No Different Than Those Raised About Other Popular SaaS Apps

Overall, Zoom has good corporate-grade security controls in place, including internal and external security testing. Similar to every other software system, there will be vulnerabilities found and they will be addressed. Every major software platform has regular security disclosures and patching.

Public vulnerabilities are disclosed via standard CVE (Common Disclosures and Vulnerabilities) disclosures and then patched or mitigated. More than 10,000 of these vulnerabilities were published in 2019 alone. Zoom has had its fair share of vulnerabilities over time, as has Cisco Webex and other conference platforms.

Vulnerability discovery and patching is a way of life for all software systems. As more people look at a system in different more creative ways, new ways of finding bugs are discovered.

My Take on Zoom’s Response

While there were some issues with Zoom’s response time in patching a flaw on the Mac version of zoom in mid-2019, their response to these recent vulnerabilities has been excellent in my opinion. Their blog post on the issue from yesterday (4/1/2020) is excellent in that it addresses each of the issues and the next steps. Zoom has openly stated that they will freeze all new features in order to focus on security and privacy in their “What we are going to do” section:

“Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment.

However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

…

On April 1, we:

• Published a blog to clarify the facts around encryption on our platform – acknowledging and apologizing for the confusion.
• Removed the attendee attention tracker feature.
• Released fixes for both Mac-related issues raised by Patrick Wardle.
• Released a fix for the UNC link issue.
• Removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.”

Is there anything you need to do?

There’s nothing you have to do. Zoom has automatically pushed updates, on April 2nd, for most of the technical issues that have been raised in the last few days. When you open Zoom you will see or should have seen a pop up prompting you to upgrade to the latest version – version 4.6.9 (19253.0401) on a Windows Machine and Version 4.6.10 (20041.0408) on a Mac.

Didn’t see the pop-up? Follow these instructions to install the latest version.