Is Zoom Video Conferencing Secure?

Diving into Zoom, its Founder Eric Yuan, and plans to combat security challenges at scale

Published: April 7, 2020

Ian Taylor Editor

Since the world came to a virtual standstill nearly three weeks ago due to forced home-quarantine aimed at fighting the spread of the novel Coronavirus, video conferencing has entered the mainstream. A host of security concerns have since been unearthed, including ones that tied Zoom up with a lawsuit by the New York Attorney General, which accuses Zoom of illegally sharing personal data with Facebook.

Photo Credit: Reuters
Eric Yuan – Photo: Forbes

There are a host of other security concerns associated with video conferencing systems, though. We have to take into account human error, and the blunders Zoom users will make whilst learning the software, namely the tens of millions of new users who’ve signed on in the past few weeks.

Now that the technology is more widely used outside of an enterprise setting, for hosting official government and executive meetings where security and financial conversations transpire, a lot of people who never worked with such software have some catching up to do. The fact of the matter is, individuals, companies, and government entities now depend on the robustness and security of video conferencing software like Zoom to manage ‘business as usual.’ For these users, security is taken more seriously, but one could argue that most users operate based on assumptions.

That is to say, it is a given that video conferencing systems are secure, right? Many of the vendors producing video conferencing software and hardware are learning of the shortcomings of systems that have entered the mainstream as millions work from home, with VCaaS companies seeing record-breaking usage figures in the wake of the virus. One Zoom user recently told BuzzFeed News that, whilst she was waiting for a meeting to start, dozens of unknown people popped up out of nowhere, shouting bigoted slurs at her.

The broader social media community has dubbed this ‘Zoombombing’, and the FBI has gotten involved at this point, but not in an official capacity. It said it is offering tips on securing online meetings, adding: “The FBI’s received various reports of conferences disrupted by pornographic, hate images, and/or threatening language.” Many posts displaying ‘Zoombombing’ in action have circulated on social media. The phenomenon even made an appearance during online courses held by universities, adding students to the list of targets.

It was also social media that last week exposed a human error that could mean unwanted visitors in virtual government cabinet meetings. Great Britain’s Prime Minister, Boris Johnson, recently led a cabinet meeting using Zoom. There is photo evidence to showcase the historic moment: Great Britain’s first Cabinet meeting held online. One puzzling bit, though: the photo revealed the meeting ID, which would, in theory, allow anyone who saw it to access the confidential meeting.

Photo Credit: Reuters

According to BrandShield, over 2000 new phishing domains were set up in the past month, the majority (67 percent) created in March. The sites try to install malware on user devices, steal money, and intrude on private Zoom calls. All this prompted many to ask: are video conferencing tools like Zoom secure? It also led a host of companies to effectively ban Zoom company-wide, including SpaceX, whose founder, Elon Musk, told employees they could no longer use Zoom.

Late last month, Zoom ran into another problem: its Windows client was exposed to UNC path injection in the client’s chat feature. The flaw could have let attackers obtain the Windows credentials of users who clicked on a link. Zoom has since corrected it.
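
A defensive sketch of the kind of check that addresses the chat flaw described above, added here as an example and not Zoom's code: a chat renderer that makes only http/https URLs clickable and flags UNC-style paths instead of linking them. The function name, the regular expressions and the sample message are assumptions constructed for illustration.

```python
import html
import re

# Tokens that point at a remote Windows share: \\host\share, //host/share
# (Windows accepts forward slashes too) and file://host/share. The lookbehind
# stops the "//" inside "https://..." from being mistaken for a UNC prefix.
UNC_RE = re.compile(r"(?<![:\w/\\])[\\/]{2}[^\s\\/]+[\\/]\S*|\bfile://[^\s/]\S*",
                    re.IGNORECASE)
# The only scheme family this renderer is willing to make clickable.
WEB_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def render_chat_message(text):
    """Return (safe_html, flagged_paths) for one chat message.

    UNC-style tokens are shown as inert text and reported, because opening
    one makes Windows try to authenticate to the remote server.
    """
    flagged, out = [], []
    for token in re.split(r"(\s+)", text):  # keep whitespace between tokens
        if UNC_RE.search(token):
            flagged.append(token)
            out.append("<code>" + html.escape(token) + "</code>")
        elif WEB_RE.fullmatch(token):
            url = html.escape(token, quote=True)
            out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        else:
            out.append(html.escape(token))  # plain text, markup neutralised
    return "".join(out), flagged


if __name__ == "__main__":
    # Constructed sample message; the hosts are placeholders.
    sample = r"slides: \\files.example.test\share\deck.pptx or https://meet.example.test/j/1"
    rendered, flagged = render_chat_message(sample)
    print(rendered)
    print("flagged:", flagged)
```

The flagged list can feed a warning banner or a detection log, so that remote-share paths arriving over chat are visible to the user and to defenders.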

Now, let’s take a look at the man who started it all, Zoom’s founder, Eric Yuan. Yuan is number 192 on Bloomberg’s Billionaire Index. Before 2020, Yuan wasn’t on the list. Today, his net worth is 7.5 billion dollars. Yuan is the Chinese-American mastermind behind Zoom Video Communications, and a veteran of Webex, a company eventually acquired by Cisco Systems in 2007. During his tenure at Cisco Systems, Yuan worked his way up to VP of Engineering before founding Zoom.

In 2019, former UC Today Presenter, Patrick Watson, sat down with Yuan in California. Yuan came off as a genuine chap who appreciates the joy of his employees, as he put it. You receive a glimpse into his leadership style as well as Zoom’s culture. He’s the kind of guy who said he’d rather be a dog if he could be any animal, because “Dogs are loyal.”

UC Today’s news crew also traveled to Silicon Valley for an extended interview last year, shortly after Zoom made its initial public offering (IPO). The interview reveals Yuan as an inspiring and down-to-earth leader. At least, that’s the feeling I had after watching our in-depth interview with the man who, four months into 2020, made a reported three-and-a-half billion dollars.

Yuan has developed the $35 billion video conferencing empire in nine years, and the 49-year-old has a net worth that’s surged 112 percent during the past three months to over 7.5 billion dollars, according to Business Insider. This year and last year were transcendent for Zoom, a company with a history of security vulnerabilities.

Late last week, Yuan issued what seemed like a heartfelt apology in a company blog post, addressing Zoom’s lapses in security. In the statement, Yuan said Zoom takes security seriously and outlined a timeline for when the company would fix its shortcomings.

On Saturday, April 4, 2020, Zoom faced more scrutiny for security concerns when researchers at Citizen Lab reported that some Zoom calls were routed through China. Some calls, along with encryption keys from calls made in North America, got routed to China. Zoom said this was an attempt at accommodating the company’s now 200 million users per day (March 2020). This is up from 10 million in December 2019. Offering up an explanation of why and how this happened, Yuan told TechCrunch:

“During normal operations, Zoom clients attempt to connect to a series of primary data centers in or near a user’s region, and if those many connection attempts fail due to network congestion or other issues, clients will reach out to two secondary data centers off of a list of several secondary data centers as a potential backup bridge to the Zoom platform”

“In all instances, Zoom clients have a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress,” he continued. Yuan added: “Over the next 90 days, we’re committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.” He said this includes taking creative measures to ensure fewer security breaches in the future, including the following:

  • Enacting a feature freeze, effective immediately, and shifting all engineering resources to focus on its biggest trust, safety, and privacy issues
  • Conducting a ‘comprehensive review’ with third-party experts and representative users to understand and ensure the security of all new Zoom consumers and their use cases
  • Preparing a transparency report that details information related to requests for data, records, or content
  • Enhancing Zoom’s current bug bounty program
  • Launching a CISO council in partnership with CISOs from across the industry to facilitate a dialogue on security and privacy best practices
  • Engaging a series of simultaneous white box penetration tests to further identify and address issues
  • Starting this week, Yuan will host a weekly webinar on Wednesdays at 10 am PT to provide privacy and security updates for Zoom users

All this implies Zoom hopes to maintain the trust of the now 200 million users worldwide who use Zoom daily. Yuan further shared that Zoom offers training sessions and tutorials, along with free and interactive daily webinars for users. “We have proactively sent out many of these resources to help familiarize users with Zoom including training and tutorial webinars, live daily demos upcoming webinars, video training, webinar sign-ups for various platform training, we are also taking several steps to minimize customer support wait times,” Yuan added.

During a virtual chat about the future of work with Cisco Collaboration, CMO Aruna Ravichandra and industry analysts Zeus Kerravala and Dave Michels touched on security and privacy. Kerravala made a valuable point about security, stating that, from a company perspective, managing a distributed workforce can be a challenge. It is not impossible, though. “It is tough to manage security when you’ve got the hard shell around your perimeter, now that the perimeter is everywhere, enterprises have to reconsider the tools they use.” He added that tools with multi-factor authentication enable simple passwords while maintaining high levels of security.

VPNs are another part of the story, and they only (partially) do the job; cloud tools have higher levels of security in most cases, according to Michels. The analyst, best known for TalkingPointz, went on to say that cloud-based video conferencing and collaboration tools work the same whether you’re at work or at home, and extend that security to the devices they are on.

“Where a lot of companies get into trouble is when their VPN infrastructure is not built to scale and enable all users to access it at once”

This could cause lag and lead to a lot of other issues for workers if your systems are not built to scale. Michels also said BYOD (bring your own device) is another potential point of entry for intruders, one that’s left companies scrambling to outfit employees with devices they have better visibility into. “These are the things that seem to cause gridlock in the push for work from home.”

William MacDonald, CTO, StarLeaf, told UC Today that security works two ways, and users have to be wise about what they share online. He offered some guidance on how to avoid mistakes that could expose companies to intruders, telling me: “With video conferencing tools, users have to be aware of both what is around, as well as any on-screen information. Much like telephone conferencing, video meeting IDs are a sensitive piece of information that allows anyone with access to the ID to enter the meeting.”

William MacDonald

There is a built-in safeguard for users. “By default,” he added, “Video conferencing services that allow users to lock meetings, have an advantage here.” Such systems let meeting hosts stop unwanted participants from joining Zoom calls. He presented another complexity: remote working. Today, remote work is a hot topic, hitting the mainstream with a boom, and employers now witness workers publicizing their newfound work-from-home experiences on public social channels like Twitter. “While you should never discourage employees from showcasing their experiences, you should encourage them to be responsible with what they share.”

Video conferencing can be safe, to answer a question I posed earlier in this piece, but it takes some effort on the part of organizations and employees. There should be transparency from businesses as well as clear and established rules, MacDonald added. “Displaying a user’s ID could compromise an organization,” he said; this needs to be clear from the beginning. “It’s important when using a video meeting system, users are aware of all its capabilities, including the display and security measures in place. If you need further peace of mind the video conferencing system you have is secure, ask four vital questions,” he added:

  • Where is the company based, and where is its engineering developed?
  • Which third-party security certifications has the provider achieved?
  • What data jurisdiction, if any, does the organization offer?
  • What is the provider’s privacy policy?

In the end, it may come down to a mixture of human caution and corporate responsibility that could ensure Zoom works without the worry of unwanted intrusion. It is only a matter of time before new Zoom users learn the platform as well as the dos and don’ts of video conferencing in a digital age. The rest is up to Zoom, and ensuring quality experiences is no small undertaking but one the company seems up for.

According to Apptopia, Zoom’s number of active mobile users in March was 151 percent higher than the previous year, making it more widely used than Microsoft Teams at this point. We reached out to Zoom for comment, but the company hadn’t responded by the time of publication. We do plan to update you once we hear back from Zoom.

 
