San Francisco Chronicle

Zoom vows to beef up its video security

- By Natasha Singer, Nicole Perlroth and Aaron Krolik

Over the past month, the Zoom videoconferencing service has emerged as the communication lifeline of the coronavirus pandemic. But the convenience fueling Zoom’s explosive popularity has come at a price.

Originally a service meant for businesses, Zoom was designed to make it easy for company employees, sales representatives and clients to hop on meetings. When consumers flocked to the service for school and socializing, however, those conveniences also made it easy to hijack videoconferences and harass participants in online attacks known as Zoombombing.

Now the San Jose company is scrambling to deal with privacy and security issues that keep popping up. On Wednesday, Zoom announced that it had formed a council of chief information security officers from other companies to share ideas on best practices. The company also announced that it had hired Alex Stamos, the former chief security officer of Facebook, as an outside adviser.

Eric Yuan, CEO of Zoom Video Communications, said in an interview Tuesday that his greatest regret was not recognizing the possibility that one day Zoom might be used not just by digitally savvy businesses but also by tech neophytes.

“We were focusing on business enterprise customers,” Yuan said. “However, we should have thought about ‘What if some end user started using Zoom’ ” for nonbusiness events, “maybe for family gatherings, for online weddings.” He added: “The risks, the misuse, we never thought about that.”

Yuan said Zoom never felt the need until now to rigorously examine the service’s privacy and security implications for consumers.

“If not for this crisis,” he said, “I think we would have never thought about this.”

In addition to the Zoombombing episodes, Zoom has reacted with surprise to press reports that the company’s iPhone app leaked user data to Facebook, and to criticism that the service had allowed certain users to covertly access the LinkedIn profile data of other participants.

Four months ago, Zoom was a niche business tool with 10 million daily users, many of them people working in offices or at home. Today, it has emerged as a fundamental online utility, with 200 million daily users — including family members gathering to celebrate holidays, teachers leading online classes for students and members of Alcoholics Anonymous holding meetings.

Last week, Zoom said it is suspending work on features for the next 90 days to devote all of its engineering resources to shoring up its security and privacy practices.

Security researchers also discovered that, despite its marketing promises, Zoom encrypted users’ communications but not with end-to-end encryption — a system that prevents third parties from accessing private communications. Yuan noted that end-to-end encryption is significantly more difficult with many users communicating simultaneously instead of something like Apple’s FaceTime, which is typically used by a handful of people at the same time.

Last week, the office of New York’s attorney general sent a letter to Yuan, questioning whether Zoom’s current security practices were capable of handling “the surge in both volume and sensitivity of data being passed” through its network.

Several days later, the FBI issued a warning saying that it had received multiple reports of Zoombombing, including incidents in which school meetings were hijacked by strangers posting pornography and using threatening language.

Zoom quickly announced that it was removing the Facebook software from its iPhone app and eliminating the LinkedIn data-mining feature. To hinder Zoombombing, the company just introduced default settings that will require kindergarten-through-12th-grade schools to individually admit participants to videoconferences from virtual waiting rooms.

Yuan said Zoom is making user privacy and security its top priority and was shutting down enterprise features that could present risks to consumers.

“This is a turning point. We have to raise the bar,” he said. “Whenever there’s a conflict, privacy first.”

Yuan, a former executive at Cisco Systems, founded Zoom in 2011. He has often described the company’s mission as “making video communications frictionless.”

Before the pandemic, Yuan said, Zoom used a number of security measures to identify vulnerabilities and invited hackers to probe its service for payment awards, through a bug bounty.

It also developed security and privacy features that could have prevented Zoombombing. But Zoom left it to business customers, which included some of the biggest names in the cybersecurity industry, to decide how they wanted to configure privacy and security settings.

Some cybersecurity and privacy experts said the time for Zoom to reassess its privacy and security was last year, after Jonathan Leitschuh, a cybersecurity researcher, discovered a flaw that attackers could use to activate a Zoom user’s webcam without their permission. Even when users tried to remove the app from their computers, researchers discovered Zoom would secretly reinstall itself.
