USA TODAY US Edition

Zoom becomes target for hackers

Video app facing downside as use soars

- Mike Snider

A silver lining for videoconferencing software maker Zoom is that demand for its product is up, as millions of Americans staying at home during the coronavirus crisis have relied on the service to stay connected with family, friends, classmates and co-workers.

The downside of that burgeoning growth in users and usage is that Zoom has become a target for wrongdoers and potential hackers.

Uninvited guests who “zoom-bomb” online gatherings on Zoom have become a big enough problem that the FBI is on the case. Zoom had to update its software to prevent it from sending data from iOS device users to Facebook.

Zoom faces two additional security flaws that could be used to hijack a Zoom user’s Mac computer and access the webcam and microphone. Patrick Wardle, a former NSA hacker who works with Jamf, an Apple enterprise management software firm, revealed the bugs on his blog, first reported by TechCrunch.

Even though Zoom has become popular and critical, Wardle says, “if you value either your (cyber) security or privacy, you may want to think twice about using (the macOS version of) the app.”

This new Mac vulnerability can work similarly to a malicious app uploaded onto your phone to get inside a banking app and control it, says Zack Allen, director of threat intelligence at cybersecurity firm ZeroFOX.

A flaw identified by Matthew Hickey of cybersecurity firm Hacker House and first reported Wednesday by tech site iTnews could let a hacker get credential data and remotely access Windows computers on corporate networks.

Tech news site Motherboard reported Wednesday that Zoom was sharing the email address and photos of thousands of Zoom users who signed up with an email address sharing the same domain.

Zoom did not immediately respond to a request for comment on the security flaws.

New York Attorney General Letitia James sent a letter Monday to Zoom with a number of questions to ensure the company takes appropriate steps to ensure users’ privacy and security, a spokesman told USA TODAY.

The attorney general’s letter came after a lawsuit filed Monday, first reported by Bloomberg, charged Zoom with sharing information about the user, the device, phone carrier and other data. The suit followed Motherboard’s analysis of the Zoom iOS app, which found that when the app was used, it sent information from the device to Facebook even if the user didn’t have Facebook on the device. Zoom subsequently updated its app to prevent the sending of information, the company told Motherboard.

Zoom has never sold users’ data and does not monitor video meetings or their contents, the company said in a statement posted Sunday on its blog. “Zoom takes its users’ privacy extremely seriously. Zoom collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively under a wide variety of settings in which our users may be operating,” the company said.

Zoom-bombing disrupts connections

The zoom-bombing situation attracted attention after an Alcoholics Anonymous meeting in New York was interrupted by a man hollering misogynistic and anti-Semitic slurs and saying, “Alcohol is soooo good,” Business Insider reported.

In other incidents reported to the FBI, a Massachusetts high school online class was interrupted by a person cursing and shouting the teacher’s home address, and in a separate Massachusetts school meeting, a person appeared on video displaying swastika tattoos.

“As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called Zoom-bombing) are emerging nationwide,” the FBI Boston field office warned.

Zoom updated its default settings, so passwords are required and teachers “are the only ones who can share content in class,” the company said in a statement to USA TODAY. “We are deeply upset to hear about the incidents involving this type of attack.”

Should you need to report a Zoom intrusion, you can do so on the Zoom website.

As more people across the globe have been told to stay at home to prevent the spread of the COVID-19 virus, Zoom has seen its traffic skyrocket. Zoom has been the No. 1 app for most of the month on Apptopia’s app store chart, the tracking firm says. In March, Zoom was downloaded approximately 40 million times worldwide, outpacing social media apps Facebook, Snapchat and TikTok.

During March, daily downloads of Zoom in the USA rose more than 1,000% from 29,802 to 339,701, Apptopia says.

In mid-March, Zoom CEO Eric Yuan lifted time limits on Zoom sessions for all K-12 schools in the USA, Italy and Japan, a move first reported by Forbes. Typically, Zoom’s free version limits video sessions to 40 minutes. The company had already lifted limits for China and other countries affected by the coronavirus crisis.

Individuals can upgrade to a Standard Pro account for $14.99 monthly for unlimited length sessions.

The latest security vulnerabilities should not stop teachers and others from using Zoom, ZeroFox’s Allen says. “WFH (working from home) cannot stop. The economy depends on it, so stopping the use of tools like Zoom will be hard for everyday users,” he said.

Tips to control your meetings

ZeroFox is working on new capabilities to help companies using Zoom for business, he says. For others, there are some simple ways to reduce risks, from ZeroFox, Zoom and the FBI:

❚ Don’t make meetings or classes public. You can require participants to use a password, or the meeting manager can make participants first appear in the waiting room.

❚ Limit screen sharing. Hosts can prevent others from posting video by changing the screen sharing options to “Host Only.”

❚ Lock the door. You can close your meeting to newcomers once everyone has arrived.

❚ Cut out the chatter. The host can disable the ability to text chat during the session to prevent the delivery of unwanted messages.

❚ Boot the uninvited. Hosts can remove a participant by putting the mouse over that name and choosing the Remove option. Allen says you can block people from rejoining meetings if they were removed.

Zoom video conferencing has boomed amid social distancing. (Image: ZOOM)
