From the hijinks of “Zoom bombing” to serious encryption failures, the rapidly-growing Zoom can’t seem to get through three consecutive days without a new issue popping up. As this list of security concerns grows, more and more organizations are deciding that the platform simply is not worth the risk.
Federal government agencies, school districts and major enterprises have already banned Zoom from use for work purposes. As the security concerns continue to pile up — most recently, the news that two zero-day exploits are on sale on the dark web — the list of companies that are abandoning Zoom continues to grow.
Zoom: A case study in growing too fast?
Zoom’s primary selling point is that it’s a simple, easy-to-use platform. Non-technical meeting hosts seem to have less trouble coming to grips with it than they do with comparable products. As Chris Rothe, co-founder and chief product officer for Red Canary, points out: “From the start Zoom was built to be a video conferencing platform that ‘just works.’ In order to get that ‘it just works’ user experience, they did some things that are questionable or just wrong from a security perspective. You might ask why these issues are coming to light now rather than for the last nine years while Zoom was growing like wildfire? This is a natural occurrence when an application all of a sudden gets a lot more usage, which leads to more eyes on it and more scrutiny. That leads to vulnerabilities and design flaws being identified at a faster rate.”
It’s fair to say that “just works” simplicity seems to extend to a lack of sophistication in security. To be fair to Zoom, the company had no way of knowing that it would be adopted as the world’s default conference-from-home solution during a pandemic. But there have also been warning signs since long before Zoom’s meteoric growth began. For example, in mid-2019 a security flaw was discovered that allowed the app to potentially be taken over by a malicious website.
Zoom fixed that issue fairly quickly, and has generally been responsive to the security concerns that have popped up as it grew by millions of active users within the space of a few weeks. The trouble is that this chain does not seem to have an end. When one issue seems to be under control, another pops up in the headlines.
Security concerns turn off a broad range of organizations
This uncertainty has proven to be too much for a number of high-profile organizations that require their communications to be as secure as possible.
On Wednesday, Standard Chartered PLC became the first major international bank to ban Zoom from company use. It was far from the first company with heightened data processing regulations to formally back off from the platform, however. Standard Chartered joins a list that already includes Google, Siemens and SpaceX. In some cases these organizations have been forced to switch to something with fewer security concerns, as Mark Bower (senior vice president at comforte AG) observes: “There should be no surprise organizations like SpaceX and NASA banned it immediately: they are regulated under ITAR rules, with extremely harsh violation risks including executive jail time for data leakage outside very tightly controlled ecosystems for national security control, data protection and access. Inadvertent leaks while collaborating live, especially to non-US servers or using encryption keys for data protection originating in China as reported, would be a serious compliance red flag and risk nation-state compromise with huge ramifications.”
Government organizations have also banned the use of Zoom at varying levels. India, Taiwan and the German Foreign Ministry have banned the use of it for official purposes across the government. The United States Senate has not outright banned the platform, but has issued a strong suggestion that members not use it for official communications. The Australian Defence Force has also banned Zoom after comedian Hamish Blake crashed an Air Force meeting.
In addition to government agencies and private businesses, a number of school districts around the world are now instructing teachers and students to find an alternative to Zoom for class meetings. These include the schools of New York City, Nevada’s Clark County (home of Las Vegas), Mesa (Arizona’s largest school district), and California’s city of Berkeley. In Singapore, the Education Ministry initially banned the use of Zoom in schools across the nation but recently allowed it again with some additional mandatory security protocols in place.
Can Zoom catch up?
Near the beginning of April, Zoom instated a 90-day freeze on the development and addition of new features. This time is being used exclusively to address the security concerns that have been piling up.
To its credit, Zoom has made proactive moves to address the various issues that have cropped up. The company tapped former Facebook chief of security Alex Stamos to play a central consulting role in getting the platform to a state suitable for use in discussing sensitive and confidential information. It has also contracted with Luta Security to run a “bug bounty” program. Since the beginning of April the company has also beefed up its encryption standard, fenced Chinese servers off from the rest of the world, and changed default settings to promote better security hygiene among end users.
Some security concerns remain, however, such as the potential for Zoom bombing. The incredible growth of the platform has also attracted the special attention of hackers and cyber criminals the world over; custom malware that targets the platform is beginning to be spotted by security researchers.
Given all of this, and the continuing string of security concerns popping up in the news, some organizations feel that Zoom has already failed the safety test and has moved on to more complicated but more inherently secure video conferencing services.
Safer alternatives to Zoom
The coronavirus pandemic has dramatically expanded the market for video conferencing platforms, and it is likely that a good deal of this share will remain even after the virus goes away as companies discover that “work from home” models are feasible.
Encrypted alternatives to Zoom include TeamViewer, Cisco Webex and GoToMeeting. All of these have less in the way of free features and are more complicated to use than Zoom, but also have a better security track record. Microsoft Teams is one that is seeing a major uptick in use, but Paul Bischoff (privacy advocate with Comparitech) points out that you may run into some of the same security concerns there: “Zoom also lacks end-to-end encryption, despite what it’s marketing would have you believe, though I don’t think Microsoft offers this either for group video and voice conferencing. That means Microsoft could snoop on video and voice content.”