With its sudden surge of users, Zoom security practices come under scrutiny
Zoom has exploded in popularity as people turn to video calling software amid the ongoing coronavirus pandemic. The moment of huge growth has seen Zoom rocket to the top of iOS and Android app stores as people gather around it for yoga classes, school lessons, and virtual nights out. Even the UK government has been holding daily cabinet meetings over Zoom.
With all this extra attention, Zoom is now facing a huge privacy and security backlash as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom’s default settings aren’t secure enough. Zoom now risks becoming a victim of its own success.
The app is also apparently leaking some email addresses, user photos, and allowing some users to initiate a video call with strangers because of an issue with how the app handles contacts that it perceives work for the same organization, according to a report by Vice.
Zoom has battled security and privacy concerns before. Apple was forced to step in and silently remove Zoom software from Macs last year after a serious security vulnerability let websites hijack Mac cameras. In recent weeks, scrutiny over Zoom’s security practices has intensified, with a lot of the concern focused on its default settings and the mechanisms that make the app so easy to use.
Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants to gain access to a meeting. Researchers have found that these meeting IDs are easy to guess and even brute forceable, allowing anyone to get into meetings.
Privacy advocates have also raised issues over an attendee tracking feature that lets meeting hosts track whether participants have their Zoom app in view on a PC or whether it’s simply in the background. A digital rights advocacy group also called on the app makers to release a transparency report last month, to share the number of requests from law enforcement and governments for user data. Zoom has only said the company is considering the request and has not yet published a transparency report.
Part of this ease of use has led to the “Zoombombing” phenomenon, where pranksters join Zoom calls and broadcast porn or shock videos. At fault here are It’s default settings which don’t encourage a password to be set for meetings, and allow any participants to share their screen. Zoom adjusted these default settings for education accounts last week, “in an effort to increase security and privacy for meetings.” For everyone else, you’ll need to tweak your app settings to ensure this never happens.
Zoombombing was the first of many recent security and privacy concerns, though. Zoom was forced to update its iOS app last week to remove code that sent device data to Facebook. The app developers then had to rewrite parts of its privacy policy after it was discovered that users were susceptible to their personal information being used to target ads.
Perhaps the most damning issue came to light yesterday. While the video conferencing app still states on its website that you can “secure a meeting with end-to-end encryption,” the company was forced to admit it’s actually misleading people. “It is not possible to enable E2E encryption for Zoom video meetings,” said a Zoom spokesperson in a statement to The Intercept, after the publication revealed Zoom is actually using transport encryption rather than end-to-end encryption.