Security/privacy issues with Zoom – is the panic justified?
April 6, 2020 7:53 AM   Subscribe

My small organization is considering whether to dump Zoom. Offhand, this seems like an over-reaction to me, but I'd like to get some other opinions.

Zoom has been the subject of many scary news stories, such as this one. Apparently, New York City schools are transitioning away from using Zoom.

The media storm has caused people at my workplace to panic and frantically start looking for alternatives. But is this really necessary? As best as I can tell, no-one is claiming that hackers are using Zoom to compromise internal networks. Based on the media reports, the single biggest concern is "Zoom-bombing", where trolls hijack a meeting and broadcast offensive content. Other areas of concern:
  • The meeting organizer can get some feedback about whether participants are paying attention or not (this attention-tracking features is based on whether the participant has Zoom open as the top window on their device).
  • Zoom has a feature that allows meeting organizers to match-up LinkedIn profiles with participants, even if those participants think that they are joining the meeting anonymously. And apparently, some of that data is sent back to LinkedIn.
It seems that some simple measures can help prevent Zoom-bombing, and that Zoom has addressed the two privacy concerns mentioned above.

My inclination is that other apps probably have their own security flaws, and that if an organization has been happy with Zoom (as has my workplace), then there is no compelling reason to switch. Thoughts?
posted by akk2014 to Computers & Internet (12 answers total) 4 users marked this as a favorite
From an IT security friend (in the following they are referring to various articles about zoom weaknesses):

tl;dr Keep using Zoom.

Risks and mitigations:
1. The headline is based on a shortcut they took to make installation easier. The existence of this shortcut is Apple's problem to solve not Zoom's. Apple will fix this and Zoom has pledged not to use similar shortcuts in next version. Bottom line for normal people, only install software from trusted sources, preferably "app stores" or "kbox" type things where available. Be aware that scumbags are phishing people with malware -- with lures including "Zoom is insecure, click here for the fix!!!”
2. Zoom chat allows people to send hyperlinks. If you have bad people in your meeting and you click a bad link and your device has other underlying issues, bad things can happen. This is the dumbest "Zoom vulnerability" reported in the current piling-on. Zoom has added filtering-out of a few classes of attacks and general advice about avoiding "bad" people, links, and devices applies. You're less likely to get attacked via Zoom than email, sms, or Facebook.
3. Bad people harassing meetings *is* a thing. Be aware that if (you post your meeting ID publicly OR you get unlucky about someone using an automated tool to try all possible numbers) AND you have no meeting password AND you don't use the waiting room or other security features AND you have not learned how to kick griefers off AND you allow (chat OR screen sharing by non-organizers without admin approval) the bad meeting attendees can do bad things. Follow any 2 of the Boolean logic blocks in previous sentence and you'll be ok.
(Zoom is silently changing some if the default settings relevant to #3)
4. Zoom does not have "end to end encryption" and in the past made misleading statements implying they did. What this means is that someone with privileged access to Zoom infrastructure, including possible law enforcement, spies, disgruntled Zoom employees, or hackers, could view or interfere with your meetings. See also #3. See also #2 -- the fact that Zoom, Google in many cases, Facebook in many cases, email antispam/antivirus sysyems, SMS cell phone providers, etc can see your messages means that they can block #2 (although just as with spam, they are not going to be perfect at that). If you are doing something requiring perfect forward secrecy from determined adversaries, use something like Signal with strict key verification practices.
The sky is not falling. Ok, it is, but keep your wits about you and you and the people you love can avoid the larger chunks.
5. If people phone in, then other meeting participants can see their phone number. In some cases this is a risk worth worrying about but at Carleton small friendly class size I think it's just a footnote.
6. Be wary of what (and whom) is in the background. Many schools require students to set virtual backgrounds (or cameras off entirely). Which itself has graffiti risk...
7. Corollary of #6, don't be creepy about proctoring.
(Finally?) this is subject to change. To control the rumor mill (and phishing taking advantage of it!) welcome feedback at a trusted central location and pledge to keep the FAQs updated. To limit duplication of effort, refer to a LIMITED number of trustworthy external references such as Zoom itself and large universities (like IU). AVOID AVOID AVOID sharing links to advertising supported news sites.
posted by correcaminos at 7:57 AM on April 6, 2020 [13 favorites]

I would consider using Zoom unless the information you are discussing falls into a particularly sensitive or legally restricted area - e.g. HIPAA, or, if the information, were it to leave the participants of the meeting, would negatively impact or embarrass those individuals. Without knowing your organization/use case, it's impossible to really advise.
posted by scolbath at 8:02 AM on April 6, 2020 [1 favorite]

Best answer: Bruce Schneier, a legend in the cyber security field, just did a breakdown on Zoom. It's long and fairly negative, but my biggest takeaway comes from a reply of his in the comment section:
"What I’m trying to figure out is if Zoom is substantially less secure than other options or if it’s just more scrutinized than the others with its explosion in popularity."

I don't know. My guess is that it's just under the microscope right now.
Does Zoom have issues? Yes. Do the other options also have issues? Yes.
posted by matrixclown at 8:04 AM on April 6, 2020 [6 favorites]

It depends on who will be using it, and if you’re already on some suitable platform.

If you use MS Office, you can use Skype for Business or Teams.

If everybody uses Google, you can use Google Hangouts.

I don’t know if Slack has anything like this; I suspect not, as I would have heard about it otherwise.
posted by Huffy Puffy at 8:07 AM on April 6, 2020

I think the only way to be truly secure is to use signal or keybase. Neither of those options have the same ease of use or polish that zoom / meet / webex have, but they are actually secure. I think signal is a bit closer in that has video group chat, whereas keybase is more like slack.

If you are concerned about oppressive government interference or corporate espionage it may be worth looking into either of these secure alternatives, otherwise, it's likely a push between any of the major meeting services.
posted by askmehow at 8:44 AM on April 6, 2020 [1 favorite]

The true answer to this question lies within your company's information security policy, which will take into account such things as industry standards and anything required for relevant compliance with various legislation when assessing whether or not certain features are required/disallowed in a virtual meeting application.
posted by some loser at 8:56 AM on April 6, 2020

The existence of this shortcut is Apple's problem to solve not Zoom's

Lol no. First off, Zoom knew they fucked up since they literally changed how their install worked the next day after this was disclosed. Second, don’t let this “IT Guy” near anything you care about since he obviously isn’t knowledgeable about his job.
posted by sideshow at 9:30 AM on April 6, 2020 [6 favorites]

Just to clarify, this is the article that my colleague and friend was responding to/nuancing.

@sideshow - ¯\_(ツ)_/¯ I've known my friend for years. He's got tons of experience, particularly in university-related IT security. But definitely you do you.
posted by correcaminos at 9:43 AM on April 6, 2020

Best answer: Opinion; Zoom is not any more insecure than anywhere else. As you note, there are further mitigations, such as meeting passwords and such.

Let's focus on the statistics.. what is the possibility, out of all the Zoom meetings going on, and if you take the general precautions, that YOUR meeting is going to get hacked into?

Take into account the volume of users, and the number of hackers actually doing this.

Next, what is the possibility that the hackers are just being disruptive versus attempting any corporate espionage? And if it is espionage, are your meetings chock full of corporate secrets?

Unlike identity theft and other sorts of purpose-based hacking of data, I can't find too many compelling reasons for hackers to hack into Zoom meetings.

First, it's a needle in a haystack issue. With data and identity, they're grabbing massive amounts of data and hoping something sifts out. Identity is very focused, and has specific target data that exists in specific places. But also a needle/haystack issue.

So, from a security risk side, the possibility of a hacker wasting that much time on random social engineering possibilities that they may pop into a useful meeting with value likely is somewhat small. And if they are doing it with purpose and being targeted.. likely they'll hack in anyway.

So, you're left with the randomness of being a needle in the haystack victim of some disrupting entity where the harm is "OK, cut the meeting and we'll reschedule" while they try and troll pron at the attendees before everyone bails.

And that risk going down with each extra measure you take that Zoom (and others) make available.

People are overreacting.
posted by rich at 10:34 AM on April 6, 2020 [5 favorites]

I'm with Sideshow here. I don't trust your IT guy if that's his analysis.

Also, it's not really so much about their security (which is bad); it's about the company's behavior. The stuff they've done on the MacOS client is a great example. They keep on doing BAD things, and then "fixing it" when they're called out.

Zoom has shown for quite a while that either

* they don't know any better than to do some very bad things (e.g., silently install an insecure web server on your computer), or

* they DO know these things are bad, and then do it anyway.

Either way, this is not a company you want to trust.

Sure, when caught and called out, they "apologize," but it's pretty clear what they've been sorry for is getting caught, not doing unethical and insecure things. I say this because they keep doing skeevy things. As the saying goes, when someone shows you who they are, believe them.

This is not a company I would trust any farther than I can throw them. I would not install the Zoom client on anything other than iOS at this point (because iOS has aggressive sandboxing, so they're limited in the chicanery they can do there).

Reading what Bruce Schneier has to say and then taking away only that "well, they're probably all flawed" is a bad summary, especially when he literally says:
In the meantime, you should either lock Zoom down as best you can, or -- better yet -- abandon the platform altogether.
posted by uberchet at 11:54 AM on April 6, 2020 [8 favorites]

I'm with sideshow and uberchet. None of the things that have come out about Zoom are dealbreakers, but it does at this point amount to a pattern of at best questionable behavior by Zoom and its developers. No individual thing that's come out has been a full stop issue for me, but they've all been bad, and all things you would do if you prioritize monetizing corporate oversight of your video chat tool over privacy at every step. As uberchat says, notice how they quickly fix these things with a full apology, but continue to not get better or more transparent about overall privacy concerns.

Distributed video chat is a tough thing to do well, and has become a lot more necessary for many people all of a sudden. I don't know that any service is doing a great job, but Zoom has done a specifically bad job of safeguarding user privacy and rights, and if you read between the lines that is not an accident, it's their business model. Use them if you like, but don't kid yourself about their priorities.
posted by lhputtgrass at 2:20 PM on April 6, 2020 [3 favorites]

A better question is, does Zoom have more potential security problems than others competing in this space likes Skype/Teams, Google Hangouts, and Webex?

The answer is indisputably yes, especially compared to the first two. Zoom has also been mistakenly routing calls through chinese servers, and many of their developers are based in China.

Now, do your meetings have content that the CCP is interested in? Unlikely, but why even bother with the headache when there are two proven, secure enterprise solutions available in the form of Skype/Teams and Hangouts?
posted by smoke at 6:26 PM on April 6, 2020

« Older Record Zoom without recording chat   |   Losing friends and moving on Newer »
This thread is closed to new comments.