Complex Made Simple

Does Zoom really pose a security threat?

As Zoom gets its first taste of mainstream success and a whole lot of riches, it realizes it all comes at a price of increased scrutiny and accountability.

Some user data is handled in China, which has caused rising concerns amongst regulators and users.

Originally, Zoom was selling user data to Facebook when people used its iOS app.

The video conferencing service has also seen a surge of what is known as "Zoombombing".

This week, we explored the rise of Zoom Video Communications (shortened to Zoom), looking at how a relatively unknown tech unicorn secured itself the 2nd best performing tech IPO in 2019, as well as exhibiting a 1900% increase in users in just 4 months thanks to an odd boom resulting from mass worldwide quarantines, courtesy of the coronavirus pandemic.

However, as with all things, there’s always a Yin and a Yang. With Zoom, the dark Yin is its security fallibility. Plenty of news reports have already surfaced bringing the security of this burgeoning brand into question. This is especially important when you hear stories like the fact that U.S. agencies handling the coronavirus response had spent a collective $1.3 million on Zoom tech, as per Forbes. Even in the Middle East, we are seeing deployment of the tech at the state level. In Kuwait, for example, a health press conference was hosted by the state on Zoom with reporters and others attending virtually.

So if governments are making use of this technology, it must be secure, right?

The Chinese route

Well, the truth is, it’s not quite clear yet, and governments should especially be wary. 

“Zoom… handles user data [in] China, according to researchers,” Forbes reported. “That information, on occasion, also includes encryption keys, the chunks of data that can unlock conversations, even if the participants aren’t based in China, academics found in their tests of the software.”

According to Forbes, China plays a major role in Zoom’s operations, where lots of their R&D occurs, with Zoom increasing their workforce in the Asian country from 500 employees to 700 in the space of a year. The founder and CEO of the company, Eric Yuan, was born in the country and even studied there, though he has lived in the US since the 90s.

Still, the company has always been transparent about its ties to China, detailing it in SEC documents for example. 

Controversial terming?

But a Chinese connection isn’t the only thing researchers are worried about. There is significant concern about Zoom’s controversial definition of the concept of end-to-end encryption.

Let’s see how WhatsApp explains it, having switched to the security protocol in recent years: “WhatsApp end-to-end encryption ensures only you and the person you’re communicating with can read what’s sent, and nobody in between, not even WhatsApp. Your messages are secured with locks, and only the recipient and you have the special keys needed to unlock and read your messages. For added protection, every message you send has a unique lock and key.”

In terms of Zoom, this would mean video streams should be accessible by the conversing parties, and no one else, not even Zoom itself. However, a report by The Intercept found otherwise.

“The service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood,” the news site said. “Instead it offers what is usually called transport encryption.”

To keep things simple, with this encryption method, Zoom and threat actors are able to access the information (i.e. audio and video) while it is in transit and learn government agendas, business secrets, and more. The only Zoom feature that is truly end-to-end encrypted, however, is its text chat feature.
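The difference between the two models, as an added example that is not from the original article or from Zoom: a toy relay records what the provider's server can read under transport encryption versus end-to-end encryption. The SHA-256 keystream with HMAC is a stand-in for a real cipher, and `Relay`, `seal`, `unseal` and the sample frame are hypothetical names and constructed data.

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream: stands in for a real AEAD cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Relay:
    """Stands in for the provider's server and records what it can read."""
    def __init__(self, link_keys):
        self.link_keys = link_keys      # transport keys shared with each client
        self.readable = []

    def forward_transport(self, sender, recipient, blob):
        plaintext = unseal(self.link_keys[sender], blob)    # decrypted on the server
        self.readable.append(plaintext)
        return seal(self.link_keys[recipient], plaintext)   # re-encrypted for next hop

    def forward_e2e(self, blob):
        for key in self.link_keys.values():                 # server tries every key it holds
            try:
                self.readable.append(unseal(key, blob))
            except ValueError:
                pass
        return blob                                         # relayed unopened

def demo():
    frame = b"constructed sample: audio frame from a private meeting"
    links = {"alice": os.urandom(32), "bob": os.urandom(32)}
    e2e_key = os.urandom(32)            # known only to alice and bob, never to the relay
    relay = Relay(links)
    hop = relay.forward_transport("alice", "bob", seal(links["alice"], frame))
    got_transport, seen_transport = unseal(links["bob"], hop), list(relay.readable)
    relay.readable.clear()
    got_e2e = unseal(e2e_key, relay.forward_e2e(seal(e2e_key, frame)))
    return got_transport, got_e2e, seen_transport, list(relay.readable)
```

In both modes the recipient gets the frame; only in transport mode does the relay's `readable` list contain it.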

So what does Zoom do with our information then? Well, one reported instance is the transfer of user data to Facebook from its iOS app. Eventually, this was phased out, with Zoom telling news site Motherboard that “the data collected by the Facebook SDK did not include any personal user information, but rather included data about users’ devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.”

Regardless, the seeds of mistrust had been sown in users’ minds by then. 

Convenience backfires

One of the draws of Zoom has been its use of meeting IDs, 9-digit codes that anyone can use to enter meetings. This convenience feature, however, has been utilized by threat actors to “Zoombomb” ongoing video calls, where the hackers enter the meeting and then flood it with inappropriate or offensive imagery.

“It can be easy to Zoombomb a meeting,” CNET warns. “In many cases, a simple Google search for URLs that include “Zoom.us” can turn up the unprotected links of multiple meetings that anyone can jump into. Similarly, links to public meetings can be found scattered across organizational pages on social media.” 

CNET highlights some tricks and tips to make yourself less likely to be Zoombombed.
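One check an organizer can run before posting an announcement publicly, as an added example that is not from the article, CNET or Zoom: it flags meeting links in a draft and notes whether a passcode travels with the link. The `/j/<id>` path and `pwd` query parameter are assumptions about the join-link format, `audit_announcement` is a hypothetical name, and the draft text is constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)
# Assumed join-link shape: /j/<meeting id>. The article describes 9-digit IDs;
# 10- and 11-digit IDs are accepted here as well.
JOIN_PATH_RE = re.compile(r"^/j/(\d{9,11})/?$")

# Constructed draft announcement; the IDs and passcode token are made up.
SAMPLE_DRAFT = """Join our weekly town hall: https://zoom.us/j/123456789.
Board prep (members only): https://example.zoom.us/j/987654321?pwd=Q29uc3RydWN0ZWQ
Reminder, town hall link again: https://zoom.us/j/123456789
Agenda: https://example.org/j/555555555
"""

def audit_announcement(text):
    """Return one finding per distinct Zoom meeting link found in text."""
    findings, seen = [], set()
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?")          # drop sentence punctuation after the link
        try:
            parts = urlparse(url)
        except ValueError:
            continue                        # malformed URL, nothing to audit
        host = (parts.hostname or "").lower()
        if host != "zoom.us" and not host.endswith(".zoom.us"):
            continue                        # exact host match, not a substring test
        match = JOIN_PATH_RE.match(parts.path)
        if not match or match.group(1) in seen:
            continue
        seen.add(match.group(1))
        has_passcode = bool(parse_qs(parts.query).get("pwd"))
        findings.append({
            "meeting_id": match.group(1),
            "passcode_in_link": has_passcode,
            "risk": ("passcode is embedded, so the public link alone admits anyone"
                     if has_passcode else
                     "no passcode in link: verify the meeting requires one before posting"),
        })
    return findings
```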

Since then, and after facing a handful of lawsuits, Zoom has admitted it could not predict the massive surge of users it experienced (and probably the scrutiny it would face once it became mainstream), and has addressed some of these issues to some extent.

In the meantime, experts and media are suggesting that if you have to use Zoom, restrict it to casual or non-sensitive meetings only, as both the world and the company itself come to terms with the app’s monumental surge.