(Revised April 10) Beginning in late March and accelerating in early April, a lot of uncertainties came to light about Zoom, the videoconferencing service whose time in the spotlight has coincided with the coronavirus.
First came news that Zoom was sharing personal information with Facebook, without adequate notice to users (for which Zoom’s CEO has apologized). Then, reports surfaced that Zoom sessions could be intercepted and decrypted, counter to the promise made by Zoom (which has reportedly since dropped the term ‘end-to-end’ encryption). Then came a report that decryption keys and other traffic are routed through China, where Zoom may be “legally obligated to disclose these keys to authorities” (which Zoom says it’s addressing).
Here’s a grab bag of recent headlines that caught our attention last week, linked to their full news stories.
- Zoom meetings aren’t end-to-end encrypted, despite misleading marketing – The Intercept, March 31, 2020
- Hackers are posting verified Zoom accounts on the dark web – Yahoo Finance, April 6, 2020
- Do you know how Zoom is using your data? You Should. – The Guardian, April 1, 2020
- Lawsuits Target Zoom over Facebook Data Transfers – Law.com, March 31, 2020
- Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings – Citizen Lab, Munk School, University of Toronto, April 3, 2020
- Every security issue uncovered in the Zoom app – C|Net, April 7, 2020
Where do things stand now, and what should you do?
To Zoom’s credit, the company has instituted a 90-day plan to address the not-so-flattering publicity.
- Download Zoom’s latest software here
- Subscribe to the company’s blog for their latest news.
- There are multiple alternatives to Zoom.
Why it matters
Although we haven’t (yet) seen any piracy-specific reports relating to Zoom, one of the basic capabilities of streaming, chat and conferencing applications is to open a communications session between an end user and a service infrastructure. Many services are also designed to install software components on the end user’s device automatically.
Innocent errors can occur: a video provider’s faulty implementation of third-party APIs or infrastructure technologies, incomplete testing by a systems integrator, or incorrect mapping between sessions and virtualized or physical resources. Sessions left open, servers left exposed, and similar situations can often be attributed to error.
But purposeful “errors” can also leave the end user’s device vulnerable to sessions that intercept personal data or are used to implant malware, or leave a video provider’s servers open to robbery.
Again, this is not to cast indictments at Zoom; but users should be alert to risks of exposure – no matter whether it’s through Zoom or via any other streaming, chat or conferencing app – and enterprises considering adopting such services for mission-critical internal use should carefully examine service infrastructure to identify possible risks.
By Steve Hawley, Piracy Monitor