Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Rise and Fall of Zoom

Well, Zoom hasn’t exactly fallen. But since their insane rise in popularity in the last one to two months, they have now attracted a significant amount of bad publicity over security and privacy issues. Some groups of users have started to stop using Zoom in favour of competitors.

On 1st April, Zoom announced they were putting a freeze on new feature development for the next 90 days in order to focus on fixing security issues. Their meteoric rise in popularity saw 200 million daily active users in March, up from just 10 million in December 2019. It is thus not surprising that its popularity has attracted a lot of security scrutiny, including from those with malicious intent.

You may have heard that our own Ministry of Education has suspended the use of Zoom by teachers after some very serious incidents occurred. We are far from alone. In fact, Zoom has already been banned in many other places:

To be fair to Zoom, not all the complaints about Zoom are entirely security holes in their software or system. For example, the incidents that occurred in our Home-Based Learning appear to be due, at least for the most part, to inadequate configuration. However, one could argue that Zoom’s service was poorly designed in that it allowed misconfigurations to happen so easily.

Similarly, the exposure of many Zoom recordings comes about because of the default way that recordings are named, with users unwittingly making them available and easily searchable because they don’t rename the files. You can’t say the users are blame-free; on the other hand, Zoom made it easy for these problems to exist.

Then, there are also many instances of true security vulnerabilities in Zoom itself. Last year, Zoom had to patch a flaw in their Mac app that allowed a live webcam feed to be exposed to an attacker. Last month, an issue was found in Zoom that allowed attackers to steal Windows credentials when you click on UNC links.
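The UNC-link issue above comes down to a chat client rendering a Windows network path (\\host\share\...) as something clickable. As an added illustration that is not part of this post and not Zoom’s code, here is a small Python linkifier with the naive behaviour beside a hardened version that only makes http(s) URLs clickable, leaves UNC paths as inert escaped text, and exposes a helper for spotting UNC paths in messages (useful for logging). The sample messages are constructed.

```python
import html
import re

# Matches http(s) URLs and Windows UNC paths (\\host\share\...) as single tokens.
LINK_TOKEN_RE = re.compile(r"(https?://\S+|\\\\\S+)")

# Constructed sample chat messages, not taken from any real meeting.
SAMPLE_MESSAGES = [
    "Slides: https://example.com/deck.pdf?v=1&w=2",
    r"Grab the notes here: \\203.0.113.7\share\notes.docx",
    "No links in this one.",
]


def is_unc_path(token: str) -> bool:
    # A UNC path starts with two backslashes followed by a host name or address.
    return token.startswith("\\\\")


def find_unc_paths(message: str) -> list:
    # Detection helper: list every UNC path present in a chat message.
    return [m.group(0) for m in LINK_TOKEN_RE.finditer(message) if is_unc_path(m.group(0))]


def _render(message: str, make_clickable) -> str:
    # HTML-escape the whole message and wrap only the tokens approved by
    # make_clickable in <a> tags; everything else stays plain text.
    out, pos = [], 0
    for m in LINK_TOKEN_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        token = m.group(0)
        escaped = html.escape(token, quote=True)
        if make_clickable(token):
            out.append(f'<a href="{escaped}">{escaped}</a>')
        else:
            out.append(escaped)
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def linkify_naive(message: str) -> str:
    # Risky behaviour: every URL-looking token, UNC paths included, becomes a link.
    return _render(message, lambda token: True)


def linkify_safe(message: str) -> str:
    # Hardened behaviour: only http and https URLs become links; UNC paths stay text.
    return _render(message, lambda token: token.startswith(("http://", "https://")))


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("naive:", linkify_naive(msg))
        print("safe: ", linkify_safe(msg))
        print("unc:  ", find_unc_paths(msg))
```

The design choice worth noting is the allowlist: rather than trying to enumerate every dangerous path or scheme, the hardened version names the two schemes it is willing to turn into links and treats anything else, UNC paths included, as ordinary text.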

Some of Zoom’s practices have also been called into question. For example, the issue with the Mac app last year raised questions about why Zoom needed to install a webserver on users’ computers. Zoom has also not been very upfront about their practices, such as sending data to Facebook from its iOS app even when you don’t have a Facebook account.

Also, I’m very disappointed that the end-to-end encryption that Zoom claims to have incorporated is a complete lie. In fact, when called out, Zoom still tried to pass off their “end-to-end” claim as being valid, because they encrypt from the client to the server. That’s utter nonsense.

End-to-end encryption in videoconferencing systems isn’t an easy thing to do. Google Meet and Google Hangouts, for example, don’t claim to do it. The fact that Zoom claims to support end-to-end encryption could have led some customers to choose them over competing services. This deception may be hurting competitors.

Other recent security findings report that Zoom uses poorer encryption keys than they claim (AES-128 instead of AES-256), and uses them in a lousy mode. Keys may be distributed from a China-based server, even when none of the parties on the call are anywhere near there. To find that calls made entirely within North America would end up routed through, and having keys coming from, a China-based server could be worrying for some, such as the U.S. government.

Zoom’s security woes do not end there. A recent Medium post shared another hack. It’s worrying what these discoveries show. It makes you wonder if Zoom has it in their mindset to consider security.

It is apparent that Zoom has quite a lackadaisical attitude towards security and privacy. Their dishonesty is appalling.

However, it seems that in the present COVID-19 situation, most people on this planet have been brought together via Zoom. We may find growing awareness, concern, and some users switching away to other videoconferencing solutions, but many will likely just stay on with Zoom.
