<img height="1" width="1" src="https://www.facebook.com/tr?id=1046809342117480&amp;ev=PageView &amp;noscript=1">

VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Share the Infinigate UK Blog on LinkedIn Share the Infinigate UK Blog on Twitter Share the Infinigate UK Blog on Facebook Share the Infinigate UK Blog on Google+ Share the Infinigate UK Blog via Email

How Secure is Zoom and Should I Be Using It?

Topics: IT Security, COVID-19, Remote Work, Remote Workforce

Posted: 24 April 2020


There are a few businesses which have been proven to thrive in the conditions we find ourselves in today; and telecommunications companies are one of them. Whether it be Zoom, Webex, GoToMeeting or any other provider of teleconferencing software, the demand for such solutions and services have soared, as large swathes of the population now adjust to new working from home requirements.


So much so, that in March of 2020, Zoom reported a 535% rise in usage of their services - and unsurprisingly so, as everything from Government meetings, to training courses and even birthday parties are now seemingly going virtual.


Yet despite this, Zoom in particular with its affordable price-tag and easy-to-use interface, has attracted a bit of a reputation for not being the most secure nor privacy-friendly piece of software available.


So, what is it that worries security experts about Zoom, and should we continue to use it?


You may also be interested to read How to Secure Your Remote Access from the Changing Threat Landscape

Hidden Web Servers


While you might have only just become aware of Zoom, due to its increased fame as a result of the COVID-19 crisis, it has been around since 2011.


In that time, it has, like most software, discovered vulnerabilities in its solution which it has sought to address. However more curiously, in 2019 it was revealed that Zoom had covertly included a web-server into its solution, which could allow a user to be added to a Zoom call without their permission or explicit action in joining.


What this meant is that simply by browsing to a website, the user could be placed into a Zoom call with their camera activated. More worryingly, this undocumented web-server was not removed from the user’s device, when the user elected to uninstall Zoom’s software.


After taking considerable flack from members of the IT security industry, Zoom did release a patch to rectify the problem. However, the problem was concerning enough that Apple took matters into their own hands by releasing an operating system level patch to deal with the problem themselves.


Hacked Webcams and Microphones


While 2019 seems like a world away in a slow-motion lock down world, Zoom have had their fair share of security issues in 2020.


In the latter part of March 2020, two bugs were discovered which could be used to snoop on webcams and microphones; and which could be used to steal Windows passwords.


This led to Tech Crunch labelling the incident “Zoom Doom” and an associate computer science at Professor at Princeton University to say “Let’s make this simple, Zoom is malware.”


It is important to point out that Zoom have since released a patch to correct both issues. However, there is no information available which tells us how many people are running vulnerable versions of the Zoom software.


You may also like The Top 5 Cloud Security Challenges Haunting Every IT Manager


Privacy Concerns


Finally, in what was the most important matter of our time – Zoom has come under heavy criticism for its privacy policy.


In April 2020, New York’s Attorney General, Letitia James, sent a letter to Zoom asking it to outline the measures it had taken to address privacy concerns, considering the rise in the number of users using its software.


Referenced in this letter is an alleged incident whereby Zoom has been sending data from users of its iOS app to Facebook, for the purposes of advertising. Even when the user doesn’t have a Facebook account.


In response to this, Zoom has changed some of its policies and has said that it “has never sold data in the past and has no intention of selling users’ data going forwards.” Since then, a lawsuit has been filed in California against Zoom, accusing it of a failure to safeguard its users’ personal data.


You may also be interested to read Five Considerations for a COVID-19 Ready Remote Workforce


Should We Continue to Use Zoom?


It is important that when it comes to the use of one software solution over another, that we weigh up the risks and benefits which are applicable to our individual cases.


It is easy to cast a judgemental eye over Zoom for their past security flaws. But which software solution hasn’t had to release security patches or respond to publicly disclosed vulnerabilities? As IT Security Professionals, we are already aware of the need to regularly assess and patch to reduce our risk surface of exploit.


Zoom software is no exception.


When it comes to privacy, I ask a similar question. How many big tech companies are also in the hot seat? This doesn’t mean that we shouldn’t question and scrutinise, but I do think that any attempt at demonisation should be placed into context. Is the alternative any better?


That said, Zoom is a great piece of teleconferencing software which is very easy to use, whether you are adept at IT or not. It has proven to be very popular in very testing times; and there is no-doubt that some of its negative attention is due to its increased usage.


My recommendation is that anyone considering using Zoom software should be aware of the alleged and proven flaws; and assess those against how they intend to use the software. There is no such thing as eliminating risk – in the end, it comes down to likelihood and impact - the fundamentals of every choice we make as human beings.


New Call-to-action

Infinigate UK
Posted by: Infinigate UK
Share via:

Subscribe to VSEC Blog Updates

Terms and Conditions:
  • When completing this form, you are indicating your consent for this processing activity. By doing this you are providing Infinigate UK with lawful consent to process your submitted personal data for one or both of the marketing purposes below:
    • We will use your details to send you blog updates.
    • We will match your answers to areas of interest which believe you have and may send you additional marketing materials related to those areas.
  • We will keep your personal data for nine months, upon which we will delete your personal data unless you have consented to further processing or we have legitimate interests to retain it. You are free to withdraw your consent at any time by contacting our marketing department or using one of our unsubscribe links in our communications.
  • In some cases where you indicate consent for supplying you with additional promotional marketing material, we will share your personal data with one of our reseller partners, should your areas of interest match a solution or service they provide. We instruct all our reseller partners to communicate this data transfer with data subject affected.
  • Your personal data is stored in a marketing automation solution database, access to this is limited to authorised users and all necessary steps to ensure data security is maintained.

For further information about this form, your rights under the General Data Protection Regulation or how to exercise them, please contact Infinigate's marketing department here.

Popular Posts