How the Coronavirus Forced Zoom
to Grow Up Fast
The coronavirus has catapulted Zoom into the living rooms of hundreds of millions of people. But extra scrutiny of the videoconferencing software has found its security and privacy to be lacking. Rob Scammell looks at where Zoom messed up, how it responded to criticism and what it is doing to fix things
Before the coronavirus, Zoom was little known outside of business circles. Now its videoconferencing software is an essential tool for governments, businesses and friendship groups to maintain social interactions at a time when we are asked to be socially distant.
The result has been a near-overnight explosion in popularity. By February, Zoom had added more videoconferencing users than it did for the whole of 2019.
To put its growth into more context, it had 10 million daily meeting participants in December 2019. In March, that figure soared to 200 million.
That kind of growth doesn’t go unnoticed. Its share price is up by more than 100% year-to-date against a backdrop of markets in freefall, as investors carve up companies into pandemic winners and losers.
But with great power comes great responsibility – and scrutiny. No sooner had Zoom ballooned to new heights, cracks started to appear in its security and privacy.
The US firm has faced backlash from security professionals and privacy advocates over everything from ‘Zoom-bombing’ to faux end-to-end encryption.
And Zoom’s rivals – Microsoft Teams, Google, Skype – have been circling like sharks, looking to make a dent in Zoom’s current market dominance.
In a whirlwind four months, Zoom has been forced to face up to its mistakes – but so far it appears to be listening to its critics.
What Zoom got wrong
First came the Zoom-bombing. By mid-March, there were numerous reports of hackers and trolls entering Zoom meetings uninvited. Once inside they caused all manner of disruption; in some cases, Zoom-bombers used the screensharing function to show participants grotesque content, ranging from violent videos to shocking pornography.
Zoom-bombing became a problem because Zoom meeting URLs and personal meeting IDs are either shared online by participants or too short, which means it’s not difficult for trolls to randomly guess the numbers. Combine that with screensharing permitted by all participants, along with misconfigurations on the user end, and you have Zoom-bombing.
“The potential attacks and security vulnerabilities are radically different in an architecture where communication does not remain encrypted for the full path.”
On 26 March, analysis by Motherboard found that the Zoom iOS app sent some analytics data to Facebook, such as IP address, device time zone and mobile carrier. The software development kit that allowed users to login to Zoom with Facebook meant that Zoom was sending this analytics data to the social media giant even if they did not have a Facebook account.
Then, on 31 March, a report by The Intercept revealed how Zoom’s marketing had been using its own, unconventional definition of end-to-end encryption – one that meant its encryption had “significant weaknesses”.
“This is not merely a semantic distinction, as the potential attacks and security vulnerabilities are radically different – and greater – in an architecture where communication does not remain encrypted for the full path between end points,” says Tim Callan, senior fellow at Sectigo, a provider of digital identity solutions.
In other words, user data was unencrypted while on Zoom’s servers.
“Now that Zoom’s in the spotlight, it's all coming out.”
On 3 April, a report by the University of Toronto’s Citizen Lab backed up The Intercept’s analysis and went further, revealing that part of Zoom’s technical infrastructure is routed through China, an arrangement that the researchers warned “may make Zoom responsive to pressure from Chinese authorities”.
“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China,” the report stated.
“Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure,” wrote renowned cryptographer and privacy specialist Bruce Schneier. “Now that it's in the spotlight, it's all coming out.”
Zoom’s security flaws came as a succession of sucker punches to the high-flying technology firm. No sooner had it rooted itself in the daily routines of hundreds of millions, it was being criticised and abandoned in a very public fashion.
Arms of government, from the German Foreign Ministry to the United States Senate, banned its use. On 31 March the FBI sent a nationwide security alert warning the public and private sectors against leaving Zoom meetings open, in which it classes Zoom-bombing as a cybercrime.
Schools switched to alternative services; others abandoned video lessons altogether.
“Zoom's reaction has been pretty encouraging.”
So, what has Zoom done about it? First, it accepted it had fallen short on security and apologised. It did so quickly and sincerely, earning it some plaudits among the cybersecurity community.
“Zoom's reaction has been pretty encouraging,” says Carole Theriault, an independent cybersecurity expert and co-host of the Smashing Security podcast. “They seem to be owning the responsibility for the flaws, and they have announced a few measures to rectify the situation.”
It is reflective of a wider business culture that an honest apology should be worthy of praise. But weighed against a long list of companies that have played the semantics game to avoid a clear apology – often using gaslighting language (“we’re sorry if customers feel let down”) – it is a refreshing change.
“We recognise that we have fallen short of the community’s – and our own – privacy and security expectations,” wrote Zoom CEO Eric Yuan in a blog post addressing privacy concerns. “For that, I am deeply sorry, and I want to share what we are doing about it.”
To Zoom’s credit, it set about fixing problems promptly. Two days after Motherboard revealed Zoom was sending data to Facebook, Zoom removed the code enabling the “unnecessary” data collection while keeping the ability for users to login via Facebook.
“Zoom’s retrospective changes were very much forced and possibly not even on their short-term radar.”
It has hired cybersecurity consultants, including infosec heavyweights Alex Stamos and Katie Moussouris. After Stamos, a former Facebook chief security officer, voiced concerns about Zoom on Twitter, Yuan got in touch directly.
“He asked detailed and thoughtful questions of my experiences working at companies facing extreme crises,” wrote Stamos, “and I was impressed by his clear vision for Zoom as a trusted platform and his willingness to take aggressive action to get there.”
Meanwhile Moussouris’ company, Luta Security, will help beef up Zoom’s bug bounty programme.
Then, on 8 April, it announced a new “security” option that makes it easier for Zoom hosts to lock down a meeting and kick out unwanted participants, as well as preventing rogue screensharing. The Waiting Room function is now on by default, as are password-protected meetings.
And after UK Prime Minister Boris Johnson unwittingly broadcast his cabinet’s Meeting ID, Zoom will no longer show the number on the tab’s toolbar.
In response to Citizen Lab’s report, data is no longer relayed through servers in China, while paying Zoom customers can choose the exact regions their conversations pass through.
On 7 May Zoom announced the acquisition of secure messaging and file-sharing service Keybase, in move to accelerate its plans to add end-to-end encryption to its platform.
All of these changes fall under Zoom’s 90-day plan, during which it is freezing all new feature updates to focus solely on security.
“Zoom’s retrospective changes were very much forced and possibly not even on their short-term radar,” says Jake Moore, cybersecurity specialist at ESET, an internet security firm.
“However, it must be said that it’s refreshing to see a company listen to their users and take on board the suggestions and make security more of a focus.”
Room for improvement
Zoom is now approaching the halfway mark of its 90-day plan and continuing to make improvements. But the challenge at the heart of Zoom’s problems is one that is as old as the internet itself – privacy vs ease of use.
Yet while most tech companies have years to roll out changes that improve security while maintaining ease of use, Zoom has had a matter of weeks for its volte-face.
In other words, Zoom’s simple user experience, combined with an unprecedented growth surge, created the perfect storm for security to fall well short of the mark.
“Zoom had a dilemma on its hands as soon as it became popular,” says Moore. “Its original unique selling point was the simple easy to use click of a button functionality. This very quickly came under the spotlight as it’s well known that convenience is usually at the other end of the spectrum to security.”
“Zoom now has to deliver on these promises – and fast.”
The mantra of Silicon Valley – move fast and break things – has been notorious for creating great products that are later found to have serious privacy and security flaws. Often, tech firms are slow to fix the things they have broken. Some prefer to dispute whether there was a problem in the first place.
Zoom has done neither of these things. It has skipped past the usual stages of Silicon Valley grief – denial, legal threats, apology tours – and moved immediately to acceptance and remedy.
It remains to be seen whether the coronavirus will usher in a new era of mass remote working post-pandemic. And if remote working does increase when normality is resumed, Zoom’s position as the videoconferencing tool of choice is far from secure.
“Zoom now has to deliver on these promises,” says Theriault. “And fast. Otherwise, they will find themselves sidelined by another video service provider.”
But what is certain is that the pandemic has forced Zoom to grow up fast. There will likely be more growing pains to come.
Back to top