Zoom 'Lied,' Faces Criticism for Newly Discovered Lax Security Practices
Some condemn Zoom, while others believe the concerns are overblown.
April 7, 2020
Zoom Video Communications faces intensified scrutiny as new questions about lax security practices surfaced and school districts and other organizations started banning the meeting service.
Although Zoom apologized last week after the FBI warned that “Zoom-bombers” were hijacking meetings with pornographic images, New York City’s Department of Education barred use of the service, recommending Microsoft Teams instead. Other school districts across the U.S. likewise pulled the plug on Zoom over its security practices. NASA, SpaceX and the governments of Australia and Taiwan are among the latest to ban use of Zoom.
As critics debated Zoom’s security practices, the University of Toronto’s Citizen Lab released a report on Friday that raised more alarms. Among them, the researchers observed meeting encryption keys being delivered from servers in Beijing, China, for a meeting whose participants were all in North America. The researchers saw the keys while making a test call, according to the report.
Citizen Lab’s testers also found that a single 128-bit AES key, shared by every participant in a meeting, is used in ECB mode to encrypt and decrypt audio and video. That finding is especially troubling because Zoom has claimed its service uses 256-bit encryption. Moreover, security experts have long regarded ECB mode as insecure: each block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the input, such as the outline of a video frame, survive encryption.
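To make the ECB objection concrete, the following program is an added example written for this article; it is not code from Zoom or from the Citizen Lab report. It encrypts a constructed 8x8-block stand-in for a raw video frame with AES-128 (a 16-byte key, the size Citizen Lab observed) once in ECB mode and once in AES-GCM, then counts distinct ciphertext blocks and draws which blocks still match the background. The frame contents, the all-zero key and the block names are assumptions for illustration; the AES and GCM calls are Go standard-library APIs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

const blockSize = aes.BlockSize // 16 bytes regardless of AES key length

// layout is a constructed 8x8 "video frame": '.' background, 'S' subject,
// 'H' a highlight inside it. Each cell becomes one 16-byte block.
const layout = "........................" + "...SS..." + "...SH..." + "........................"

func sampleFrame() []byte {
	fill := map[byte]byte{'.': 0x80, 'S': 0x10, 'H': 0xf0}
	frame := make([]byte, 0, len(layout)*blockSize)
	for i := 0; i < len(layout); i++ {
		frame = append(frame, bytes.Repeat([]byte{fill[layout[i]]}, blockSize)...)
	}
	return frame
}

func mustCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		panic(err)
	}
	return block
}

// ecbEncrypt applies the raw block cipher to each block independently (pt
// must be whole blocks). Go's standard library deliberately ships no ECB
// helper; spelling it out exposes the flaw: equal plaintext blocks always
// yield equal ciphertext blocks.
func ecbEncrypt(key, pt []byte) []byte {
	block := mustCipher(key)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		block.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct
}

// gcmEncrypt is the comparison: AES-GCM with a fresh random nonce per frame.
// Only the ciphertext bytes are returned (tag dropped, nonce not prepended)
// so they line up block for block with the ECB output.
func gcmEncrypt(key, pt []byte) []byte {
	aead, err := cipher.NewGCM(mustCipher(key))
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)[:len(pt)]
}

// histogram counts each distinct 16-byte block; len(histogram(ct)) is the
// number of distinct ciphertext blocks, the simplest leak metric.
func histogram(data []byte) map[string]int {
	h := map[string]int{}
	for i := 0; i+blockSize <= len(data); i += blockSize {
		h[string(data[i:i+blockSize])]++
	}
	return h
}

// silhouette draws the frame as 8 rows: '.' for the most common block value
// (only if some value repeats), '#' otherwise. Under ECB the subject's outline
// survives encryption; under GCM every block is unique and nothing shows.
func silhouette(data []byte) string {
	bg, bgCount := "", 1
	for b, n := range histogram(data) {
		if n > bgCount {
			bg, bgCount = b, n
		}
	}
	var sb strings.Builder
	for i := 0; i+blockSize <= len(data); i += blockSize {
		mark := byte('#')
		if string(data[i:i+blockSize]) == bg {
			mark = '.'
		}
		sb.WriteByte(mark)
		if (i/blockSize)%8 == 7 {
			sb.WriteByte('\n')
		}
	}
	return sb.String()
}

func main() {
	key := make([]byte, 16) // constructed all-zero AES-128 key; any key leaks the same way
	ecb, gcm := ecbEncrypt(key, sampleFrame()), gcmEncrypt(key, sampleFrame())
	fmt.Printf("AES-128-ECB: %d distinct blocks of 64\n%s", len(histogram(ecb)), silhouette(ecb))
	fmt.Printf("AES-128-GCM: %d distinct blocks of 64\n%s", len(histogram(gcm)), silhouette(gcm))
}
```

Running it shows the ECB ciphertext keeping exactly the three distinct block values of the plaintext, with the 2x2 subject plainly visible in the grid, while the GCM ciphertext has 64 distinct blocks and no structure. The key size (128 versus 256 bits) is beside the point here; ECB leaks the same way at any key length, which is why the mode, not the key size, is the more serious finding.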
Two days after apologizing for the issues reported last week, Zoom CEO Eric Yuan responded to Citizen Lab’s findings. Yuan noted that, in its urgency to keep up with demand, Zoom had rapidly added server capacity, starting in China, where cases of COVID-19 first appeared.
“In that process, we failed to fully implement our usual geofencing best practices,” according to Yuan’s April 3 post. “As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this. We have also been working on improving our encryption and will be working with experts to ensure we are following best practices.”
Yuan noted that Zoom typically maintains geofencing, which is meant to ensure that meetings held by users outside of China aren’t routed through data centers in that country. As demand ramped suddenly in February, Zoom rushed to meet it by quickly deploying the additional servers.
“In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to – under extremely limited circumstances – connect to them,” he said.
This typically happened only when all other servers outside of China were unavailable, he noted. Following up on a prior April 1 post, Yuan promised to share more about how Zoom will address the encryption issues.
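The failure Yuan describes is a fail-open fallback: the primary bridges were geofenced, but the shared backup list was not, so a client with no healthy in-region bridge could be handed one anywhere. The program below is an added, generic illustration written for this article, not Zoom’s routing code; the Bridge type, the region labels, the policy table and the outage scenario are all constructed. It shows the fail-open selector beside a fail-closed one that applies the same geofence to the backup list and returns an error instead of an out-of-policy relay.

```go
package main

import (
	"errors"
	"fmt"
)

// Bridge is a hypothetical media relay; names and regions are constructed,
// not real Zoom data-center identifiers.
type Bridge struct {
	Name, Region string
	Up           bool
}

// geofence is a constructed policy: the bridge regions a client in a given
// region may be routed to. Chinese clients stay in China and vice versa.
var geofence = map[string][]string{
	"us": {"us", "eu"},
	"eu": {"eu", "us"},
	"cn": {"cn"},
}

func permitted(clientRegion, bridgeRegion string) bool {
	for _, r := range geofence[clientRegion] {
		if r == bridgeRegion {
			return true
		}
	}
	return false
}

// pickFailOpen reproduces the mistake described above: primaries are checked
// against the geofence, but the backup list is searched without it, so when
// every permitted primary is down the client lands on whichever backup is
// up, in any region.
func pickFailOpen(clientRegion string, primaries, backups []Bridge) (Bridge, error) {
	for _, b := range primaries {
		if b.Up && permitted(clientRegion, b.Region) {
			return b, nil
		}
	}
	for _, b := range backups {
		if b.Up {
			return b, nil
		}
	}
	return Bridge{}, errors.New("no bridge available")
}

// pickFailClosed applies the same geofence to both lists. A client with no
// permitted bridge gets an error, never an out-of-policy relay.
func pickFailClosed(clientRegion string, primaries, backups []Bridge) (Bridge, error) {
	for _, list := range [][]Bridge{primaries, backups} {
		for _, b := range list {
			if b.Up && permitted(clientRegion, b.Region) {
				return b, nil
			}
		}
	}
	return Bridge{}, fmt.Errorf("no permitted bridge available for region %q", clientRegion)
}

// outageScenario is constructed: every US and EU bridge is down and only the
// Chinese ones answer, the "extremely limited circumstances" Yuan described.
func outageScenario() (primaries, backups []Bridge) {
	primaries = []Bridge{{"us-1", "us", false}, {"eu-1", "eu", false}, {"cn-1", "cn", true}}
	backups = []Bridge{{"us-backup", "us", false}, {"eu-backup", "eu", false}, {"cn-backup", "cn", true}}
	return primaries, backups
}

func main() {
	primaries, backups := outageScenario()
	for _, region := range []string{"us", "cn"} {
		open, err := pickFailOpen(region, primaries, backups)
		fmt.Printf("%s client, fail-open:   bridge=%q err=%v\n", region, open.Name, err)
		closed, err := pickFailClosed(region, primaries, backups)
		fmt.Printf("%s client, fail-closed: bridge=%q err=%v\n", region, closed.Name, err)
	}
}
```

The design point is that a backup list is still a routing decision and must pass through the same policy check as the primary list; an outage should degrade into an error the client can surface, not into a silent policy bypass. A Chinese client in the same scenario is served normally by either selector, so the fail-closed version costs nothing where the policy is satisfied.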
“We recognize that we can do better with our encryption design,” he said, in his subsequent April 3 post.
Zoom shares plummeted 15% on April 6 and were down nearly 7% as of 1:40 p.m. ET on Tuesday as critics remained unmoved by Yuan’s responses to reports of its lax security practices.
Harsh Reaction on Social Media
“For everybody patting Zoom on the back for its apologies and promises to do better, keep in mind it LIED about: AE256 (128), E2E encryption (TLS), geofenced keys (China-US),” industry analyst Patrick Moorhead, founder of Moor Insights & Strategy, tweeted on April 5. “These aren’t ‘mistakes.’ It has a culture issue.”
Managed service providers (MSPs) and IT consultants agree that Zoom must fix these issues quickly, but have varying opinions as to whether companies should ban the use of the service.
“Zoom security stuff is awful and this will just get worse,” said Ben Johnson, founder and CEO of managed services provider Liberty Technology.
Peter Fidler, president of WCA Technologies in New York City, said he wasn’t impressed with Zoom’s original response last week.
“I think Zoom’s response fell short,” Fidler said. “Their onboarding should have included a getting started security guide. They knew they were not selling subscriptions to the enterprise.”
Fidler acknowledged customers have ramped up on the use of Zoom.
“They could probably use [Microsoft] Teams but they are more comfortable with Zoom,” he said.
Indeed, many organizations have gravitated to Zoom. Why? Because it is easy for non-technical people to set up a meeting and use the service. Critics argue that it is that ease of use that has led to weak default security settings. Zoom’s user base has jumped from 10 million at the beginning of this year to 200 million, a 20x increase, in the wake of COVID-19.
“That’s some explosive growth,” according to a blog by Scott Gombar, owner of NwajTech, an MSP in Meriden, Connecticut. “Zoom’s platform has remained stable throughout.”
Zoom’s Security Changes
Zoom also announced changes that will require passwords for all meetings, including instant meetings and those joined by phone dial-in. Zoom is also enabling the waiting room feature by default, allowing hosts to control who can join a meeting.
Gombar, who posted 12 tips on April 4 outlining how to hold more secure Zoom meetings, noted some of the security issues, but said he remains confident in Yuan.
“Essentially, he explained that the recent growing pains contributed to the vulnerabilities and challenges,” Gombar noted. “He was very transparent with what has been done and what they will do going forward.”
The blame shouldn’t fall squarely on Zoom, he added. It also rests on businesses and consumers who use the platform.
“Security is everybody’s responsibility, and until everybody takes it seriously, these things will continue to happen,” Gombar noted. “I attended five meetings over Zoom last week. Three of them did not have a password on them.”
As reports pointing to Zoom’s lax security practices have widened, Gombar acknowledged it has raised eyebrows among some clients.
“Most clients are sticking with Zoom, but a few have opted to use MS Teams/Skype for Business,” he noted. “A few therapists have used Facetime for telehealth.”
Melvin Foo, owner of PC Ninja, a provider of IT services to small businesses in Wyomissing, Pennsylvania, said he would continue to recommend it for smaller organizations, now that Zoom has said it will allow conference moderators to control who can access a meeting and require the use of passwords.
“I think it’s kind of blown out of proportion from that standpoint,” he said.
But Foo said he would steer clients from Zoom if they plan to discuss confidential matters.
“In those cases, I would suggest using another solution,” he said.
Kevin Kieller, co-founder and lead strategist at EnableUC, a technical consulting firm, believes Teams is a better solution, but disagreed that Zoom is sidestepping the issues that have surfaced.
“I believe Zoom as an organization is taking security issues seriously and is being quite transparent in addressing these concerns,” Kieller said. “Many organizations are allowing Zoom use for nonconfidential meetings, like social gatherings, where the 7×7 tile display is appreciated but is requiring a more secure option, such as Microsoft Teams, for any meeting that is discussing sensitive information.”