Video conferencing has been around for more than two decades (which tells you roughly how old I am). But while the concept has remained largely the same, the technologies used to deliver the service have benefited from the evolution of cloud, mobile and security.
The first two can be likened to enabling platforms, whereas the last is an add-on that followed the rise of cybercrime and the need to protect one's privacy, both as an individual and as part of an organisation.
In June 2019, PC Magazine (PCMag) listed its top 10 picks for video conferencing software: RingCentral Meetings (4), Intermedia AnyMeeting (3.5), Zoho Meeting (3), ClickMeeting (4.5), Zoom Meeting (5), GoToMeeting (4), Microsoft Teams (4), Cisco Webex Meetings (4.5), BlueJeans Meetings (4) and Join.me (3.5).
This year, one brand has become a success story: Zoom. In the Protocol article "Zoom conquered video chat — now it has even bigger plans", David Pierce attributes this success to the coronavirus pandemic forcing people to work from home. He also concedes there is an air of mystery about why people love Zoom.
Zoom has benefited from the closure of schools and offices leading to rise in remote learning and work-from-home activities.
Zoom vulnerabilities
Zoom's apparent success has drawn the interest of the cybercrime community, most visibly in what the U.S. Federal Bureau of Investigation (FBI) calls Zoom-bombing, in which uninvited attackers hijack a Zoom session, typically by guessing or obtaining its meeting ID, and disrupt it for malicious purposes.
But Zoom's problems may not be limited to Zoom-bombing. A report by BleepingComputer claims that more than 500,000 Zoom accounts are being sold on the dark web and hacker forums, with some of the credentials offered for free. The report traced the credentials to credential-stuffing attacks that reused passwords leaked in earlier breaches, rather than to a compromise of Zoom's own systems.

To be clear, this is not the first time the platform has been warned about a security weakness. In July 2019 software engineer Jonathan Leitschuh described on Medium a separate flaw he had reported to Zoom in March 2019: the Mac client installed a hidden local web server that allowed any website to force a visitor into a Zoom meeting with the camera switched on, and he documented the company's failure to address the issue within the 90-day disclosure window he gave it.
User response
Following news of the Zoom-bombing attacks in different parts of the world, governments in Taiwan and India and private organisations like Google and SpaceX have banned the use of the platform. While Singapore’s Ministry of Education has lifted its ban on the use of Zoom, a Hong Kong protest group is calling for Zoom to be banned for online learning.
Apology?

In a blog post, Zoom CEO Eric S. Yuan said the platform was designed for corporate users and cited enterprises that had performed "exhaustive security reviews" of the vendor's technology. He also noted that at the end of December 2019 the maximum number of daily meeting participants was about 10 million, a figure that ballooned to more than 200 million in March 2020.
Yuan apologised for “falling short of the community’s privacy and security expectations”.
Stop-gap solution
Zoom says it has brought in former Facebook chief security officer Alex Stamos as an adviser and formed an advisory board to improve the platform's privacy and security.

Tony Jarvis, Check Point Software's chief technology officer for Asia-Pacific, suggested that organisations that insist on using Zoom can change a number of settings to improve on the defaults. These include requiring a password for invitees to join meetings and using a unique, freshly generated meeting ID for each meeting rather than reusing the host's personal meeting ID.
Zoom also has a "waiting room" function that lets the host decide whether to admit each participant. Zoom has since turned these protections on by default, but it is still worth checking the settings on meetings that were scheduled before the change. Other platforms offer the same feature.
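As an added illustration (not part of the original article and not Zoom's own code), the script below audits a list of meeting records for exactly the settings discussed above, and produces a hardened copy of any meeting that fails. The records and field names are constructed for this example and only approximate the shape of a Zoom meeting object (password, settings.use_pmi, settings.waiting_room, settings.join_before_host); treat them as an assumption, not as captured API output.

```python
import copy
import secrets
import string
from typing import Any, Callable, Dict, List, Optional, Tuple

# Constructed sample record: a meeting created with permissive defaults.
# Field names are an assumption modelled loosely on a Zoom meeting object.
WEAK_MEETING: Dict[str, Any] = {
    "id": 1234567890,
    "topic": "Weekly all-hands",
    "password": "",                  # no passcode: the meeting ID alone admits anyone
    "settings": {
        "use_pmi": True,             # host's personal meeting ID reused for every meeting
        "waiting_room": False,       # participants land directly in the call
        "join_before_host": True,    # attendees can start the meeting without the host
    },
}

# Each check pairs a finding message with a predicate that is true when the
# meeting is configured in the weak way.
CHECKS: List[Tuple[str, Callable[[Dict[str, Any]], bool]]] = [
    ("no passcode required to join",
     lambda m: not m.get("password")),
    ("reuses the personal meeting ID instead of a unique per-meeting ID",
     lambda m: bool(m.get("settings", {}).get("use_pmi"))),
    ("waiting room disabled",
     lambda m: not m.get("settings", {}).get("waiting_room")),
    ("participants may join before the host",
     lambda m: bool(m.get("settings", {}).get("join_before_host"))),
]


def audit_meeting(meeting: Dict[str, Any]) -> List[str]:
    """Return the weak settings found on one meeting record (empty if none)."""
    return [message for message, is_weak in CHECKS if is_weak(meeting)]


def generate_passcode(length: int = 10) -> str:
    """Alphanumeric passcode drawn from the CSPRNG (secrets), never random.choice."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def harden_meeting(meeting: Dict[str, Any], passcode: Optional[str] = None) -> Dict[str, Any]:
    """Return a copy of the meeting with the recommended settings applied.

    The original record is left untouched so the caller can diff before/after.
    """
    hardened = copy.deepcopy(meeting)
    hardened["password"] = passcode or generate_passcode()
    hardened.setdefault("settings", {}).update({
        "use_pmi": False,            # let the platform allocate a fresh meeting ID
        "waiting_room": True,        # host admits each participant explicitly
        "join_before_host": False,   # nobody is in the room until the host arrives
    })
    return hardened


def audit_all(meetings: List[Dict[str, Any]]) -> Dict[int, List[str]]:
    """Map meeting id -> findings, including only meetings that have findings."""
    report: Dict[int, List[str]] = {}
    for meeting in meetings:
        findings = audit_meeting(meeting)
        if findings:
            report[meeting["id"]] = findings
    return report


if __name__ == "__main__":
    fixed = harden_meeting(WEAK_MEETING)
    for meeting_id, findings in audit_all([WEAK_MEETING, fixed]).items():
        print(meeting_id, findings)
    print("hardened meeting findings:", audit_meeting(fixed))
```

In practice the input list would come from whatever export or API your conferencing platform offers; the audit logic itself does not depend on where the records come from, and the same predicate table can be extended with checks such as restricting screen sharing to the host.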
“Other tools exist which are comparable to Zoom and offered by vendors such as Microsoft and Google. To date, it appears that they may be more secure options. It should be noted though that the work from home situation has led to cybercriminals turning their attention to platforms like Zoom as this has a large user base. If they were to target other platforms, vulnerabilities which we are currently unaware of may be exposed,” said Jarvis.

Etay Maor, chief security officer at IntSights, holds a much stronger opinion on the matter, saying every vendor should take into account the security risks associated with its solution when developing an application.
He added that vendors know there is a delicate balancing act between usability, speed and features on the one hand and security on the other.
“There is always a struggle in development cycles to make sure you are ahead of the competition and unfortunately sometimes these considerations triumph security considerations. What consumers should expect is that once a vulnerability is detected, the vendor will take swift action to fix it,” he continued.
Maor believes many vendors use tools to help them identify insecure code, pen-test their own systems and discover vulnerabilities and exploits, and that there are now more regulatory and compliance laws to make sure vendors take care of security issues in a timely manner.
“From what I understand, Zoom has hired high profile security professionals to help them with their challenges. Some fixes are very easy to implement and require changes in code – others may be more substantial and may require a change in the architecture of the program or its security mechanisms,” he concluded.
Security works both ways
According to Maor, no vendor should pass its security issues on to the end user; it is the vendor's responsibility to make sure the product it provides is as secure as possible.
“For users, their responsibility lies in utilizing the solutions in a safe manner with security credentials, making sure to patch it, etc,” he added.
Maor offered the following recommendations for organisations looking to use any conferencing solution: they should ask about, and dig into, multiple aspects of the software's security, including:
- Is any data stored? If so where?
- Is the communication encrypted?
- How is the communication routed?
- How often are vulnerabilities tested for?
- Are any elements of the software developed by a third party and, if so, how are they secured?
- Is there 24/7 support? How fast will IT be notified of security issues?
- Does the vendor comply with different local and international data protection laws?
- Is there an external security audit to share?