Update: After these issues came to light, zoom put in place a swathe of security updates, and we’re now considering the software safe to use.
You may be familiar with zoom – we’ve seen various customers using this as a communication tool during the coronavirus lockdown. It’s great for conference calls, remote teaching and has been used for the PM’s cobra meetings.
This week zoom has been all over tech-news with horror stories hitting left right and centre. We’ve summarised them here:
- No Encryption: It’s best practice to use end-to-end encryption. It basically means that you’re protected from man-in-the-middle attacks, and your data is safe when travelling across the internet. Unfortunately, zoom decided to simply tell everyone it used end-to-end when it was using literally no encryption at all.
- Zoom Bombing: As zoom meetings are joined with a simple number based url, hackers can easily generate and join meetings / conferences / webinars. In the US, the FBI have started an investigation into the practice.
- Massive Security Flaws: One of which is that zoom installs with it a small web server, which allows calls to be joined immediately with the click of a link, e.g. zoom.us/j/00000000. This would join the meeting straight away with no prompt to the user to join the call. This can also be exploited, and hackers could access the webcam and microphone of macs that have the software installed. Even worse, if you’re using a Windows PC that connects to your business network, hackers can harvest your Windows logon credentials and use them to compromise your network and access private data.
- User Data For-Sale: Zoom has been sending your personal data to Facebook. This week zoom have been slapped with a lawsuit in the US alleging just that. We don’t know if it’s true, but given their current track record we wouldn’t be at all surprised.
Our advice for the meantime is to uninstall and find an alternative. We use slack for our internal communications and supports group calls, screen sharing and messages.
Zoom CEO Eric. S. Yuan wrote in a blog post: “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively.“, but we certainly will have a hard time trusting the company again, given their complete disregard for security and users privacy.
More on Zoom: