
Zoom Security: The Good, the Bad, and the Business Model

Zoom — one of the hottest companies on the planet right now, as businesses, schools, and individuals switch to various forms of teleconferencing due to the pandemic — has come in for much criticism due to assorted security and privacy flaws. Some of the problems are real but easily fixable, some are due to a mismatch between what Zoom was intended for and how it's being used now — and some are worrisome.

The first part is the easiest: there have been a number of simple coding bugs. For example, their client used to treat a Windows Universal Naming Convention (UNC) file path as a clickable URL; if you clicked on such a path sent by an attacker, you could end up disclosing your hashed password. Zoom's code could have and should have detected that, and now does. I'm not happy with that class of bug, and while no conceivable effort can eliminate all such problems, efforts like Microsoft's Software Development Lifecycle can really help. I don't know how Zoom ensured software security before; I strongly suspect that whatever they were doing before, they're doing a lot more now.

Another class of problem involves deliberate features that were actually helpful when Zoom was primarily serving its intended market: enterprises. Take, for example, the ability of the host to mute and unmute everyone else on a call. I've been doing regular teleconferences for well over 25 years, first by voice and now by video. The three most common things I've heard are "Everyone not speaking, please mute your mic"; "Sorry, I was on mute," and "Mute button!" I've also heard snoring and toilets flushing… In a work environment, giving the host the ability to turn microphones off and on isn't spying, it's a way to manage and facilitate a discussion in a setting where the usual visual and body language cues aren't available.

The same rationale applies to things like automatically populating a directory with contacts, scraping LinkedIn data, etc. — it's helping business communication, not spying on, say, attendees at a virtual religious service. You can argue whether these are useful features or not; you can even say that they shouldn't be done even in a business context — but the argument against it in a business context is much weaker than it is when talking about casual users who just want to chat online with their friends.

There is, though, a class of problems that worry me: security shortcuts in the name of convenience or usability. Consider the first widely known flaw in Zoom: a design decision that allowed "any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission." Why did it work that way? It was intended as a feature:

As Zoom explained, changes implemented by Apple in Safari 12 that "require a user to confirm that they want to start the Zoom client prior to joining every meeting" disrupted that functionality. So in order to save users an extra click, Zoom installed the localhost web server as "a legitimate solution to a poor user experience problem."

They also took shortcuts with initial installation, again in the name of convenience. I'm all in favor of convenience and usability (and in fact one of Zoom's big selling points is how much easier it is to use than its competitors), but that isn't a license to engage in bad security practices.

To its credit, Zoom has responded very well to criticisms and reports of flaws. Unlike more or less any other company, they're now saying things like "yup, we blew it; here's a patch." (They also say that critics have misunderstood how they do encryption.) They've even announced a plan for a thorough review, with outside experts. There are still questions about some system details, but I'm optimistic that things are heading in the right direction. Still, it's the shortcuts that worry me the most. Those aren't just problems that they can fix; they make me fear for the attitudes of the development team towards security. I'm not convinced that they get it — and that's bad. Fixing that is going to require a CISO office with real power, as well as enough education to make sure that the CISO doesn't have to exercise that power very often. They also need a privacy officer, again with real power; many of their older design decisions seriously impact privacy.

I've used Zoom in a variety of contexts for several years, and mostly like its functionality. But the security and privacy issues are real and need to be fixed. I wish them luck.

By Steven Bellovin, Professor of Computer Science at Columbia University – Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.


Comments

By Phil Howard – Apr 10, 2020 4:33 pm PDT

Certainly a team of workers in a business is not the same as a classroom of kids. Zoom focused on the former, and now faces the latter. But, I still worry about one of those kids, or a real outsider, sneaking into the business meeting, unannounced.
