With more and more people working remotely, due to the COVID-19 pandemic, the popular video conferencing platform, Zoom saw over a 500% rise in their daily traffic this past month. But with the increase in its usage, security flaws were discovered when many calls started getting infiltrated by other users.
Zoom is easy to set up, use, and allows up to 100 people to join calls for free. And the fact that it just works all the time has made it more popular than other video conferencing platforms.
But the ease of use itself has made it easy for infiltrators to bomb into ongoing meetings. The Zoom-Bombing has brought Zoom into the international spotlight, which has led to the discovery of even more security flaws in the platform.
If you set up a zoom call that only requires your meeting ID, your meeting is public, and anyone with the ID can bomb into it. You don’t even have to share your meeting ID, as it can be guessed by simple automated tools online.
The troublemakers can be kicked out by the host, but they can hop back in with new user IDs. The easiest way to avoid Zoom bombing is to set up password-protected meetings. You can also use the waiting room feature, which will allow you to screen participants before starting the meeting, and once the meeting starts, you can lock more participants from entering.
Shady End-to-End Encryption
Zoom’s claims of them using end-to-end encryption doesn’t actually mean end-to-end encryption as it is commonly understood. End-to-end encryption ensures that the decryption of messages sent and received by you only happens on your and the receiver’s device, the platform should have no way to access or make sense of the data stored on the server.
“When we use the phrase ‘End to End,’ it is in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint,” says a spokesperson from Zoom. This means that the connection in between Zoom endpoints and your device isn’t encrypted at all.
In an April 1 blog post, Zoom’s chief producer, Oded Gal, wrote:
“We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.”
“We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
Zoom’s key management system doesn’t allow them to decrypt transmissions in real-time, according to Gal, but it doesn’t mean that it’s technically impossible to do so.
Malware-like Behavior and Much More, if You Zoom In
The malware-like behavior of the Zoom installer on Macs that was discovered last summer was never fixed until recently.
The macOS Zoom installer faking a password prompt, mimicking a standard application installation process, along with the misuse of the pre-installation scripts used by Zoom, that manually unpack and install the app into the Applications folder, is not just bad practice, but a technique that has been used by macOS malware. Zoom, swiftly reacting to these concerns, in the light of recent events, released a macOS Zoom installer that gets rid of this malpractice.
There are also other questionable practices, extensively discussed online, that put data privacy of Zoom users at risk. But not all of this has yet been confirmed.
Zoom Will Improve
The good news is, Zoom is only going to improve as a platform moving forward. Users just need to be aware that the way zoom operates, as of now, provides a huge attack surface, and only when the attack surface gets big enough, is when you should start expecting attackers and troublemakers.
The upside to all of this is that a lot of Zoom’s flaws will be found and fixed as soon as they’re discovered, and Zoom will eventually get better and safer.