‘Zoombombing’ on the Rise, Zoom Works to Improve Security

As use of Zoom Video Communications’ conferencing services has soared, the company’s chief executive Eric Yuan has had issues scaling up the popular app. The nine-year-old tool, once a favorite in the business world, is now ubiquitous among a wide swathe of consumers, educators and others. Issues with privacy and hacking have arisen, and Yuan admitted he “messed up” on security, especially with the claim — proven false — that Zoom offered end-to-end encryption. Yuan said the full encryption feature will be available in a few months. Meanwhile, some users are switching to other platforms.

The Wall Street Journal reports that Yuan said his first priority with Zoom was “a frictionless user experience for business customers.” As more people stayed home due to the coronavirus, Zoom “exploded,” used for “virtual cocktail hours, Zumba classes and children’s birthday parties” and becoming the “most downloaded free app on Apple’s iOS App Store.”

Across its paid and free services, the number of daily Zoom participants has soared from about 10 million at the end of 2019 to 200 million now. The company’s IPO about a year ago was “one of 2019’s most successful,” and its shares are up.

Yuan vowed to “devote all his engineers to fixing trust, safety and privacy issues.” “I feel an obligation to win the users’ trust back,” he said. Early in the coronavirus, Yuan made Zoom “more widely accessible for free so medical professionals and others could remain in touch,” stating that, “support for each other is more important than revenue.” He later admitted he should have prioritized privacy and security.

At the University of Toronto, Citizen Lab researchers found that Zoom used a substandard encryption technology. Zoom head of technical support Brendan Ittelson said the “distributed nature of the company’s infrastructure” meant that data could be sent to different data centers around the world, opening up the opportunity for hackers to “listen in” to Zoom meetings. Some data was mistakenly routed to China when traffic surged, which some critics believe could “pose a security risk.”

The New York Times reports on the increase in “Zoombombing,” in which attackers interrupt a meeting with hate speech, pornography or other harassment. A NYT analysis “found 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4chan where thousands of people had gathered to organize Zoom harassment campaigns, sharing meeting passwords and plans for sowing chaos.”

Attackers can be difficult to identify, as they “can appear to jump from one alias to another.” “When you see this kind of rampant abuse, it isn’t just a one-off thing,” said Syracuse University assistant professor Whitney Phillips. “Clearly, this is systemic.”

Engadget reports that, “some U.S. school districts, including large ones like New York City and Nevada’s Clark County, have banned or disabled Zoom over security and privacy worries … [and] others, such as Washington state’s Edmonds School District and Utah’s Alpine School District, are rethinking their policies on Zoom use.”

New York City teachers are switching to Microsoft Teams. Schools have experienced Zoombombing incidents, in which attackers have disrupted classes. Zoom stated it has made changes that “require waiting rooms for K-12 classes and limit who can share data by default.”

Related:
DoJ: Zoombombing Could Land You Behind Bars, Infosecurity Magazine, 4/6/20