Zoom vulnerabilities draw new scrutiny amid coronavirus fallout

As Americans stay home due to the coronavirus pandemic, video conferencing group Zoom has seen a surge in use. But the uptick in business has exposed vulnerabilities in Zoom systems and painted a target on the company for both lawmakers and hackers. 

Many have flocked to Zoom to hold everything from work meetings to happy hours, particularly as more and more countries enact stay-at-home orders that restrict people’s movements. 

As a result, the company’s stock has skyrocketed over the course of the coronavirus pandemic, and usage figures have boomed. Zoom CEO Eric Yuan is estimated to have made $4 billion in the past three months alone, according to Business Insider.

While a spokesperson for Zoom declined to comment on exactly how many people used the video conference tool in March, Yuan said during a press call last month that “we have seen a large increase in the number of free users, meeting minutes and new video use cases.”

But this week, the company was hit by multiple controversies, as increased use shined a spotlight on vulnerabilities that might have otherwise flown under the radar. 

One new phenomenon is “Zoom bombing,” when hackers or other individuals access and disrupt a live meeting.  

An example of this occurred during a virtual meeting of the Heman Sweatt Center for Black Males at the University of Texas this week when unknown users joined the meeting and shouted racist slurs to disrupt it.

And multiple Alcoholics Anonymous meetings in New York being held through Zoom were disrupted over the past week by individuals urging the participants to drink alcohol.  

The Zoom bombings have become so widespread that the FBI put out an alert earlier this week warning of the disruptions to online classes and other teleconferences held on the platform. The FBI recommended that all Zoom meetings be set to private and not shared on social media and urged individuals to make sure they were using up-to-date Zoom software. 

“As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts,” the FBI wrote. 

British Prime Minister Boris Johnson highlighted the perils of even posting a screenshot of Zoom meetings on social media this week, when he tweeted a photo of a Cabinet meeting that included the Zoom meeting ID number, potentially enabling anyone to join. 

“That’s just not a smart thing to do, and what it shows me is just the lack of understanding and lack of basic cybersecurity skills of our world leaders,” Eric Cole, a former cybersecurity adviser to President Obama and the founder and CEO of Secure Anchor Consulting, told The Hill on Wednesday. 

Zoom said it is fully aware of Zoom bombings and other security issues. 

A spokesperson for the company told The Hill on Wednesday that it was “deeply upset” by the Zoom bombing incidents and “strongly condemned” them, encouraging users to immediately report any such disruptions.  

“We take the security of Zoom meetings seriously and for those hosting large, public group meetings, we strongly encourage hosts to review their settings, confirm that only the host can share their screen, and utilize features like host mute controls and ‘Waiting Room,’ ” the spokesperson said. 

On top of these issues, the company was also hit by a class-action lawsuit this week for allegedly sharing user data with Facebook and other groups without users’ consent. The lawsuit was filed by a Zoom user following a Vice report this week that found Zoom sends some analytics data to Facebook from its iOS version. 

In response to these concerns, Zoom took steps to update its privacy policies this week in an effort to be more transparent, emphasizing in a blog post that the company “does not mine user data or sell user data of any kind to anyone.”

Cole emphasized to The Hill that Zoom users should understand that if they use the free version, they are likely giving up some data privacy as compared to paying for a business subscription. 

“People need to recognize that these companies, whether it’s right or wrong, are going to make money,” Cole said. “My advice there is if you are going to be using Zoom for any business-related activity that is sensitive, you need to pay the money.”

Despite the company’s reassurances, lawmakers and other politicians have begun to express serious concerns about Zoom’s cyber and privacy policies.

Both Sen. Richard Blumenthal (D-Conn.) and New York Attorney General Letitia James (D) sent letters to Zoom this week seeking information on how the company was addressing its cyber and privacy vulnerabilities.  

“The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the Coronavirus pandemic should not have to add privacy and cybersecurity fears to their ever-growing list of worries,” Blumenthal wrote in his letter to Yuan.  

Sen. Ron Wyden (D-Ore.), a cybersecurity advocate in the Senate, told The Hill on Wednesday that he was also “looking into” the reports of Zoom vulnerabilities.

“As government agencies, companies and educational institutions rapidly shift to teleworking, it is vital that the video conferencing tools used by tens of millions of Americans every day are secure,” Wyden said. “Particularly given the popularity of Zoom, I’m alarmed by recent reports that experts have discovered privacy and security issues in Zoom.” 

But beyond attention from the federal government, Zoom users can take steps immediately to decrease the chances that hackers or other individuals can access their meetings.

Cole said he would advise Zoom users to make sure security protocols are turned on when using the service, that attendees are verified and that passwords are required to access meetings.

“Cybersecurity is not hard. It’s not rocket science. It’s not super complicated. It’s just taking the time to understand the technology you’re using,” Cole said.