Zoom Video Communications
Zoom is video conferencing and online meeting software. They went public on the stock exchange for $36/share in 2019 and are currently sitting at $120/share with a year to date of 76% in 2020 even though market is down 30%. Investors clearly believe in the company and I agree, the response from Zoom has been awesome.
Zoom has earned the American Healthcare certification (HIPAA) and claim to be in compliance with Canadian Healthcare certification (PIPEDA/PHIPA) though we don’t have a certification process. They have an extensive privacy policy and impressive privacy controls: they protect data in transit via TLS 1.2 and 256bit AES.
However they have had previously had security issues that they fixed quickly and publicly. Elon Musk banned the use of Zoom in his companies. American law enforcement doesn’t recommend using Zoom and it has been banned by various other governments.
Zoom was sending data to Facebook although they claim to be removing this code, explaining simply that had enabled the ‘login with Facebook’ feature and Facebook was actually leaking the information. It’s likely this is true of many sites that have enabled ‘login with Facebook’. Hardly an indictment of Zoom.
Zoom is vulnerable to an SMBrelay 0-day. We have highlighted this vulnerability in other applications as it’s a very common problem. Zoom patched this in 1 day which is remarkable.
Unfortunately Zoom traffic is not encrypted end-to-end (ie workstation to workstation) In their blog, Zoom acknowledges they were deceptive when touting their data protection virtues. Those in healthcare should re-evaluate if this is a deal breaker.
In that last blog they state “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
There is also a harassment phenomena on Zoom meetings: people jumping into random meetings to be annoying. The reality is the default settings when creating a Zoom meeting are low on the security front and a fairly simple adjustment to these defaults will improve overall meeting security tremendously. Meeting hosts can increase their Zoom meeting security substantially by enabling the waiting room feature, assigning a password to their meeting, and using unique meeting IDs every time. Zoom didn’t need to make any changes.
Zoom responded with a blog on April 1st, pledging to make a number of changes over the next 90 days to improve overall security, the highlights include:
Enacting a feature freeze, effectively immediately, and shifting all engineering resources to focus on our biggest trust, safety, and privacy issues.
Conducting a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
Preparing a transparency report detailing information related to requests for data, records, or content.
Enhancing the current bug bounty program.
Launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
Engaging a series of simultaneous white box penetration tests to further identify and address issues.
Hosting weekly webinars on Wednesdays at 10am PT to provide privacy and security updates to the community.
Why the huge discrepancy between the stock market and the current news? The stock market invests for the future so it is a general prediction of where Zoom will be in several years.
Zoom has some short-term growing pains given the massive increase in their monthly user count over such a short period of time. They are already working towards fixing these fundamental security issues. The security problems they have are no different than competitors like Microsoft’s Skype or Teams.
In reality Zoom’s increased popularity has inspired greater scrutiny. There are legitimate concerns that they misled the public before so it’s not unreasonable to wonder if their current response is equally misleading.
Investors think they have a good future and they are right: the fundamentals of their infrastructure must be solid to scale this much this quickly without major issues. Their response fixing the security concerns has been top notch so I’m betting Zoom will be a long term contender.