Zoom’s vulnerabilities were exposed in rapid-fire succession as the service surged in popularity due to the coronavirus pandemic forcing businesses across the world to shift to remote work and people to seek new ways to keep in touch with friends and family in quarantine.
They included bugs that could allow hackers to spy on video and messages and a feature that automatically shared some data with Facebook. And its calls were not actually end-to-end encrypted, despite company claims they were.
But cybersecurity pros are commending Zoom for moving just as fast to acknowledge its errors and promising serious fixes. In a blog post from founder Eric Yuan, the company committed to comprehensive cybersecurity reviews by third parties and to dedicating all of its engineering power to fixing privacy and security rather than rolling out new features for the next 90 days.
“It’s a rare case of a company acknowledging their problems, admitting they made mistakes and misleading statements, and laying out concrete steps to fix it,” Gennie Gebhart, associate director of research at the Electronic Frontier Foundation digital rights group, told me.
Gebhart warned, however, that Zoom's promise to increase its security and privacy protections will mean little if it doesn’t follow through and ensure those problems are fully fixed over the next several months.
“There’s not much more you can ask, but they need to actually follow through. They’re not out of the woods yet,” she said.
Ashkan Soltani, former chief technologist for the Federal Trade Commission, described Zoom’s commitments in a Twitter post as much better than the typical responses of tech companies under fire.
The drama is a fast-forward version of a crisis that commonly befalls tech companies when they become more widely used and face increased scrutiny. But Zoom’s growth has been head-spinningly fast — a jump from about 10 million monthly users in December to about 200 million daily users today.
And the warm response from security pros could suggest the critical role Internet companies are playing in the coronavirus crisis is cooling the blanket hostility to many big tech firms stemming from privacy scandals in recent years.
“There’s a lot more to talk about now and this is also an example of how tech companies are helping people stay in touch during difficult times,” Gebhart said.
But for now, some of Zoom’s features are still raising privacy alarms. While one feature that could alert hosts when meeting participants look away from the screen has been removed, another that allowed some users to record conversations without the consent of others in the meeting has not, as my colleague Drew Harwell reported.
And because of a sloppy design choice, trolls and harassers were initially easily able to interrupt, or “Zoombomb,” meetings with harassing content. The trolls interrupted university lectures with racial slurs, bombarded a Jewish high school class with anti-Semitic attacks, and taunted participants in an Alcoholics Anonymous meeting with praise for booze. Zoom responded by condemning the trolls' actions and requiring passwords by default to join meetings, which makes zoombombing far harder.
The issues were already drawing questions from state and federal officials, including New York Attorney General Letitia James, who asked the company for details about how its user data is shared and protected, and Sen. Richard Blumenthal (D-Conn.), who wrote a letter demanding answers about the company’s “troubling history of software design practices and security lapses.”
In his blog post, Yuan apologized for “fall[ing] short” of the company’s own privacy and security standards.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Yuan wrote. “We now have a much broader set of users who are utilizing our product in myriad unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”
Zoom also released a statement apologizing for misleading users about its encryption protections. The company had claimed it offered “end-to-end” encryption, which means information is shielded from everyone except the sender and recipient, including the company that’s managing the communication. But Zoom actually retained access to video and audio of meetings, the Intercept reported.
“While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” the company said in a separate blog post.
Dave Kennedy, founder of the cybersecurity firm TrustedSec, praised Zoom’s “communication and clarity.”
As did Ben Adida, who runs the nonprofit voting machine company VotingWorks.
Here’s a deeper dive from Kennedy on how security pros should look at Zoom’s issues:
PINGED, PATCHED, PWNED
PINGED: Pro-Iran hackers attempted to steal the personal emails of World Health Organization staff during the coronavirus pandemic, Joseph Menn, Christopher Bing, Raphael Satter and Jack Stubbs at Reuters report. The revelation is just the latest example of an increase in cyberattacks against organizations on the front lines of fighting the global health crisis.
There’s no evidence any emails were successfully hacked, WHO spokesman Tarik Jasarevic told Reuters. The attempted hack follows a separate effort to breach the WHO, likely by East Asian hackers. The United Nations health agency and its partner have faced a twofold increase in hacking attempts during the pandemic, Reuters reported.
The Iranian government denied any involvement with the hackers who sent emails posing as Google web services to try to steal personal information. The websites used in the attacks were the same as ones used to target American academics with ties to Iran.
PATCHED: Microsoft announced a plan yesterday to offer cybersecurity help to political campaigns at dramatically reduced prices under its Defending Democracy Program. The services will be available to campaigns for federal, state and local elections and will include vetting their systems for cybersecurity best practices and responding to hacks after they happen.
The announcement follows a slew of similar offers for free and reduced prices for cybersecurity services from other firms after the Federal Election Commission opened the door for such offers last spring.
Microsoft also announced plans to offer a free service called AccountGuard that sends alerts about hacking threats to members of Congress and their staffs and to state and local election officials. The service was already available to political campaigns, political parties and democracy-focused nonprofit organizations in the United States and elsewhere.
The company also released a slate of recommendations for running elections during the pandemic, including increasing access to absentee voting, allowing voters to request mail-in ballots online and enabling “curbside or portable” voting.
PWNED: Lawmakers and voting rights advocates are gearing up for another fight to get the election security money into a second stimulus bill that’s already being discussed in Washington. They hope to secure at least $1.6 billion to increase early voting, voting-by-mail and other reforms, after securing just $400 million for elections in the first coronavirus stimulus bill.
Sens. Amy Klobuchar (D-Minn.) and Ron Wyden (D-Ore.) gathered with half a dozen civil rights advocates yesterday to press for their bill, the Natural Disaster and Emergency Ballot Act, to be a part of any additional coronavirus stimulus package. That bill would require states to allow all their citizens to vote by mail without requiring an excuse such as travel or ill health, and mandate expanded early voting.
Getting the funding approved fast is vital because time could be running out for states and localities to make big changes if the pandemic is still making in-person voting difficult in November, Klobuchar warned.
“This next month is critical for our democracy,” she said. “I can’t think of another time when we faced something quite like this.”
Stay home and stay safe this weekend, folks.