Zoom security flaws could leave people at risk, say experts

Published Apr 3, 2020


When Georgetown University began advising faculty to use the video-call service Zoom to record their classes during the coronavirus lockdowns, professor James Millward couldn't help but worry about where all that video would end up.

His course on modern China features free-flowing and unsparing discussions about contentious issues, like censorship and surveillance. How would students' privacy be protected? And could those videos of students' faces, voices and questions someday be used against them?

"If we had a big camera on the wall recording everything happening in our normal classrooms, we would be very alarmed by that," he said in an interview. "And yet we're now eagerly setting that all up in our homes, creating these recordings without having any idea what's happening to them."

After the coronavirus contagion brought an end to many rituals of everyday life, many of them reappeared on Zoom, a video-call service that has exploded in popularity across a nation almost entirely locked indoors. Weddings, funerals, company layoffs, kindergarten classes and official government meetings have all been streamed through its platform, leading the Silicon Valley firm's market value to double to roughly $35 billion this year.

But the company's dramatic growth has come with a crisis of its own: An uproar over security, privacy and harassment concerns that could leave its growing audience at risk. Security researchers who've analyzed Zoom's code say its software relies on techniques that could leave people's computers exposed. And its data-sharing arrangements and the ability of some users to record conversations without the consent of all involved could undermine people's privacy as they carry out sensitive calls from home.

Launched as a business-friendly video chat, Zoom's engineers pushed design decisions that bypassed certain safeguards to save people a few clicks before jumping on a call. But technical experts argue the shortcuts are ripe for hackers who could exploit them to secretly peek into people's lives.

The company in recent days has endured a storm of embarrassing revelations from security researchers - flaws that could allow strangers to steal login information, access messages and gain control of users' cameras and microphones.

Zoom chief Eric Yuan said in a blog post Wednesday night that he was "deeply sorry" for falling short of users' "privacy and security expectations."

"We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," he wrote. The system's new user base, he said, was using Zoom in a number of "unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived."

The company, Yuan said, will freeze work on new features and shift all of its engineering resources for the next 90 days to its biggest safety and privacy shortfalls. The company is also gathering a team of outside experts to conduct a "comprehensive review" of the system and draw up a short-term battle plan.

Zoom also is removing some controversial features, including an "attention-tracking" option that allowed a host to be alerted when the system suspected a call participant was looking elsewhere.

Federal and state authorities have begun asking questions about how the software monitors and protects Americans' video streams. New York attorney general Letitia James has asked the company for details on how user data is shared and safeguarded, and Sen. Richard Blumenthal, D-Conn., on Tuesday wrote a letter to Yuan demanding answers for the company's "troubling history of software design practices and security lapses."

"The millions of Americans now unexpectedly attending school, celebrating birthdays, seeking medical help, and sharing evening drinks with friends over Zoom during the coronavirus pandemic," Blumenthal wrote, "should not have to add privacy and cybersecurity fears to their ever-growing list of worries."

The company said in a statement that it takes user privacy and security seriously and is working to provide answers to the congressional and state requests.

Zoom has also attracted the scrutiny of the FBI, which said this week that it had received multiple reports of Zoom calls disrupted by anonymous trolls posting pornographic images and issuing threats; in one case last month, a Zoom hijacker shouted a teacher's home address in the middle of class. The bureau recommended video hosts keep the meetings private and use other features, like a participant-screening "waiting room," to control who joins the call.

Some have also criticised Zoom's default settings, which allow new people on a call to abruptly blast text and images onto other viewers' computers - a screen-sharing feature that "zoombombing" trolls have exploited at will. Zoom, which said in statements to The Washington Post that the feature was designed for its core user base of businesses, recently changed that default for schools, allowing only teachers to share their screens.

The service also allows a video host to record the call without participants' explicit consent. Call participants are notified when the recording starts and given the option to leave, but some students and other Zoom users said they feel like they have little choice but to stay.

Alex Stamos, the former Facebook security chief who now leads the Stanford Internet Observatory, said Zoom's issues have ranged from silly design decisions to serious product-security flaws - many of which he is reminded of constantly, because he, his wife and their three school-age children now use Zoom at home every day.

"Google would never ship with these problems. Never. They can afford the best security team in the world," he said. "But in a competitive marketplace, what you also have to put up with is security growing pains from the upstarts."

Zoom has become a global phenomenon virtually overnight because its video-call software is relatively fast, reliable and easy to use. While Zoom's business clients pay thousands of dollars a month for service, anyone can use it for free video calls or group meetings of up to 40 minutes long. During the outbreak, the company has also allowed grade schools to use the platform free of charge.

Zoom was used by more than 200 million callers last month, up from 10 million in December, and is now used in more than 90,000 schools across 20 countries, Yuan said. More than 5 million people across the U.S. used Zoom's mobile apps on Tuesday, five times more than a month ago, dwarfing the competition of its top rivals, including Skype, Slack, Google Hangouts and Microsoft Teams, data from the software research firm Apptopia shows.

Yuan, Zoom's billionaire founder, said he first daydreamed about a snappy video-chat service when he was a college student in China during long train rides to visit his girlfriend (now wife). He moved to Silicon Valley during the late '90s tech boom, joining the rival video firm WebEx, and later defected with a team of engineers to found Zoom in 2011.

The San Jose-based company made the bulk of its $188 million in revenue during the last fiscal year, which ended Jan. 31, from video-service subscriptions sold to more than 80,000 businesses, financial filings show.

That's part of the problem, some industry experts said: Zoom was never designed for households, schools and social groups unsure of the advanced settings and technical controls. The service's sudden popularity was so unexpected that Yuan told a virtual summit on Wednesday that the shift from a professional clientele to a mainstream audience was the company's "number 1 challenge."

Zoom faced heavy criticism last summer when a security researcher showed the company had been installing secret pieces of software on users' computers that could turn on their cameras without their knowledge or consent. The company defended the practice as helping speed up meetings, but groups such as the Electronic Privacy Information Center, which filed a Federal Trade Commission complaint, said it ignored security settings and could be abused by strangers wanting to silently invade a Zoom user's call. After Zoom said it fixed the issue, engineers at Apple took the rare step of universally deleting the programs. Zoom said it no longer uses the technique.

But as the app's popularity has grown, researchers have revealed new concerns. Zoom's iPhone and iPad apps sent some limited information, like a user's city and when they opened the app, to Facebook as part of a login feature common across the web. After the tech outlet Motherboard revealed the practice, Zoom said it removed the code.

Zoom advertised a security measure, known as end-to-end encryption, that would protect messages between a sender and their designated recipients. But an analysis in the online outlet The Intercept this week showed that the messages are not properly encrypted, allowing outside viewers to potentially see their contents.

A Zoom executive on Wednesday wrote a blog post apologizing for the confusion, saying "we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."

Security researchers this week said software vulnerabilities also could allow hackers to access users' cameras and microphones. Zoom representatives said they are "actively investigating" the reports.

And the code Zoom uses to speed up installation relies on "bad security practices and . . . lying to the user," according to a technical analyst at the cybersecurity firm VMRay. Yuan, Zoom's chief, said in a response that the company had used those practices to "balance the number of clicks" required by a user before the program could be used.

The country's abrupt Zoom-ification has also amped up anxieties among some bosses and teachers scrambling to lead people through a strange new time. New York University provost Katherine Fleming sent teaching staff an email last month attempting to address some concerns over a teaching style she wrote had "been a challenge for all and a major drag for some."

"Holding classes remotely is not a secret first step on the road to eliminating our regular mode of instruction," Fleming wrote, according to a copy of the email provided to The Washington Post. "NYU is not using NYU Zoom to surveil your class."

Clay Shirky, a vice provost for educational technologies at NYU, said Zoom has helped the university rescue the semester from devastating cancellations: At any given moment during the school day, more than 250 classes are in session on Zoom.

Zoom has scrambled to navigate the criticism, rolling out guides for how users can better protect their video streams. Over the weekend, the company also updated its privacy policy to say that customer video and chat messages are not accessed by the company or used for advertising. "Your meetings are yours. We do not monitor them or even store them after your meeting is done" except at the host's request, Zoom's legal chief Aparna Bawa wrote.

But there is already some indication that the pushback has started weighing down its bottom line: The company's stock price, which initially soared during the coronavirus lockdowns, has fallen this week nearly 20%. At least two class-action lawsuits were filed against Zoom this week, alleging the company had improperly shared users' personal information and duped customers with its promise of encrypted chat.

The company has faced added pressure from the rise of "zoombombing" raids, in which anonymous trolls barge into unlocked Zoom meetings, shouting profane insults and racist slurs. Videos of the raids, some of which have been removed by YouTube for violating hate-speech policies, show giggling trolls posting pornography into online grade-school lessons, pulling their pants down in front of company conference calls, and dancing with bottles of bourbon in what appeared to be an online Alcoholics Anonymous meeting.

Some students have also gone on to Reddit message boards and Discord chat rooms to request people hijack their own class. "Please - I'm begging you - raid my AP Stats class," one person wrote on a Reddit forum this week devoted to Zoom school invasions. The user also listed the names of the school's headmaster, principal and former teachers, details the trolls could use for comedic effect, adding, "Do whatever the hell you want."

The company said in a statement that it "strongly condemns harassment" and is seeking to remove the videos and identify the trolls to "ensure this doesn't happen again."

But some Zoom users feel the company hasn't acted aggressively enough. Dennis Johnson, a recent graduate from California State University Long Beach, was defending his doctorate dissertation last week on a university Zoom call when an unknown user took over the video and began scrawling an image of a penis and a racial slur - all while Johnson's mother, grandmother, spouse and dozens of other friends and family watched.

"I literally had to pause for a second, thinking, 'This can't be happening right now,'" Johnson said. "Somebody literally stole my moment. Three years of writing this paper, months of preparing, and I get there and it's taken from me and there's nothing I can do to get it back."

Elana Zeide, who researches technology and policy at the University of California, Los Angeles's law school, said the added scrutiny on Zoom has helped draw attention to its questionable design decisions. But it has also highlighted a tension for people scrambling, amid the chaos of "social distancing," to find a simple way to gather online. "You have schools and parents in a pinch, and there are only so many tools to use," she said.

The Washington Post
