Zoom has faced considerable criticism over privacy and security over the past few weeks. The company claimed to have implemented end-to-end encryption when Zoom itself had access to users’ video calls. Zero-days have been discovered, and exploits for them are allegedly being offered for sale. Data was found to be routed through China, and hackers have stolen at least 2,300 user credentials. There have also been many reported cases of Zoombombing, where people gatecrash Zoom meetings and harass participants. These are just a few of the Zoom privacy and security concerns that have been raised recently.
Some of the problems experienced by Zoom are due to a massive increase in usage as a result of the coronavirus lockdown. CEO Eric Yuan previously said the company is experiencing some growing pains, which is unsurprising given that at the end of 2019 the platform had around 10 million meetings a day, whereas now there are more than 200 million meetings taking place each day. The security challenges associated with such a massive and rapid rise in popularity are considerable.
Zoom has responded by improving transparency, and this week Zoom founder and CEO Eric Yuan announced that the company is rolling out several new security measures to address the issues widely covered in the media over the past couple of weeks.
The issue with meetings being routed through China has been addressed. Zoom said geofencing has always been in place to ensure users outside of China do not have their data routed through the country, but in a limited number of Zoom meetings that was not the case. By the end of the week, users of the paid service will be able to select the regions where their data will be routed.
Zoom has responded to the hacking of Zoom credentials, saying that it was not due to a breach of its own systems and that the credentials must have been stolen from elsewhere on the internet or through malware infections on users’ devices, as is the case with credentials for many other platforms.
Steps have been taken to improve security and prevent brute force attempts to guess users’ passwords. A system is under development that will detect when hackers are trying out different username and password combinations, and those users will be blocked from trying again.
Zoom has partnered with the cybersecurity firm Luta Security, which will be reviewing its processes to enhance security. Improvements will also be made to its bug bounty program to encourage ethical hackers to identify and report flaws to Zoom, which the company will address promptly.
The company has also taken several steps to reduce the risk of Zoombombing, including making passwords a requirement for Zoom meetings by default and adding a new toolbar feature to allow chats from strangers to be quickly locked.
All of the steps taken so far show that the company is taking privacy and security seriously, but some may feel that not enough has been done in response to the massive increase in usage. Zoom is now being investigated by several US states over its privacy and security practices, and many businesses and government agencies have now banned the use of Zoom out of security fears. One of the latest is the Indian government, which this week banned use of the platform for government remote meetings.