Even as popular video conferencing app Zoom pledges to improve in response to privacy and security concerns, experts warn that the platform is just one example of larger security threats looming due to the global wave of remote working and learning caused by the novel coronavirus pandemic.
“Companies have dramatically altered the way they work, which is leading to security problems,” said Ben Wootliff, head of Control Risks Cyber Security practice in Asia, adding that mitigation measures and security training should be in place to stem vulnerabilities.
“Over the coming months, we will see a lot of companies compromised because of the Covid-19 enforced changes,” he said. “The changes to the security environment will not go away soon.”
Zoom, which has beat Microsoft’s Skype and Google Hangouts to become the work-from-home app of choice for the tens of millions of people telecommuting due to the coronavirus pandemic, is now facing a backlash over a series of security and privacy lapses that came under the spotlight along with its exploding popularity in recent weeks.
The FBI’s Boston office issued a warning last week telling users not to make meetings on the platform public or share links widely after it received reports of internet pranksters hijacking virtual meetings to do silly things, post racist comments or sexually harass attendees – a phenomenon that has come to be known as “Zoombombing.”
The New York Attorney General’s office also made an inquiry into its cybersecurity practices, sending Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to The New York Times.
The lapses have driven high profile customers including SpaceX and Nasa to ban the app, with Zoom CEO Eric Yuan telling The Wall Street Journal in an interview that “I really messed up as CEO, and we need to win [users’] trust back”.
A Zoom spokeswoman said on Monday that the company was “working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic” and that it takes user privacy, security, and trust “extremely seriously”.
“We appreciate the outreach we have received on these issues from various elected officials and look forward to engaging with them,” she added in the statement in response to the New York Attorney General’s inquiry.
According to a blog post published by Yuan on Zoom’s website on April 1, the surge in users staying home due to the pandemic has caused “challenges we did not anticipate when the platform was conceived”.
Founded in 2011 by Chinese-born American Yuan, San Jose-based Zoom is known for the user friendliness of its platform, with users being able to join video conferences with just a link or randomly generated meeting ID number, without the need for passwords by default.
The convenience comes at a price, according to Wootliff. “There’s always a trade-off between convenience and security,” he said. “The more convenient the software is designed to use, the harder it is to keep it secure.”
Zoom was primarily built for enterprise customers – large institutions with full IT support, Yuan said in the post. “However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socialising from home. We now have a much broader set of users who are utilising our product in a myriad of unexpected ways,” he wrote.
The company is “committed to dedicating the resources needed to better identify, address, and fix issues proactively” over the next 90 days, according to the CEO, who wrote that measures implemented so far include clarifying protective features that could help prevent “Zoombombing”, removing a “Login with Facebook” feature that was sending information about users’ devices to the social networking giant, tightening the default privacy settings for education users as well as enabling passwords and virtual waiting rooms by default for more users.
Zoom’s links to China, a sensitive issue amid a hot US-China tech war, have also aroused suspicion. Last Thursday, it admitted in a statement that certain meetings held by non-Chinese users may have been “allowed to connect to systems in China, where they should not have been able to connect”.
The company noted in its filing to the US Securities and Exchange Commission in May 2019 that its “high concentration of research and development personnel in China” was a factor that could “expose us to market scrutiny regarding the integrity of our solution or data security features”.
That scrutiny did materialise: in a Tweet liked more than 2,000 times, Jacob Helberg, a senior adviser at Stanford University's Cyber Policy Center and adjunct fellow at the Centre for Strategic and International Studies, referred to Zoom’s engineering team in China and said “conducting sensitive conversations on a platform vulnerable to data collection by the CCP [Chinese Communist Party] should give pause to those concerned with protecting company or government secrets”.
Most of Zoom’s engineering team is based in China. Conducting sensitive conversations on a platform vulnerable to data collection by the CCP should give pause to those concerned with protecting company or government secrets. https://t.co/4AB37gd6R9
— Jacob Helberg (@jacobhelberg) March 31, 2020
Still, security experts the Post spoke to agreed the platform was just one example of how broader security issues could arise from the drastic surge in teleworking.
“It’s not usual to have 90 per cent of employees working from home,” Wootliff said, adding that “the issues are broader than what has been found with Zoom”.
“At the enterprise level, companies need to understand the baselines for remote working, so that they can spot irregular behaviour,” he said. “They also need to train employees to use their devices properly, separate work devices from non-work ones, and devise a plan to escalate and respond to possible breaches when most of your employees are outside the office.”
The risk of personal data being used for unauthorised purposes is common across cloud services, according to Kev Hau, a cybersecurity expert with Check Point Software Technologies.
“When using cloud services, we need to understand the shared responsibility model, where the cloud provider and cloud user both are accountable for different aspects of security and must work together to ensure full coverage,” he said.
“The cloud provider is responsible for securing their cloud infrastructure and its components. As for the user, we have the responsibility to protect [ourselves],” Hau added.
“Although Zoom is very popular, some of the issues are faced by many companies,” said Michael Gazeley, managing director and co-founder of Network Box Corporation, adding that “IT departments have been forced to wake up” due to the work-from-home trend.
“Say you’ve got a large company, and [staff] used to working behind layers of cybersecurity. But now you are using your laptop for both work and private life, and there’s no protection,” he said.
Gazeley suggested that companies that have not fully switched to remote working should set up proxies, virtual private networks and intrusion detection and prevention systems in advance if they can.
“It’s like changing the tire of a car – my recommendation would be to change it while the car is still stationary,” he said. “Once companies don’t have the luxury to have staff working from their offices, you will need to change the tire while it’s still moving.”
Sign up now and get a 10% discount (original price US$400) off the China AI Report 2020 by SCMP Research. Learn about the AI ambitions of Alibaba, Baidu & JD.com through our in-depth case studies, and explore new applications of AI across industries. The report also includes exclusive access to webinars to interact with C-level executives from leading China AI companies (via live Q&A sessions). Offer valid until 31 May 2020.
More from South China Morning Post:
- Coronavirus exposes flaws in Chinese and Hong Kong firms’ remote-working, business continuity capabilities
- Coronavirus: work from home scheme extended, harsh penalties laid out for quarantine violations as Hong Kong battles outbreak
- How Zoom became the coronavirus lockdown’s work-from-home video calling app of choice – beating Microsoft’s Skype and Google Hangouts
- Cybercrime lurks as biggest work-from-home experiment puts state, corporate secrets in peril
- Coronavirus forces world’s largest work-from-home experiment
This article Zoom’s security backlash points to bigger threats in coronavirus-led telecommuting wave, experts say first appeared on South China Morning Post