“We’ve fallen short…”
In December 2019, video conferencing tool Zoom had 10 million daily meeting participants on average. In March this year, that figure was 200 million.
The astonishing surge in use has come with a corresponding spike in scrutiny, as security researchers take to the airwaves to highlight a string of vulnerabilities, and school children trawl social media inviting trolls to “Zoom bomb” their lessons.
By Wednesday the pressure had mounted to the point at which Zoom CEO Eric Yuan had drafted a lengthy blog post, saying that the company would be freezing product development to focus solely on security, and apologising for “falling short of the community’s – and our own – privacy and security expectations.”
Infosec: “this company is doing well lately, let’s trash them in the media by publicizing a bunch of super low value vulnerabilities in their software”
Also Infosec: “why are companies hostile towards us :(”
— MalwareTech (@MalwareTechBlog) April 1, 2020
The furore has sparked a combination of sympathy and hostility in the security community, as well as a debate about just how helpful recent disclosures have been. Among the most contentious was the disclosure of two zero-days (previously unknown vulnerabilities) via TechCrunch, without prior notification to Zoom.
Patrick Wardle, ex-NSA and now working at Jamf, shared the two vulnerabilities (which allow an attacker to tap into the webcam and microphone) on his blog on Wednesday. Despite the subsequent hype, they were not remote code execution (RCE) bugs and would require an attacker to already have local access to the machine (at which point the user already has problems…).
Yes. Just because they are in the news doesn’t make dropping 0-day in Techcrunch appropriate.
— Alex Stamos (@alexstamos) April 1, 2020
Zoom Security Storm: What’s Happened?
That disclosure came after a series of other reports that had already drawn decidedly mixed reactions from the cybersecurity community.
These included one that resulted in Zoom removing its Facebook login because Facebook’s SDK was harvesting device data, and an April 1 apology from Zoom for misleading customers about how its encryption works.
Not everyone has been impressed with the security research community swarming all over the company. As Dave Kennedy, CEO of TrustedSec, put it:
“Most of the findings thus far would be considered low to medium risk. Not world-ending… Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others. Most of these exposures wouldn’t even bubble up to a high or critical finding in any assessments a normal tester would conduct.
“Yet, it has world reaching implications to the masses that don’t understand the technical details. It creates hysteria when it is not needed.”
Others disagree, with Google security researcher Tavis Ormandy saying of the zero-day disclosures: “It’s a problem with the installation, and installations are spiking *now*, not in six months. Now is the time to make sure people are aware of the risks, good work @patrickwardle. This is what real responsible disclosure looks like.”
Zoom’s CEO said in his blog: “Our platform was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices.
“Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom.”
New, “mostly consumer” use cases and a corresponding spotlight on the company have helped “uncover unforeseen issues with our platform,” he added.
What’s the Company Doing?
Zoom will now enact a feature freeze, effective immediately, and shift “all our engineering resources to focus on our biggest trust, safety, and privacy issues,” Yuan said. This will include launching a series of “white box penetration tests”, enhancing its current bug bounty programme, and “launching a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue.”
The company said it has also:
Set up a guide on how to better secure virtual classrooms.
On April 1, removed its controversial attendee attention-tracking feature.
Rapidly released fixes for a series of recent bugs.
Removed the LinkedIn Sales Navigator feature after identifying “unnecessary data disclosure” by it.
To Computer Business Review, the company’s reaction has been astonishingly good under pressure: publicly appreciative of the security disclosures, patching fast, and working hard to educate users. Whichever side of the fence security specialists sit on, one likely outcome of all the attention is that Zoom will soon be one of the most secure video conferencing platforms out there.
Banner image credit: @rtnarch, Twitter.