Zoom Has Security Flaws. It’s Still Fine to Use

The security community’s newfound interest in Zoom, the suddenly critical video conferencing software, is unlike anything we’ve seen before. Zoom itself has said that it went from having 10 million daily active users before the coronavirus pandemic to more than 200 million now. We’re conducting business, teaching classes, singing karaoke, and having beers over Zoom.

Zoom’s sudden ascendence as a critical communications vector for millions of Americans has understandably put it in the spotlight, which has led to a flurry of research and media coverage about the company’s security flaws and design decisions that make it insecure or not ideal in a variety of ways, both critical and relatively insignificantly.

Recently publicized findings, several of which have been fixed after they were disclosed, include:

• Zoom shared data with Facebook without noting that in its privacy policy
• Zoom allows anyone to join video calls if they have the meeting ID, which has led to the phenomenon of targeted (and random) “Zoom bombing”
• Automated “war dialer” tools have been written to brute force valid meeting codes, allowing for more Zoom bombing
• Zoom allows your boss / teacher / the person administering the call to determine whether you’ve been paying attention
• Forums have popped up to enable coordinated Zoom bombing
• Zoom’s calls are not actually end-to-end encrypted, even though it says they are
• Researchers have found vulnerabilities that could allow hackers to overtake a user’s webcam
• People who use less popular email services (i.e. not Gmail, Hotmail, etc) are sometimes put into a list as though they all work at the same company, allowing strangers to call them, see their email address, and photos
• A certain data harvesting feature allowed some Zoom users to match a meeting participant with their LinkedIn profile.
• "Private" text messages sent during a call can be read by the call's host

These findings come after the discovery of a terrible security flaw last year that allowed hackers to hijack a user’s webcam with a simple link (a much more serious attack than the one discovered earlier this week).

These discoveries have led the FBI to issue a warning about the use of Zoom, Sen. Richard Blumenthal to write a letter calling for an investigation into the company’s security, multiple investigations by state attorneys general, and a class action lawsuit to be filed against the company.

It’d be easy to look at all of these flaws and say that people should simply stay away from Zoom, and that is, indeed, what many people are saying. Meanwhile, some high-profile security researchers are saying that others in their industry and the media are doing the public a disservice—and are being unfair to Zoom—by focusing so much attention on the company and by blowing what are, in some cases, minor bugs, out of proportion.

I think that security researchers who say the media is being unfair to Zoom are wrong. As a suddenly critical part of our culture, economy, and government, Zoom deserves to be thoroughly poked, prodded, and analyzed by experts, who can point out design flaws.

Zoom, for its part, has largely responded to these disclosures admirably and transparently (with a helping of corporate half speak, but, well, it’s a corporation). It has apologized for misleading marketing about its encryption, it has made the decision to stop sharing information with Facebook, and it has announced that it is beefing up its security team and will spend the next 90 days solely dedicated to pushing security updates. This is the right move, and it’s also something that could not have been reasonably expected without widespread media coverage of the company’s failings. This is the system working, and working well.

People who say “no one should use Zoom” are wrong, too. Many of the flaws that have been found are minor, can be mitigated with different user behavior, and are not necessarily worse than what would be found if other video chat software were suddenly put through the same high level of scrutiny that Zoom suddenly has been. The answer as to whether people should use Zoom or not is, as it is with all communications apps, “it depends.”

Zoom is so popular right now because, compared to many of its other competitors, it is fast, stable, deals with bad connections particularly well, and can handle groups of large callers all at once. Of course, it’s so fast in part because it may have made security concessions to make it work so well, as was pointed out in a report published Friday by Citizen Lab, a group of highly respected security researchers at the University of Toronto.

“The most prominent security issues with Zoom surround deliberate features designed to reduce friction in meetings, which also, by design, reduce privacy or security,” Citizen Lab wrote in its report.

The Citizen Lab report is the most thorough and clear-eyed explanation I've seen of Zoom's strengths and weaknesses, and the whole thing is worth a read if this is a topic that interests you. The general takeaway, though, is that sensitive communications should probably not take place on Zoom—this means important government meetings, conversations between journalists and sensitive sources, and conversations between high profile individuals. If you're the British Prime Minister, you probably shouldn't hold cabinet meetings via Zoom and tweet a picture that reveals that meeting's unique ID, which is exactly what Boris Johnson did earlier this week. But Zoom is fine for karaoke night, for having a beer with a friend, for low-stakes work updates, unless you are particularly concerned that your friend is going to get mad at you for alt-tabbing over to Netflix.

"For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning," Citizen Lab wrote.

If you are worried about being Zoom bombed, you should use a password for that call. You should also make sure that your Zoom account doesn't re-use a password that you've used on another internet account (you should really be using unique passwords for all of your accounts).