A silver lining of the coronavirus crisis for videoconferencing software maker Zoom is that demand for its product is up, as millions of Americans staying at home have relied on the service to stay connected with family, friends, classmates and co-workers.
The downside of that burgeoning growth in users and usage is that Zoom has become a target for wrongdoers and potential hackers.
Uninvited guests who “zoom-bomb” online gatherings on Zoom have become a big enough problem that the FBI is on the case. Zoom had to update its software to prevent it from sending data from iOS device users to Facebook.
Zoom faces two additional security flaws that could be used to hijack a Zoom user’s Mac computer and access the webcam and microphone. Patrick Wardle, a former NSA hacker who works with Jamf, an Apple enterprise management software firm, revealed the bugs on his blog, first reported by TechCrunch.
Even though Zoom has become popular and critical, Wardle says, “if you value either your (cyber) security or privacy, you may want to think twice about using (the macOS version of) the app.”
This new Mac vulnerability can work similarly to a malicious app uploaded onto your phone to get inside a banking app and control it, says Zack Allen, director of threat intelligence at cybersecurity firm ZeroFOX. Another weakness could let an attacker get access to your online meeting and send messages to attendees that, if clicked, would install malware on your computer, he says.
Zoom has other security issues. A flaw identified by Matthew Hickey of cybersecurity firm Hacker House and first reported Wednesday by tech site iTnews could let a hacker get credential data and remotely access Windows computers on corporate networks.
Tech news site Motherboard reported Wednesday that Zoom was sharing the email addresses and photos of at least thousands of Zoom users who signed up with email addresses sharing the same domain.
In a statement to USA TODAY, Zoom said it is “actively investigating and working to address” the Mac vulnerabilities and addressing the data issue identified by Hacker House. “At Zoom, ensuring the privacy and security of our users and their data is paramount,” the statement said.
New York Attorney General Letitia James sent a letter Monday to Zoom with a number of questions to make sure the company takes appropriate steps to ensure users’ privacy and security, a spokesman told USA TODAY. The letter was first reported by The New York Times.
The attorney general’s letter came after a lawsuit filed Monday, first reported by Bloomberg, charged Zoom with sharing information about the user, the device, phone carrier and other data. The suit followed Motherboard’s analysis of the Zoom iOS app, which found that when the app was used, it sent information from the device to Facebook even if the user didn’t have Facebook on the device. Zoom subsequently updated its app to prevent the sending of information, the company told Motherboard.
Zoom has never sold – nor plans to sell – users’ data and does not monitor video meetings or their contents, the company said in a statement posted Sunday on its blog. “Zoom takes its users’ privacy extremely seriously. Zoom collects only the data from individuals using the Zoom platform required to provide the service and ensure it is delivered effectively under a wide variety of settings in which our users may be operating,” the company said.
Zoom-bombing disrupts connections
The zoom-bombing situation attracted attention this week after an Alcoholics Anonymous meeting in New York was interrupted by a man hollering misogynistic and anti-Semitic slurs and saying, “Alcohol is soooo good,” Business Insider reported.
In other incidents reported to the FBI, a Massachusetts high school online class was interrupted by a person cursing and shouting the teacher’s home address, and in a separate Massachusetts school meeting, an unidentified person appeared on video displaying swastika tattoos.
“As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called Zoom-bombing) are emerging nationwide,” the FBI Boston field office warned. “The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.”
Zoom updated its default settings, so passwords are required and teachers “are the only ones who can share content in class,” the company said in a statement to USA TODAY. “We are deeply upset to hear about the incidents involving this type of attack. We take the security of Zoom meetings seriously, and for those hosting large, public group meetings, we strongly encourage hosts to review their settings, confirm that only the host can share their screen and utilize features like host mute controls and ‘Waiting Room.’”
Should you need to report a Zoom intrusion, you can do so on the Zoom website.
As more people across the globe have been told to stay at home to prevent the spread of the COVID-19 virus, Zoom has seen its traffic skyrocket. Zoom has been the No. 1 app for most of the month on Apptopia’s app store chart, the tracking firm says. In March, Zoom was downloaded approximately 40 million times worldwide, outpacing social media apps Facebook, Snapchat and TikTok.
During March, daily downloads of Zoom in the USA rose more than 1,000% from 29,802 to 339,701, Apptopia says.
In mid-March, Zoom CEO Eric Yuan lifted time limits on Zoom sessions for all K-12 schools in the USA, Italy and Japan, a move first reported by Forbes. Typically, Zoom’s free version limits video sessions to 40 minutes. The company had already lifted limits for China and other countries affected by the coronavirus crisis.
Individuals can upgrade to a Standard Pro account for $14.99 monthly for unlimited length sessions.
The latest security vulnerabilities should not stop teachers and others from using Zoom, ZeroFox’s Allen says. “WFH (working from home) cannot stop. The economy depends on it, so stopping the use of tools like Zoom will be hard for everyday users,” he said.
Tips to control your Zoom meetings
ZeroFox is working on new capabilities to help companies using Zoom for business, he says. For others, there are some simple ways to reduce risks, from ZeroFox, Zoom and the FBI:
• Don’t make meetings or classes public. You can require participants to use a password, or the meeting manager can make participants first appear in the waiting room and be admitted individually.
• Invite with care. Do not share links to your meeting on social media. Email or text them directly to participants.
• Limit screen sharing. Hosts can prevent others from posting video by changing the screen sharing options to “Host Only.”
• Lock the door. You can close your meeting to newcomers once everyone has arrived. Hosts can click the Participants tab at the bottom of the Zoom window to get a pop-up menu, then choose the Lock Meeting option.
• Use your silencer features. You can disable video for participants and mute an individual or all attendees.
• Cut out the chatter. The host can disable the ability to text chat during the session to prevent the delivery of unwanted messages.
• Boot the uninvited. Hosts can remove a participant by putting the mouse over that name and choosing the Remove option. Allen says you can block people from rejoining meetings if they were removed.
• Preparation. Make sure participants have the latest version of Zoom’s software, which was updated in January. That update added meeting passwords by default and disabled a feature allowing users to randomly scan for meetings to join.