By Andrew Korty
IU chief information security officer
Over the past month, much of the world has moved to telecommuting on a massive scale. To allow meetings, classes, and even whole conferences to continue, many organizations turned to their favorite videoconferencing software, Zoom, giving it a massive spike in usage. As a result of this sudden rise in popularity, Zoom has received a lot of attention from security researchers, cybercriminals, and the media. Much of this attention has users understandably worried about security and privacy.
You’ve likely heard about Zoombombing, the act of an intruder barging into the middle of a meeting or class. Some of these incidents can be quite disruptive and even offensive. That’s why at Indiana University we recommend instructors visit keepteaching.iu.edu or keepworking.iu.edu, read the tips on securing a Zoom session, and implement those tips that apply best to their class environments or meetings. We’ve dealt with a handful of these incidents at IU and have been able to help instructors and meeting hosts put safeguards in place to protect their Zoom sessions from repeat incidents.
Zoom diligently fixes its flaws
In addition to the Zoombombing incidents, several flaws have been discovered in the Zoom software in the past weeks. Zoom has responded to news of these flaws swiftly and appropriately. It has frozen development of new features in order to focus on security work, and most of the flaws have already been fixed. We haven’t observed these flaws being exploited by malicious actors, and as long as students, faculty, and staff make sure to keep their copy of Zoom updated, the risk of their computers or devices being compromised is low.
To put these flaws in perspective, consider that dozens of flaws are found every month in Microsoft and Apple products. Yet we don’t consider switching away from Windows or macOS for security reasons. Why? Because these vendors duly get to work fixing flaws as they’re made aware of them. So we don’t judge a product on its flaws but on how diligently the vendor works to resolve them. And Zoom has performed very well in this area.
Am I saying we should ignore future reports of Zoom security issues? No, but we should apply critical thinking and cool-headed risk assessment. Today I learned of the alleged existence of zero-day exploits for both the Windows and macOS Zoom clients. (According to CSO Magazine, a zero-day exploit “is a security flaw that has not yet been patched by the vendor and can be exploited and turned into a powerful weapon.”)
The Windows exploit allows remote code execution—normally very serious—and could result in eavesdropping. But as I read further, I saw that to launch the exploit, the attacker already had to be in the meeting. Again, the details of this exploit (if it exists) aren’t yet public, and we’ll need to scrutinize them once they are. But an eavesdropping exploit that requires you to be in the meeting anyway isn’t of much use.
In addition to the legitimate flaws that have been found, several other flaws have been reported as Zoom’s when they shouldn’t have been attributed to Zoom at all. One example made it sound as though Zoom is exposing Windows credentials. But this vulnerability is actually a flaw in Windows itself; all Zoom did was use a Microsoft library that makes links clickable in chat. In response, Zoom has now made all links unclickable. There are other examples where Zoom has “fixed” or worked around vulnerabilities that weren’t really theirs in response to these reports.
Other platforms don’t have the functionality we all need
A few organizations are switching to other videoconferencing platforms, but in my view, it’s premature and not a risk-based approach. There’s no telling what weaknesses will surface in these other platforms once they get the attention Zoom has. Moreover, other platforms may have deficiencies in other areas. The other day I was in a meeting using a competing videoconferencing system and couldn’t figure out how to get more than four faces on the screen at once. As far as I can tell, the product doesn’t have that capability. It’s not only less usable but less secure in that it makes it harder to see if an interloper has joined.
As in all aspects of life, if we want to continue using computers, we have to accept some risk. We continue to use Zoom and other software because the risk is low and the benefits are great.