Zoom Hacked

Remote Workers Using This Software Got Hacked!

As the media talks about the explosive growth of online conferencing software and its adoption by schools and casual users, it has focused on the embarrassing mistakes which led to uninvited guests making unwanted appearances during online classes and business meetings. But the much larger threat involves hackers exploiting security flaws to take over users’ computers.

Covid-19 and the Growth of Video Conferencing

The world has changed dramatically in the last 60 days. Millions of people are working and studying from home. Even more are trying to stay connected with friends and family without the benefit of being able to be near the ones they love. Wouldn’t it be great if the video conferencing software used by businesses to conduct meetings could be repurposed by classrooms and families, patients and doctors needing telemedicine and others to connect visually? Enter Zoom.

Zoom is a company founded a decade ago that offers a video conferencing and screen sharing software platform that can be used for free. Before Covid-19, Zoom was primarily marketed to businesses but casual users quickly saw the appeal of being able to have visual one-on-one and group meetings. Zoom saw an opportunity and made its software free to schools during the pandemic. Unfortunately, this explosive growth in popularity by casual users has revealed significant security problems.

Security Flaws Revealed

There are multiple security weaknesses within Zoom. Many have to do with the way Zoom treats user data and sells and repackages it. These are privacy issues much like the complaints many social media sites face and not what you would expect to deal with when using a business productivity app.

We will focus on two security flaws. The most widely reported one is easily understood but not terribly serious. The other is more complex but far more dangerous. First is the ominous-sounding concept of “Zoom-bombing”, which gets its name from “photo-bombing”. Zoom-bombing is the appearance of an unwanted guest in your Zoom meeting, which can occur if the host does not adequately control who has the password to the meeting.

The best analogy is if you threw a pool party and told all your friends the code to the front gate. Once you did that, they could tell anyone, and soon you would not be able to control who was coming into your party. This led to a lot of embarrassing situations, such as explicit profanity during elementary school lessons or antisemitic rants by anonymous people during business meetings. Zoom has already taken some steps to correct this problem, but it was certainly embarrassing and turned a lot of users off Zoom.

The more serious problem is a security flaw that made the Zoom Windows app vulnerable to UNC path injection, which could allow remote attackers to steal a Zoom user’s Windows login credentials and install and execute commands on their system. An April 2 patch has addressed this flaw and a similar flaw that allowed hackers to access the mic and camera of macOS devices.
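The UNC path flaw arose because the chat window turned Windows network paths into clickable links, and following one makes Windows try to authenticate to the remote host. The sketch below is an added example, not Zoom's code, with constructed function names and a constructed sample message; it shows how a chat client can allowlist link schemes so such paths stay inert text and can be flagged:

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # only these ever become clickable

def _split(token):
    """urlsplit that tolerates malformed input (returns None on failure)."""
    try:
        return urlsplit(token)
    except ValueError:
        return None

def is_remote_path(token):
    """True for \\\\host\\share or //host/share paths and file:// URLs naming a host."""
    if token.startswith("\\\\") or token.startswith("//"):
        return True
    parts = _split(token)
    return bool(parts) and parts.scheme.lower() == "file" and bool(parts.netloc)

def is_safe_link(token):
    """Allowlist check: a link must be http(s) and name a host."""
    parts = _split(token)
    return bool(parts) and parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)

def flag_remote_paths(message):
    """Tokens worth logging or warning about before the message is shown."""
    return [t for t in message.split() if is_remote_path(t)]

def render(message):
    """Return (token, clickable) pairs; anything not allowlisted stays plain text."""
    return [(t, is_safe_link(t) and not is_remote_path(t)) for t in message.split()]

# Constructed sample chat message (hostnames are placeholders).
SAMPLE = r"notes are at \\fileserver.example\share\notes.txt and https://example.com/agenda"

if __name__ == "__main__":
    print("flagged:", flag_remote_paths(SAMPLE))
    for token, clickable in render(SAMPLE):
        print("LINK" if clickable else "text", token)
```
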

Four Free Alternatives to Zoom

Duo – Google’s video conferencing app supports up to 8 people (currently raised to 12 during Covid-19), offers end-to-end encryption and is available on Android, iOS and web browsers. Google also offers a more full-featured app called Google Hangouts Meet (App) or simply Google Meet (Web) with chat and SMS messaging, but it is less intuitive and the video conferencing can be less smooth than Duo. Read an in-depth comparison here.

FaceTime (Apple Only) – Pre-installed and easy to use on Apple devices, it supports 32 people for group chats with end-to-end encryption, but everyone must be in the Apple ecosystem.

Skype – Microsoft’s chat app for up to 50 people, offers end-to-end encryption for one-on-one chat, available on many platforms including PCs, mobile devices, Alexa and Xbox.

WhatsApp – Facebook’s chat, video and calling app for just 4 people at a time. Strong security features. Available for Mac, PC, Android, iOS and more.

Of course, there are many more options, including Slack, Discord, Signal, Riot, Viber, Telegram and others. Some of these have significant benefits and special features. You can read about several of these here.

Little Sympathy for Poor Security

Similar to data breaches, the public has little sympathy for poor security and the reaction to these lapses has been swift and harsh. Perhaps sensing an opportunity, there are already at least four class action lawsuits in the works against Zoom. One filed by a shareholder in federal court in San Francisco details the numerous security gaps and missteps including unauthorized disclosures of personal information to third parties and information posted to the public internet.

Risk of Chinese Spying

For its part, Zoom has also admitted to using Chinese developers and Chinese data centers which have exposed its users’ data to major security risks. Taiwan has banned use of Zoom over fear that information will be harvested by the hostile Chinese state and used against Taiwanese interests. Perhaps the United States will follow suit. For now, weak encryption by Zoom and foreign developers do not engender much confidence in the security of the platform.

What Can You Do?

It is impossible to fully vet all the software you use, especially if that software is assigned to you by your employer or school. Software has flaws and those flaws will be exploited by hackers. In this world where your work device and your personal device are often one and the same, and your home and office may be the same as well, your personal exposure to hackers is increasing. That is why we recommend signing up with MyProfyle’s Free For Life Identity Protection™ service: it remains the best way to find out if your information has been exposed, which may help you determine if a future threat is real or just based on your name appearing in a data breach.
