Zoom, which on Friday stopped development of new product features so it could focus on fixing various privacy and security issues, clamped down even further on security weaknesses over the weekend.
The company on Saturday switched on default password settings and waiting rooms for users of its Free Basic tier and those with a single account on its cheapest paid tier, such as K-12 eduction accounts. All meetings that use a Personal Meeting ID (PMI) will now need a password, and password settings that had been disabled will be re-enabled. As a result, passwords will be required for instant meetings, for participants joining by phone and when a new meeting is scheduled.
Zoom CEO Eric Yuan acknowledged in an interview with CNN on Monday that the company “moved too fast” as the COVID-19 crisis unfolded and should have enforced tighter security to protect users. The company also acknowledged in response to research from the University of Toronto’s Citizen Lab that its encryption efforts need more work.
The company has seen a surge in the use of its platform in recent weeks, as self isolation in response to the pandemic ramped up the demand for video software. As its popularity has boomed — both for business and personal use — and the company’s stock price rocketed, underlying vulnerabilities in the platform have become apparent.
Referring to the latest security changes, Zoom said schools using its software will have the new password settings locked permanently, while others with free accounts, or paid accounts with a single licensed user, can remove the requirements if the want.
(Zoom’s waiting room feature has also been enabled by default to let hosts vet participants before letting them in to a meeting.)
“Zoom-bombing,” where intruders have been able to access video meetings that were not password protected, has led to serious privacy concerns, with uninvited attendees harassing online A.A. meetings and church meetings, for example. The FBI last week warned of unauthorized access to virtual classrooms and recommended that users change security settings to protect meetings.
Meanwhile, Elon Musk’s SpaceX aerospace company apparently banned the use of Zoom by its 6,000 employees because of privacy and security worries, according to Reuters. Zoom has also come under fire for a vulnerability that enabled hackers to steal passwords on Windows devices, though that flaw has since been addressed.
More recently, New York’s Department of Education also banned the use of Zoom, with teachers and administrators barred from using it due to concerns about Zoom-booming, according to The New York Post. A letter to staffers said Zoom should be replaced with Google Hangouts Meet or Microsoft Teams.
Zoom CEO apologizes for recent issues
Yuan published a blog post last Wednesday detailing the company’s response and said that over the next 90 days Zoom will direct necessary resources to “better identify, address, and fix issues proactively.
“We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust,” he said.
Measures include a “freeze” on feature development, with Zoom engineers told to focus on “trust, safety and privacy issues.”
The company also plans to work with “third-party experts” to review security for consumer use of its platform; create a council of CISOs to discuss security best practices; create a transparency report in relation to “requests for data, records, or content;” expand Zoom’s bug bounty program; and conduct white box penetration tests to identify other security issues.
Yuan will also host weekly webinars to provide privacy and security updates.
Zoom needs to prove it’s enterprise-ready
Zoom is going “above and beyond” by putting its roadmap on hold to address recent concerns, said Raul Castanon, senior analyst for workforce collaboration at 451 Research / S&P Global Market Intelligence. “This should help restore confidence with enterprise users, assuming the company comes up with a clear list of improvements after the 90-day period.
“Zoom is getting a lot of attention with the pandemic, and the security issues could actually be an opportunity for the company to prove it can address privacy and security for its enterprise customers,” he said.
However, Zoom still has a way to go in terms of ensuring that its platform is ready for enterprise use.
“Yuan contradicts himself with his comment about Zoom being developed for enterprise customers ‘with full IT support’ and not a ‘broader set of users,’” Castanon said. “It is true that the pandemic is uncovering opportunities for improvement — not just for Zoom, but for most vendors — but the security flaws that have come up show the platform is not quite enterprise-grade. Yuan could have been better off without that remark.”
In another privacy incident, Zoom is being sued in California for sharing user data with Facebook. Zoom said in a March 29 blog post that it “has never sold user data in the past and has no intention of selling users’ data going forward,” and would remove the Facebook SDK (software development kit) from its iOS client, which it said was responsible for collecting device data.
Castanon commended the way Zoom handled privacy issues related to the Facebook SDK.
“Zoom will be okay, but this incident will further damage Facebook’s reputation,” he said. “Mark Zuckerberg should pay close attention to Eric Yuan’s detailed response about how Zoom is addressing security and privacy concerns.”
