Zoom has become nearly synonymous with office meetings and socializing as people around the world have adapted to life at home amid the Coronavirus outbreak. That has put the roughly 9-year-old company in the spotlight more than ever before — for both the good and the bad, as an onslaught of security issues have come to light.
The biggest hurdle for Zoom moving forward, according to some security experts, isn’t just fixing those issues. It’s doing so in a way that enables Zoom to maintain the convenience that has made it so popular in the first place.
“There are different security measures that you can implement, but again it comes back to this pendulum of security versus usability,” said Etay Maor, chief security officer at cyber threat protection firm IntSights. “Where do you feel comfortable and where do your users feel comfortable?”
Zoom’s security troubles
The teleconferencing app has surged in popularity over the last month, as it’s hosted 200 million chat participants throughout March, compared with its previous all-time high of 10 million as of December 2019.
That has made the platform a ripe target for internet trolls. A new form of harassment known as Zoom-bombing has emerged in recent weeks, which is when intruders infiltrate a Zoom meeting and bombard participants with offensive content. The FBI has said that it received two reports of such incidents occurring in Massachusetts schools.
But that’s just one of the security woes that have troubled Zoom over the past month. The company was hit with a class-action lawsuit over accusations that it shared analytics data with Facebook without properly alerting users. Zoom also said that some calls were mistakenly routed through China as the company beefed up its server capacity in the country at the start of the outbreak.
The list of companies and organizations banning Zoom has continued to grow along with the security issues. Schools in New York City, the Taiwanese government, and Google have suspended usage of the popular video service. Singapore also recently told teachers not to use the service.
Security versus convenience
Enhancing Zoom’s security while keeping the service as frictionless and accessible as it has been could be a particularly challenging balance for the company to strike. Joining a Zoom meeting can be as simple as clicking a link from your email or calendar invite. But adding layers of security often means implementing more steps for the user.
“There’s always a trade-off between ease-of-use and usability,” said Rob Davis, CEO of cybersecurity firm CRITICALSTART.
Two-factor authentication, for example, adds more security but also means the user needs to take that extra step of typing in the code sent to his or her phone. Enforcing tighter controls around how participants join a meeting could also make the process of adding colleagues or friends at the last-minute slightly longer.
Stronger end-to-end encryption could also make it harder to maintain high call quality, one of the characteristics that makes Zoom so appealing, according to Satya Gupta, chief technology officer at web application security company Virsec.
“I suspect that this is going to be a serious problem for Zoom to be able to solve because, you know, when you encrypt and decrypt, it introduces lag and latency into a call,” Gupta said.
For its part, Zoom has been quick to react to the myriad of issues that have emerged. It outlined a 90-day plan to make Zoom a security- and privacy-first product. As part of that plan, it’s committed to freezing the development of new features to focus on increasing security, publishing a transparency report with information about data requests, and bringing in outside experts to evaluate its security practices among other measures.
The company recently tapped Alex Stamos, Facebook’s former security chief, as an external consultant to help it ramp up its security. It has also made security settings easier for users to access, and now requires additional password settings for users on basic, free accounts and accounts with a single licensed user.
Still, Zoom could be more transparent about the measures it’s taking, which makes it easier for other security professionals to assess the company’s approach to security, Davis said.
“That allows other people to more easily ascertain, ‘Have you taken the right steps?’ Davis said.
Zoom has said it will consult external security experts and form a council of chief information security officers from across the industry to discuss best practices when it comes to security.
But the experts seem to agree that trading some conveniences for security is worth it. And juggling the two, especially within 90 days, will be a challenge.
“It’s a hard balancing act that has to be performed,” said Maor. “It’s not an easy task.”Featured in Business Insider | April 11, 2020
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.