As the spread of COVID-19 forced the world to start hunkering down from home and using technology like videoconferencing to hold virtual meetings, religious services, and family get-togethers, remote conferencing service Zoom has taken off like a rocket. In Italy alone, during the peak week of its crisis, the Zoom app was downloaded more than a half-million times.
Getting lots of love is welcome at any technology company, but Zoom’s rise has created a lift-the-covers look-see from New York Attorney General Letitia James, who wants to make sure the company’s data privacy and security practices are up to snuff.
According to the New York Times, the Attorney General’s office sent Zoom a letter pointedly asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers.
Who’s zooming who?
While the Attorney General says her office regards Zoom as “an essential and valuable communications platform,” her letter details several concerns. James suggests that the company has slacked on its efforts to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams” -- a novelty some refer to as “Zoombombing.”
Unfortunately, this novelty is anything but fun. It has allowed mavericks to take advantage of a Zoom screen-sharing feature to hijack meetings and butt in on educational teleconferences and Sunday School group meetings. Some hackers have even gone so far as posting white supremacist messages while a webinar on anti-Semitism was going on.
Someone bringing up the subject of security flaws is nothing new to Zoom. In July 2019, security research company Check Point Research notified Zoom that it had detected a flaw in the company’s system that “allowed a threat actor to potentially identify and join active meetings” by using randomly generated meeting IDs. When Check Point tested out the hackers’ method, it was able to successfully mimic that break-in technique roughly 4 percent of the time.
In response, Zoom made changes to keep those bad actors from joining meetings at will, building in a trigger that blocks a hacker’s device for a period of time if it repeatedly attempts to scan for meeting IDs.
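A server-side sketch of the kind of trigger described above, as an added example and not Zoom's code: a device that misses too many meeting IDs inside a sliding window is blocked for a fixed period. The class name, thresholds, device labels, and meeting IDs are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class MeetingIdScanGuard:
    """Hypothetical guard: blocks a device after repeated lookups of invalid meeting IDs."""

    def __init__(self, max_misses=5, window_s=60.0, block_s=900.0):
        # Thresholds are assumed values; the article does not state the real ones.
        self.max_misses, self.window_s, self.block_s = max_misses, window_s, block_s
        self._misses = defaultdict(deque)   # device -> timestamps of recent misses
        self._blocked_until = {}            # device -> time the block expires

    def is_blocked(self, device, now):
        until = self._blocked_until.get(device)
        if until is None:
            return False
        if now >= until:                    # block has expired, forget it
            del self._blocked_until[device]
            return False
        return True

    def check_join(self, device, meeting_id, now, valid_ids):
        # Answer "blocked" before looking the ID up, so a blocked device
        # cannot learn whether the ID it tried was valid.
        if self.is_blocked(device, now):
            return "blocked"
        if meeting_id in valid_ids:
            return "joined"
        misses = self._misses[device]
        misses.append(now)
        while misses and now - misses[0] > self.window_s:
            misses.popleft()                # drop misses outside the window
        if len(misses) >= self.max_misses:
            self._blocked_until[device] = now + self.block_s
            misses.clear()
            return "blocked"
        return "not_found"

def replay(events, guard, valid_ids):
    """Run (time, device, meeting_id) events through the guard in order."""
    return [guard.check_join(dev, mid, t, valid_ids) for t, dev, mid in events]

# Constructed sample data: one device guessing IDs, one user who mistypes once.
VALID_IDS = {"481516234"}
SAMPLE_EVENTS = [
    (0, "dev-scan", "100000001"), (1, "dev-scan", "100000002"),
    (2, "dev-user", "481516230"), (3, "dev-user", "481516234"),
    (4, "dev-scan", "100000003"), (5, "dev-scan", "100000004"),
    (6, "dev-scan", "100000005"), (7, "dev-scan", "481516234"),
    (910, "dev-scan", "481516234"),
]
```

A single mistyped ID does not lock out the ordinary user, while the scanning device is refused even when it later presents a valid ID, until the block period has passed.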
To its credit, Zoom made its policy easier to understand and more straightforward. For example, it did away with the whitewashing of how it went about data collection and scrapped gauzy phrases like: “We use this information to offer and improve our services, trouble shoot, and to improve our marketing efforts.”