Explainer: Zoom bombs make choosing video apps harder for lockdown chats

April 21, 2020 - 5:49 PM
Ben Mulcahy, founder of Darlinghurst Life Drawing studio, organises a life drawing class for art students over a Zoom internet livestream due to social gathering restrictions implemented to curb the spread of the coronavirus disease (COVID-19), at Darlinghurst Life Drawing studio in Sydney, Australia, April 16, 2020. Picture taken April 16, 2020. (Reuters/Loren Elliott)

The coronavirus crisis has seen millions locked in their homes turn to videoconferencing apps, bringing with it question marks over security and privacy and a new verb – Zoombombing – the practice of uninvited users crashing into conversations.

From easy-access models for schoolkids and casual users like Houseparty, Google Hangouts or Zoom to Cisco’s business-focused Webex, Microsoft’s Teams or San Jose-based BlueJeans, the value and profile of these apps have soared.

But which one would you choose and what are the risks?

What can go wrong?

There have been two big social media-inspired scares since lockdowns and social distancing became widespread.

People started uninstalling Houseparty in late March after messages on discussion boards and social media claimed that other apps on phones had been hacked after downloading its social chat platform.

The company denied the claims and offered a reward of $1 million for evidence of what it said was a smear campaign.

Zoom, which has soared to 200 million daily users from 10 million in less than three months, had multiple reports of “zoombombing”, where strangers barge into private calls having gained access to an invite or meeting number.

Underlying many of the issues is the fact that Zoom has not merely become more popular; with the world under lockdown, Zoom has transformed from a business-oriented teleconferencing tool to a global video hangout.

“Now Zoom is being used in situations where you invite strangers into video chat,” said former Facebook Inc Chief Security Officer Alex Stamos, who now works with Zoom as an outside consultant. “That’s a big change.”

This has snowballed into a bigger problem as security researchers found bugs in its code, sharing of user data with Facebook, a lack of end-to-end encryption and routing of some traffic through China.

Stamos said the changes meant the company had to think about privacy and security differently.

Are the threats real?

Security researchers draw a distinction between apps aimed at social interaction and ordinary consumers and those intended to keep communications private for a big corporation or a bank.

They say that most “zoombombing” incidents could have been avoided if meeting hosts had taken simple steps like requiring a password to join the chat and keeping invites to tighter groups.

Zoom has since updated its software and given hosts the ability to lock meetings, restrict what attendees can do and remove participants. It advises hosts to approve each participant before they join a particular chat and has removed Facebook’s access to data.

“The flaws are serious, make no mistake, but not unique or special in any way,” said Daniel Cuthbert, head of cyber security research at Grupo Banco Santander. “But Zoom acted quickly and fixed the issues, which is not the norm in my experience and this should be applauded.”

For corporate customers, however, the issue of encryption and who keeps records or can listen to your calls is more important, be it to safeguard valuable company information, or meet privacy obligations to customers.

Zoom has brought in top industry figures to work on security and has already taken steps to allow users to rule out data passing through China, but it has also had to admit that it misled customers by saying earlier that its conversations were encrypted from end to end.

Researchers say this may have been at the heart of a number of the bans on the app implemented by corporations and governments in the past month.

“While the average user talking about their daily activities with their family over Zoom are probably fine, I would recommend sticking with the platforms created by more mature companies,” said Patrick Wardle, a security researcher with software company Jamf, who found two undisclosed flaws in the platform.

A spokesman for Zoom, which has since patched those and other previously undiscovered flaws, said that big companies and government agencies globally have done exhaustive security reviews of its platform and many continue to use Zoom.

How do the apps measure up on encryption?

Some companies offer encryption as an option but when it is enabled several features such as saving session data, call transcripts, call recording and calling from landlines are not supported.

Cisco, which says it had 324 million attendees in March, said its Webex sessions were encrypted.

“We don’t go and take your data or transcribe what you are saying, and we don’t sell your data to ad agencies. This is a proper tool for secure communication,” said Cisco senior vice president Jonathan Davidson.

Microsoft Teams, with 44 million users, also offers encryption options on its platform.

Symphony Communication, a messaging service backed by big banks, is planning an early summer launch of a video conferencing platform featuring end-to-end encryption, Chief Executive Officer David Gurle said.

Reporting by Supantha Mukherjee and Munsif Vengattil in Bengaluru, Raphael Satter in Washington; Writing by Patrick Graham and editing by Bernard Orr