Zoom's security and privacy issues are no longer breaking news. However, as more and more information is unearthed about the platform, it becomes clearer as to why users across all sectors must exercise plenty of caution before proceeding to use Zoom. A New York Times investigation on the matter has revealed that Zoom was very well aware of the sheer volume of security issues that its service had, but seemingly did very little to proactively make its service safer. In fact, it was so unsecured that Dropbox, one of Zoom's then-business partners and now investor, actually hired hackers privately to identify major vulnerabilities on the service, and then urged the video calling startup to fix the issues at hand.
Zoom's popularity skyrocketed in March as the coronavirus pandemic spread out across the world, pushing more and more companies to extensively work from home. This beckoned the need for a low cost, easy to use and flexible video conferencing service, and Zoom offered just that. It features a highly intuitive interface that is easy to use, and even its free version allows features such as up to 50 participants in free live conferencing mode, screen sharing, file sharing, chats with transcriptions and so on. In fact, despite all its privacy and security issues today, it does remain one of the most intuitively designed video conferencing apps in the market.
Many Zoom stakeholders, as well as industry experts, argue that since Zoom was designed as a service for the enterprise sector, it was never designed keeping security as a design feature from the ground-up. In simpler words, Zoom was designed to rely on the security protocol of companies, and hence may have never deemed it important enough to take these privacy concerns with utmost importance. It is this that the new NYT report highlights, revealing that when Dropbox organised these private-scale bug bounty programmes and informed Zoom about the severe underlying security issues at hand, they found that the company was rather lax in their promptness to fix them.
It hence comes down to the fact that Zoom knew very well that their platform was never safe to use. Even in the enterprise space, having so many security flaws in its code meant that attackers could have remotely exploited specific vulnerabilities to elevate system-level access to enterprise systems, thereby putting certain company data at risk. This may have held particularly true for non-technology small and medium businesses, who are often seen to not follow the best Wi-Fi and internet security practices.
On a user level, Zoom's security issues have led to malicious users reportedly selling zero-day hacks to interested parties for as much as $500,000 (~Rs 3.8 crore), tapping and selling usernames and password databases for similar amounts, crashing video sessions with pornographic and other lewd content (an act now popularly called 'zoombombing'), intercepting private information due to lack of better encryption standards, routing calls through surveillance states, and in one case (that has now been fixed), passing this information on to another company.
While Zoom's assurances seem legitimate right now, it is difficult to trust a company that knowingly left its platform with multiple security flaws, and made little effort to rectify them in the years preceding its newfound popularity.
The full report by The New York Times can be read here.