With users skyrocketing, Zoom fixes security flaws in face of pressure
Zoom, a video conferencing platform, has seen a huge growth in downloads and users as more people are at home, looking for ways to connect remotely with friends, family, and colleagues. However, there have been concerns about a lack of security and privacy for Zoom users.
Patrick Wardle, former NSA hacker, now principal security officer at Jamf, joined KIRO Nights to talk about the flaws he and other security researchers found in Zoom’s software and what the company is doing to fix its security.
“The issue is, Zoom has been like thrust to the forefront and it’s become incredibly, wildly popular, and it’s still kind of a new product. And often with new products, things like security might not be as baked in or as fleshed out as we could like for them to see,” Wardle said. “I think Zoom was predominately designed, first and foremost, to be very easy to use and its goal to really kind of gain as many users as possible.”
This is not unusual for startups, as security is often an afterthought.
“It holds you up from rushing to market,” Wardle explained.
Zoom has already had a few missteps with security and privacy issues. Last year, a researcher found a flaw where malicious websites could turn the camera on remotely via an insecure Zoom component. More recently, researchers found that user information was being sent to Facebook without alerting the user.
“With Zoom’s meteoric rise now, a lot of other security researchers, such as myself, jumped in,” Wardle said. “And this last week, we’ve also found some rather problematic new security issues.”
When a product first comes out, it may not be as popular, so people are not necessarily focused on it. A lot of security issues can get swept under the rug, but they become harder to ignore when they affect a greater number of users.
The other issue, Wardle said, is that Zoom was never fully examined or audited by security researchers.
“You would hope that the companies internally are doing this,” he said. “But the unfortunate reality is they’re generally, you know, chasing the profits or user growth versus security.”
Since it wasn’t audited, likely because it just wasn’t popular, researchers have found trivial, easy-to-find bugs.
“The stakes are a lot higher for everyone, so everyone’s kind of piling in, both hackers and security researchers,” Wardle said.
For those who are using Zoom for personal reasons or for work, Wardle said his answer to whether it’s safe to use would have been different just a few days ago. He found flaws in just five minutes, and previously would have advised people to think twice about using Zoom.
Zoom has since fixed those flaws and other flaws found by security researchers in just one day.
“Moreover, they came out and said, ‘Hey, we are going to enact immediately a feature freeze, we’re not going to focus on, you know, new emojis and new bells and whistles. We’re going to put all that resourcing efforts specifically on privacy and security issues,’” Wardle said.
Zoom acknowledged there was a problem, and is now pledging to focus internal resources and engineering efforts on security and privacy. Wardle said Zoom promised to bring in external researchers and security experts to help audit the code as well.
“I think Zoom has seen this as a wake up call and finally is really going to take security and privacy, realize it’s a very important component of that product, and really focus on that,” Wardle said. “So I would have no problem using Zoom moving forward.”
“Really kudos to Zoom for stepping up and doing the right thing here,” Wardle added.
That being said, Wardle does recommend that all Zoom users update to the newest version because “you’re going to get a lot of the security fixes baked in.” He also does not recommend that government officials use Zoom; they should instead look to a product that has been vetted and tested, though he noted this applies to any software.
“Government should be very careful about what software they’re putting on,” he said. “I would just say Zoom, with its track records, yes, things are improving, but I’m not sure it’s government grade security yet.”
In terms of why these issues weren’t fixed earlier, Wardle said the blame is not all on Zoom or the companies in similar situations.
“My personal opinion, which I think is accurate, is that Wall Street, our capitalistic society, the market in general does not value security until it becomes a big enough issue,” he said.
Companies are obligated to do what’s best for the shareholders, which is make money.
“Security doesn’t make you money,” Wardle said. “New features do.”
It often takes security researchers to come out and point to these flaws, which leads to bad press or a loss of users. Then the flaws are impacting business and profit lines, and so they become a priority.
“Unfortunately, until that happens, there’s really no motivation for companies to focus on security,” Wardle said. “… Yes, it’s the right thing to do. But companies aren’t in the business of doing the right thing. That’s why I think it’s really important for external security researchers to talk about the findings and then also the press, the media, radio, to really disseminate that message because, in a way, we are then the drivers of increasing the security and privacy of these products, which ultimately benefits the end users.”
Wardle runs a blog that offers open source, free security tools for the public, which you can find here. His Zoom findings are also posted on this website.
Listen to KIRO Nights weeknights from 7 – 10 p.m. on KIRO Radio, 97.3 FM. Subscribe to the podcast here.