Is Zoom an insecure app? No more than others


The rise of the video call ‘app’ has triggered the detection of vulnerabilities and privacy problems. We talk to specialists to assess its security.

In December 2019, the maximum number of participants per day in Zoom video calls was 10 million. In March 2020, the application reached over 200 million users a day, according to data provided by the company. The lockdown imposed because of the coronavirus has driven up the number of companies, institutions and individuals who choose this service to communicate. But in recent weeks the application has been involved in multiple controversies related to security and privacy. Companies like Google and SpaceX, and even NASA, have banned their employees from using it while working remotely. But to what extent does this ban make sense? Is it unsafe to use Zoom to make video calls? Are other alternatives like Skype or Google Hangouts safer?

Zoom was founded in 2011 by Eric Yuan, a Chinese businessman based in Silicon Valley. Since then it has not stopped growing. But its expansion has accelerated exponentially in recent weeks with the global crisis caused by the coronavirus. In fact, the application has become one of the most popular in both the App Store and the Play Store. In the latter store it has been downloaded on more than 100 million devices.

The rise of the platform has led dozens of security and privacy experts to turn their full attention to it. So have cybercriminals. While trolls have taken advantage of the massive use of the app to sneak into public video conferences and project violent pornography or violent content onto the screens of other users, the number of fake domains registered to pose as Zoom and deceive users has also increased.

“The problem that Zoom has had is that it has grown very fast and in a very short time. This has caused many eyes to turn to it and many security holes have been found,” explains Josep Albors. He is responsible for research and awareness in Spain at the cybersecurity company Eset and stresses that “focusing all this controversy on Zoom does not make any sense”: “There is no 100% safe application, neither for videoconferencing nor in any other field. Other applications such as Skype, Google Hangouts or Cisco Webex Meetings have also presented vulnerabilities to a greater or lesser extent and have corrected them.”

Zoom claims to be working “tirelessly” to ensure that all users can stay in touch. In recent days, it has offered free training sessions and tutorials to Internet users and claims to take “privacy, security and user trust” very seriously. “The company is very proactively involved in making sure that users understand the relevant policies, as well as the best ways to use the platform and protect their video communications,” company sources explain.

However, announcements of new vulnerabilities in the app have followed one another continuously in recent weeks. In addition to the leak of email addresses and photographs revealed by the Motherboard portal, thousands of call recordings were exposed on the web, as the Washington Post reported. The app also had a data mining feature that automatically linked user names and email addresses with LinkedIn profiles, according to research by The New York Times. And even the Spanish National Cybersecurity Institute (Incibe) warned last week of a vulnerability that could allow cybercriminals to steal confidential information and execute files on the devices of Windows users.

In early April, Zoom put in place a 90-day plan to “dedicate the resources necessary to proactively identify, address, and troubleshoot.” Many of the vulnerabilities found have already been fixed. And, according to Albors, in “record time”: “There are times when it takes months and even years to fix vulnerabilities in some companies.” Even so, all these detected problems have led to its use being prohibited in schools in New York City and Singapore, and to bans by the Government of Taiwan, the United States Senate and companies like SpaceX or Google.

For Albors, the Mountain View company's ban on Zoom “has its logic because they have their own solution.” Zoom has declined to comment on the decision of these companies and organizations. It simply insists that security is “very important to the company”: “A large number of institutions globally, from some of the world’s largest financial services companies and telecommunications providers to NGOs and governments across Europe, have done a thorough security analysis of our user, network and data center layers and continue to use Zoom for their communication needs.”

User data

The app has also been criticized for the data it collects from users and the use it makes of that data. Samuel Parra, a data protection specialist, asserts that “Zoom is not being transparent when it comes to informing the user of what data they are actually collecting, why they collect it and whether or not they are sharing it.” The company collects information regarding the location, type of device, operating system, connection times or IP address.

Until a few days ago, Zoom for iOS shared usage data with Facebook without permission, even when users did not have an account on the social network. This sharing was not explained in the terms and conditions of the service. The company backtracked after the controversy and fixed the problem. Parra, who works with the data protection consultancy firm Égida, stresses that the United States Federal Trade Commission (FTC) has also been asked to investigate the application for exposing users to third parties, who can remotely activate users' webcams without their knowledge or consent.

For Parra, the fact that companies or governments allow us to continue using this tool is “an unwise act”. He also advises individuals against using it, but stresses that the problem is not exclusive to Zoom: “I do not believe that there is any service free of errors or privacy problems, so I do not dare recommend any.” He believes that the best way to be responsible in the use of technology is to think first about whether it is really necessary to use one of these tools. “Why do we have to go through third party software to have that conversation? Is it essential that we can see our faces? Because it may not be necessary and a simple phone call is more than enough. Today’s telephones and operators allow us to make multiconferences where we can all be in the same telephone conversation,” he says.

Set meeting passwords and update the ‘app’: how users can protect themselves

Users also play an important role in ensuring security during video calls. To avoid incidents, Zoom encourages them to configure their settings so that only hosts can share their screens, and to use functions like the “waiting room” and the hosts' mute controls. Additionally, it advises users to set passwords for all their meetings to ensure that uninvited users cannot join. These types of measures should be taken in all video call applications. Users should also choose a complex password that has not been used before, avoid giving out personal information or bank details during the call, and keep the application updated so that they always use the latest version, the most secure one. With the constant scrutiny to which cybersecurity professionals have subjected these platforms, today they are all much safer than before the Covid-19 crisis began.
