How Secure is Zoom?

Numerous organizations have faced the challenge of swiftly adapting to the constantly evolving restrictions implemented worldwide to combat the spread of COVID-19. As a result, many employees had to transition to remote work, often without prior preparation. Unlike traditional business continuity plans, which typically involve relocating workers to alternative offices or locations, the current situation necessitated a different approach. Consequently, several organizations had not fully considered the implications of communication and collaboration when enabling their staff to effectively meet and work remotely.

In response to the sudden need for remote collaboration, many organizations quickly adopted online video conferencing services. However, in the rush to implement a solution, these services were often not thoroughly evaluated or vetted beforehand, which could pose security risks. This is especially crucial for organizations that handle sensitive data and require stringent security measures, such as those with ISO 27001 certification.

Among the various services available, Zoom gained significant attention, although the exact reasons for its prominence remain unclear. Zoom offers multi-person video conferencing along with additional features such as screen-sharing, text chat, and document sharing, which are similar to those offered by other platforms. If you are among the 200 million daily meeting participants using Zoom services (excluding the MOD, which has banned the application), you may be interested in understanding the reasons behind the negative press that Zoom has received.

Following Zoom's surge in popularity, security researchers began examining the platform more closely, as is customary when a product experiences a sudden increase in usage. The interest from these researchers stemmed from the fact that where popular platforms emerge, hackers tend to follow. Malicious actors naturally target widely adopted platforms, as they offer greater opportunities for successful attacks. As you may have come across in various online sources, Zoom's security design was found to be lacking, suggesting that the company may have prioritized rapid growth over comprehensive security measures.

Zoom's claims regarding end-to-end encryption have been a point of contention. While Zoom marketed its meetings as end-to-end encrypted, it became evident that their definition of end-to-end encryption differed from the widely accepted understanding of the term. In reality, Zoom's encryption only extends to their servers, which means that Zoom has the technical capability to access the video and audio data from meetings. Despite their assurance that they do not access this data, it raises concerns about trusting them with user privacy. True end-to-end encryption would ensure that only the participants involved in a meeting have access to the data, providing an extra layer of privacy and security.

Regarding privacy concerns, Zoom's utilization of Facebook's software development kit (SDK) is not uncommon in modern application development. However, as a consequence of using the Facebook SDK, Zoom has been transmitting substantial user data to Facebook. The main issue here is not the sharing of data with Facebook itself, but rather the lack of disclosure by Zoom to its customers regarding this data sharing arrangement. Customers were not informed about the extent of data transmitted to Facebook, which has raised significant privacy concerns. Transparency and clear communication about data practices are essential for establishing trust between users and technology providers.

Additionally, Zoom has certain features that have raised privacy and security concerns among individuals who prioritize these aspects. For example, Zoom allows the meeting host to determine if attendees have minimized the meeting window or not, which can be perceived as an invasion of privacy. Moreover, Zoom administrators possess remarkable capabilities, including the ability to access the content of all recorded calls and view detailed specifications of attendees' computers. Furthermore, administrators can join ongoing meetings without prior consent or notification, which can be seen as a potential breach of privacy and security protocols. These features and privileges have drawn attention from individuals who value privacy and security in their online communications.

The information security community strongly believes that using Zoom exposes organizations to significant risks in terms of data privacy and security. These risks necessitate a careful assessment before deploying such a product within your organization's infrastructure and allowing its usage by your staff. The reality is that if your organization has recently started extensively using a new video conferencing platform or service that was previously used only occasionally, it is crucial to conduct a comprehensive investigation into its security and privacy features, aligning them with ISO 27001 requirements. This assessment will help determine whether the platform is safe and appropriate for use according to ISO 27001 standards. The current situation has revealed that many organizations' business continuity plans are not as resilient and robust as initially perceived, highlighting the need for closer examination and improvement in this regard.