Update - Zoom: Is it Safe?

A lot happened in 2020, and almost no story rode the rollercoaster like the story of Zoom's security issues and updates.


Two of the biggest issues with Zoom's security – End-to-End Encryption and Zoom's affiliation with China – came under direct fire as the platform was adopted en masse earlier this year. Zoombombing became an everyday term. Zero-day exploits, malicious copycat installers, and stolen credentials were also high up on the list of security concerns.


The good news is that Zoom quickly and diligently worked to patch and resolve most of its known issues. Zoom 5+ fixed many security flaws and changed default configurations to give users a better security starting point.


On October 27, 2020, Zoom finally launched End-to-End (E2E) encryption for everyone. E2E encryption is not turned on for all meetings by default, however. Here's how to turn it on in Zoom: https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2E-encryption-for-meetings


You can view all of Zoom's updates (including release notes) here: https://support.zoom.us/hc/en-us/sections/201214205-Release-Notes


The bad news is that Zoom's affiliation with China continues to be a serious security concern. In June, Zoom suspended the accounts of Chinese dissidents at the behest of China, drawing the ire of the US government and proponents of free speech everywhere. On December 18, 2020, a Zoom executive was formally charged with "conspiracy to commit interstate harassment and unlawful conspiracy to transfer a means of identification" by the US Department of Justice. The executive was found to have suspended Zoom accounts relating to meetings commemorating the anniversary of the 1989 Tiananmen Square massacre.


"Americans should understand that the Chinese government will not hesitate to exploit companies operating in China to further their international agenda, including repression of free speech," Christopher Wray, director of the FBI, said in a statement regarding Zoom and its affiliation with China.


On Tuesday, November 10, 2020, the FTC announced that Zoom was found to have "misled users" and "engaged in a series of deceptive and unfair practices" regarding its own security. Simulated end-to-end encryption claims were uncovered in March, and unauthorized software installed on Macs from 2018 and 2019 was cited in the report. Zoom settled with the FTC and agreed to annual internal security reviews, along with biennial external security reviews and a formal vulnerability management program.


Finally, the Better Business Bureau is warning Zoom users that scammers are trying to steal their usernames and passwords via phishing emails and text messages, according to ThreatPost.


As stated in this article's original posting, NO online platform is (or ever will be) 100% secure. As we saw recently with the SolarWinds cyberattack, third-party applications will always be a (mostly) trusted method of attacking organizations. However, with particular respect to Zoom's continued ties to China, there are certainly stronger, more secure alternatives for your corporate videoconferencing needs, especially if you require some assurance of privacy and data protection.

 


Written by: 
Jon Waldman, Chief People Officer, SBS CyberSecurity and President, SBS Institute


 

Posted: Tuesday, January 5, 2021
Categories: Blog