Did Zoom do enough to prevent their plague of security breaches?

By April 2020Cybersecurity, News

Did Zoom do enough to prevent their plague of security breaches?

Did Zoom do enough to prevent their plague of security breaches?

Zoom’s boom in popularity has left the video-conferencing platform vulnerable to cybercriminals exploiting the fear, uncertainty and rise in remote working driven by the coronavirus outbreak.

The vulnerabilities include user’s data being shared with Facebook and Zoom calls from non-Chinese users ‘mistakenly’ routed through Chinese data centers.

The word ‘Zoombombing’ has even been coined, as conferencing streams are being hijacked by unwelcome guests. 

Reports have surfaced of an online geography lesson in Singapore that was allegedly hacked by two men who shared explicit images. The Ministry of Education has since suspended the use of Zoom for teachers.

Security and privacy concerns over Zoom led organisations like Google, Elon Musk’s SpaceX, the US Senate, the Philippines’ telecom giant PLDT and the Taiwanese Government to ban their workers from using Zoom.

The video-conferencing tool has also been hit with a class action lawsuit by a shareholder who accused Zoom of overstating its security measures and failing to disclose the service was not end-to-end encrypted. The lawsuit came after Zoom’s shares fell by 25% in recent days, despite a huge stock spike of more than 100% since January.

With the plague of security issues facing Zoom, it begs the question of whether Zoom did enough to prevent it.

Zoom’s vulnerabilities identified as early as last year

In June 2019, Check Point disclosed a security flaw where their researchers were able to predict a Zoom Meeting ID with a high chance of success to gain unwanted access to a call. 

While the IT security specialists said Zoom made changes to mitigate the flaw, this is identical to what is now known as “Zoombombing”.

Check Point’s Head of Security Engineering for APAC Gary Gardiner said: “We would never have disclosed vulnerabilities to the wider audience if we didn’t feel that the company, and Zoom in this case, had actually gone through the appropriate checks and balances and made the changes that we would have said they needed to make.”

Zoom is making a number of changes, including upgrading their encryption and hiding meeting IDs.

Mr Gardiner added applications can still be vulnerable during a product’s development. These flaws can be exploited by threat actors particularly when a platform gains popularity very quickly like Zoom during the coronavirus outbreak.

Zoom’s daily usage went from 10 million meeting participants in December 2019 to a massive 200 million in March 2020.

To add another vulnerability to Zoom’s growing list, Mr Gardiner said he is seeing numerous copycat domains posing as the video communications provider. During the past week alone, Check Point witnessed a huge increase of more than 1,700 in domains with the word “Zoom” in the URL.

Zoom is not the only platform exploited by cybercriminals. Mr Gardiner discovered that Office 365 is a prime example of where threat actors are replicating websites which look like the real deal to steal corporate organisations’ credentials. 

He added that cyberattacks on mobile devices are increasing. This is because the URLs are much smaller and applications by organisations like OTT providers are easy to replicate.

As a security professional, Gary said he would like to see organisations like Zoom provide more online education for users to understand how to protect themselves.

How can you stay safe when using Zoom?

To stay safe online, some of the responsibility comes down to the user.

Mr Gardiner said: “From what we have seen with Zoom, there have been some basics that end users haven’t done very well.”

To stay safe when using Zoom and similar platforms, consider the following recommendations:

  1. Password protect your meetings and do not use the same password twice
  2. Use a randomly generated meeting ID provided by Zoom
  3. Lock your meetings once everyone has joined
  4. Only allow authenticated users from the same domain as your own  to join sensitive meetings
  5. Beware of copycat domains – check for spelling errors in the URL

Join in the cybersecurity conversation

The coronavirus outbreak has put into question the present and future state of the cybersecurity industry. With the threat of global attacks rising, the need for a strong cybersecurity plan is more important now more than ever.

Join industry experts for the free W.Media Inside Asia: Technology & Market Next Moves Power Talk on 30th April to explore the impacts of the pandemic on data centers, cloud, 5G, and cybersecurity. And discuss how we can survive and thrive in the post-coronavirus world.

Author

Receive the Latest News

Latest News

Oracle Logo
July 2020

Oracle announces ‘industry’s first fully-managed, on-premises cloud region’

July 2020 | Cloud, Data Center, News | No Comments
Oracle announced the ‘industry’s first fully-managed, on-premises’ cloud region on Wednesday, bringing all their second-generation cloud services directly to customer data centers. The Cloud@Customer service provides enterprise data centers with…
Read More
TM ONE
July 2020

TM to become Malaysia’s first end-to-end Cloud AI Infrastructure Service Provider with Huawei agreement

July 2020 | Cloud, News | No Comments
Telekom Malaysia Berhad (TM) has signed an agreement with Huawei to expand its cloud services and provide Malaysia with its first end-to-end cloud artificial intelligence infrastructure. The TM Cloud α…
Read More
Yotta NM1 data center
July 2020

Yotta to invest $469m in Indian data centers over next two years

July 2020 | Data Center, News, Power Infrastructure | No Comments
Yotta Infrastructure, a Hiranandani Group company, is set to invest US$469m or ₹3,500 crore on three data centers in Mumbai, Delhi and Chennai over the next two years. The facilities…
Read More
July 2020

SpaceDC Indonesia data center becomes the first OCP Ready™ facility in Asia

July 2020 | Data Center, News | No Comments
Singapore-based data center provider SpaceDC has become the first OCP Ready™ facility in Asia. The Open Compute Project Foundation (OCP) awarded SpaceDC’s facility in Indonesia with the certification after demonstrating its…
Read More
AIMS Malaysia Cyberjaya Data Center
July 2020

Malaysia’s AIMS starts constructing flagship Tier III data center in Cyberjaya

July 2020 | Data Center, News | No Comments
Malaysia-based data center operator AIMS has started construction on a flagship Tier III data center in Cyberjaya. The facility will offer 240,000 square feet of white space and a scalable…
Read More
Space DC Vertical Banner
Back to Events
Comments