As a hacker turned entrepreneur, I’ve spent countless hours analyzing and breaking the security of applications — everything from hospital machines to mainstream consumer banking apps.
Zoom is a mess. People took an application that was mostly free and began distributing it to hundreds of thousands of business users due to shelter in place COVID-19 quarantines worldwide. Free applications, typically, lack the security sophistication to be massively deployed. This massive deployment pumped the stock, which pumped the usage, which pumped the stock. This cycle led to even more users.
With more users, come more hackers. People quickly started analyzing how the application worked and found flaws. The main flaws focused on privacy — leaking data and letting people join in on calls by enumerating and guessing meeting codes. Zoom responded quickly with “CYA” tactics. They hired esteemed security pros to try to quell the drama. This is a classic blunder and often shows how far behind a company is when it comes to security.
Are they to blame? Maybe. Maybe not. How you look at it matters. A startup is inherently cash strapped and often needs to take a lean approach to security. That said, if their application is used in enterprises(and it is), enterprise security standards are of utmost important.
Zoom needs to focus on end-user security, encryption, and ensure that the standard free version of the product has enterprise-grade security. Revenue generating or not, this level of growth and exposure puts them at the top of the list for hackers.
Zoom, as every other application should, needs end-to-end encryption. Whether because of nation-states or malicious users, encryption is important.
The policy standards set for mobile devices and communication within should match video conferencing policies. Personally, what I have found is that regulation around a communication often does not add security; people just cheat the system for the “compliant” checkbox. Policies driven by community and consumer are far more impactful.
Zoom is a great way to keep in touch during the Coronavirus pandemic, but buyer and user beware, if something is free then it always comes with a catch!