Wednesday, April 01, 2020

Zoom-bombing is now a thing (yawn...)

In these strange days when everyone and their dog is using the video-conferencing app Zoom, there are more and more questions being asked about how secure the platform is.
It is now ranked as the number one app in the US, and number 2 in the UK, and its share price has just about doubled in the last couple of months. While it may be fine for my wife to participate in her virtual gym class, when we see Boris Johnson using it to host a cabinet meeting, security becomes kind of important (especially given that the UK Ministry of Defence has banned its staff from using Zoom for that very reason).
Zoom just doesn't offer end-to-end encryption (encryption that ensures that no-one other than the invited participants can see a meeting), which should be an issue for companies and governments who are using it for sensitive political or commercial purposes. In the past, various security concerns have been voiced about the app, including the possibility of attendees being removed from calls, spoof messages from users, hijacked shared screens, even a vulnerability that allowed some users to be forced into a call without their knowledge. There have also been complaints about the "employee tracker" feature that allows hosts to check whether attendees have been paying attention.
Now, the issue is "Zoom-bombing", in which perfectly wholesome shared video calls can be interrupted by pornography or hate speech. For instance, a meeting of black journalists is taken over by racist chants and pornographic images, a virtual synagogue service is hijacked by anti-Semitic ravings, recovering alcoholics are harassed by trolls who break into an online AA meeting, several online classrooms have been hacked and had to deal with racist and pornographic images (one such example causing Singapore to ban the use of Zoom for online education), etc, etc. (Why does almost all this stuff involve racism? What is the relationship between hacking and the ugly extreme of the far right?)
There ARE security settings and means by which crashers can be excluded or controlled, as the Zoom Blog explains, but whether this keep EVERYONE out, I don't know. All successful technologies seem to have to go through this proving process, as hackers around the world, with apparently nothing better to do, try their damnedest to show that they can hack through any security. It's a bore, but it's a fact of life.

UPDATE
And, as one security hole closes, another opens up. Now, it seems that many Zoom chats that were saved to the cloud, either deliberately or accidentally, are visible to all and sundry. The Washington Post reports that thousands of Zoom chats are accessible online, partly because of the way that saved files are named. The Post was able to access any number of video sessions, from one-on-one psychotherapy sessions to small company financial meetings to elementary school classes to a demonstration of how to give a Brazilian wax.

No comments:

Post a Comment