Zoom faces serious security concerns

Hugely popular since the lockdown began, the videoconferencing service is also in the hot seat over its security vulnerabilities and privacy problems. Measures have been taken to correct the situation and reassure users.

The lockdown measures taken by many governments around the world have led to a rush for videoconferencing solutions, whether for teleworking, home schooling or, more simply, video calls between relatives. Alongside the already popular Skype, WhatsApp, Facebook Messenger, FaceTime and Discord, Zoom has been a resounding success, to the point of becoming the most popular application of the moment. In the space of a few weeks, this solution, mainly intended for professionals and businesses, has gone from 10 to 200 million daily users! It must be said that it does not lack strengths: in addition to its ease of use and its performance, it makes it possible to bring together a large number of participants, even in its free version (see our Factsheet on organizing group calls).

However, this sudden popularity has also aroused the curiosity of various experts, who had the unpleasant surprise of discovering numerous security flaws and serious privacy problems in the service. To make matters worse, Zoom's success has also attracted the attention of hackers looking to exploit those flaws to recover data, as well as intruders (trolls) who barge into discussions thanks to unprotected invitations.

We learned that the iOS version of the Zoom mobile application sent data to Facebook without users' consent, and that the service's integration with the professional social network LinkedIn made it possible to reveal participants' professional profiles, again without their agreement, even if they were logged in anonymously! In addition to these intrusive practices, which are obviously commercially motivated, Zoom has been singled out for its encryption. According to specialists from The Intercept, and contrary to what Zoom suggests on its website, conversations are reportedly not end-to-end encrypted, as they are on competing systems. And according to security experts from The Citizen Lab, the service reportedly does not use AES-256 as indicated on its site, but the previous generation of this encryption technology, AES-128, which is much less robust. Worse, some of the keys used for encryption are reportedly issued by servers located in China, a country with a poor reputation for digital security.

Other glaring flaws, some of them old and within the reach of any hacker, have also been detected. On Mac, it was possible to activate the webcam without the user's knowledge via a server that Zoom installed on the computer, a problem fixed directly by Apple in 2019. On Windows, the instant messaging feature allowed external links to be injected in order to retrieve the user's password hash. On another front, the site Vice revealed that people using the same domain name for their email addresses, such as @free.fr or @orange.fr, were automatically grouped in the same address book, so they could access the profiles of complete strangers and contact them by video!

Finally, in addition to many other security vulnerabilities highlighted by multiple specialists, the FBI has drawn attention to a trend that is gaining momentum: zoombombing. The famous American investigative agency explained that pranksters managed to break into virtual meetings by recovering invitation links innocently shared by participants, going as far as hurling insults or broadcasting pornographic videos through screen sharing. These many problems have led prestigious and serious organizations like NASA and SpaceX to ban their employees from using Zoom, given the sensitive information they handle … The New York Department of Education has decided to ban Zoom for managing lessons for school children in lockdown, and the government of Taiwan has done the same for its various administrations.

As you might expect, this criticism and these problems were not good publicity for Zoom, which saw its share price drop after certain revelations. Fortunately, after acknowledging its mistakes, the company reacted fairly quickly by urgently fixing some of the flaws and by requiring a password by default to protect group conversations. The new version of the application, published on April 8, thus includes several measures intended to strengthen security and privacy, as the company explains in a statement. These are welcome, and essential, efforts that will reassure the general public, but it will undoubtedly take a little more time to fully regain the confidence of institutional users.
