Have You Been Zoom-Bombed? Experts Blame Security Flaws, China Ties


Photo by Teeejayy via Flickr

Executives of the videoconferencing platform Zoom are struggling to resolve security problems caused by its “overnight” emergence as a lifeline for millions of Americans who have been home-bound because of COVID-19.

But they may be fighting a losing struggle against technical overload, complicated by possible interference from foreign actors like China, according to media reports reviewed by The Crime Report.

“Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February. This includes over 90,000 schools across 20 countries that have taken us up on our offer to help children continue their education remotely,” Zoom founder Eric Yuan wrote in a blog post.

“To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million.

“In March this year, we reached more than 200 million daily meeting participants, both free and paid.”

A study published April 3 by the University of Toronto’s Citizen Lab found new and significant security flaws in Zoom, including ties to China. According to Yahoo Finance, Zoom is facing several investigations in relation to data privacy and security.

The company is facing a backlash from users worried about the lack of end-to-end encryption of meeting sessions and “zoombombing,” where uninvited guests crash into meetings.

Elon Musk’s rocket company SpaceX recently banned its employees from using Zoom, citing “significant privacy and security concerns,” while Taiwan’s cabinet has told government agencies to stop using the app, according to media reports.

On Monday, New York City’s Department of Education announced it is banning the use of Zoom for online learning classes and is recommending Microsoft Teams instead, according to The Washington Post.

Zoom was slapped with a class action suit on Tuesday by one of its shareholders, accusing the video-conferencing app of overstating its privacy standards and failing to disclose that its service was not end-to-end encrypted, Reuters reported.

Shareholder Michael Drieu claimed in a court filing that recent media reports highlighting the privacy flaws in Zoom’s application have caused the company’s stock, which had rallied for several days in the beginning of the year, to plummet.

Hackers have zeroed in on Zoom.

“On April 1, an actor in a popular dark web forum posted a link to a collection of 352 compromised Zoom accounts,” a spokesperson for cybersecurity firm Sixgill wrote in an email reported in Yahoo News.

“In comments on this post, several actors thanked him for the post, and one revealed intentions to troll the meetings.”

According to Sixgill, these links included email addresses, passwords, meeting IDs, host keys and names, and the type of Zoom account. Most were personal, but not all.

Sixgill said “one belonged to a major U.S. healthcare provider, seven more to various educational institutions, and one to a small business.”

In just the last week, “zoombombing” has become prevalent. Uninvited participants to Zoom conferences are unleashing harassment and abuse.

An analysis by The New York Times found 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, “sharing meeting passwords and plans for sowing chaos in public and private meetings.”

The New York Times reported that on March 29, Zahed Amanullah was in the middle of a call he had organized with the Concordia Forum, a global network of Muslim leaders, about maintaining spirituality and wellness during the COVID-19 crisis, when suddenly a cursor began to draw a racial slur across one of the slides.

‘Zoom Bug’

Theft could result from hackers getting inside computers through Zoom.

According to TechCrunch, two security researchers found a “Zoom bug” that can be used to steal Windows passwords; another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

The China connection was inadvertent, say company officials.

Some Zoom calls made by U.S. and Canada users were routed through key management systems in China despite having no China-based participants, Yuan said, adding the company has corrected the flaw.

“It is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect,” the Zoom founder said.

“We have since corrected this, and would like to use this blog post to explain how our system typically works, where our misstep occurred, and how we will prevent these kinds of problems in the future.”

Nancy Bilyeau is deputy editor of The Crime Report
