“Zoom and doom” and “Zoom bombing” are taking over headlines as the Zoom video conferencing app experiences very public security problems. As the coronavirus social distancing requirement spread, Zoom usage increased by 1,900 percent between December and March, increasing from 10 million to 200 million daily users. Zoom wasn’t ready for the increased demand and the added exposure to security threats that came with it.
This is a perfect example of what can happen when the AppSec side of app development isn’t as strong as it has to be to deal with unexpected events.
Zooming in on video conferencing security
The Zoom app was built for use within companies that have their own in-house IT departments. But usage skyrocketed as social distancing quickly forced most people to work from home. Small businesses, associations, and organizations started using the app to continue to hold meetings and maintain some type of connection between employees and customers.
As usage increased, attackers set their sights on the collaboration app. One of the biggest problems is what has come to be known as “Zoom bombing,” in which attackers gain access to meetings and insert graphic content and other unwanted material into sessions.
As these and other attacks surfaced in the news, a number of Zoom app security issues came to light:
- The video conferencing application does not provide end-to-end encryption, despite claiming to do so. It actually provides transport encryption. With end-to-end encryption, only the meeting participants hold the keys, so content stays encrypted even while it passes through the provider's servers; transport encryption only protects data on the wire between client and server, where the provider can decrypt it.
- Zoom accidentally leaked users’ personal emails and photos, enabling strangers to try to start conference calls with them.
- Zoom’s iOS app was apparently sending data to Facebook without users’ knowledge, prompting a class-action lawsuit against the company.
- Reports surfaced of a bug that attackers can use to steal Windows passwords from users.
- Another security vulnerability allows attackers to take over a user’s Mac and access their microphone and webcam.
- An attention-tracking feature of the app allows the host to see if users click away from the meeting for more than 30 seconds, raising questions around privacy.
- The randomly generated meeting IDs are easily guessed by attackers, making it simple for uninvited people to sneak into meetings.
- Default settings neither require a meeting password nor restrict screen sharing to the host, so anyone who joins can share their screen, making Zoom bombing even easier.
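As an added example (not Zoom's code or anything from the article), here is a small Python model of the two weak defaults in the list above, short guessable numeric meeting IDs and no passcode or host-only screen sharing, next to a hardened configuration and an audit routine that flags the weak one. The settings class, the 128-bit threshold and all helper names are assumptions made for this illustration.

```python
import math
import secrets
from dataclasses import dataclass

MIN_ID_BITS = 128  # assumed policy threshold for an identifier that cannot be guessed


@dataclass(frozen=True)
class MeetingSettings:
    """Constructed settings model for this example; not Zoom's real schema."""
    meeting_id: str
    id_bits: float                # entropy of the ID as generated
    passcode_required: bool
    waiting_room: bool            # host must admit each participant
    screen_share_host_only: bool


def numeric_id(digits: int = 9) -> tuple[str, float]:
    """Short decimal IDs of the kind the article calls easy to guess."""
    mid = "".join(secrets.choice("0123456789") for _ in range(digits))
    return mid, digits * math.log2(10)  # 9 digits is roughly 29.9 bits


def random_token_id(nbytes: int = 16) -> tuple[str, float]:
    """Opaque ID drawn from the OS CSPRNG; 16 bytes gives 128 bits."""
    return secrets.token_urlsafe(nbytes), nbytes * 8


def weak_defaults() -> MeetingSettings:
    """Mirrors the defaults the article criticises: guessable ID, no passcode, open sharing."""
    mid, bits = numeric_id()
    return MeetingSettings(mid, bits, passcode_required=False,
                           waiting_room=False, screen_share_host_only=False)


def hardened_defaults() -> MeetingSettings:
    """Secure-by-default alternative: strong ID, passcode, waiting room, host-only sharing."""
    mid, bits = random_token_id()
    return MeetingSettings(mid, bits, passcode_required=True,
                           waiting_room=True, screen_share_host_only=True)


def audit(s: MeetingSettings) -> list[str]:
    """Return the findings a defender would flag; an empty list means acceptable."""
    findings = []
    if s.id_bits < MIN_ID_BITS and not s.passcode_required:
        findings.append(f"meeting ID has only {s.id_bits:.1f} bits and no passcode backs it")
    if not s.passcode_required:
        findings.append("no passcode: knowing the ID alone grants entry")
    if not s.waiting_room:
        findings.append("no waiting room: uninvited joiners are never screened")
    if not s.screen_share_host_only:
        findings.append("any participant may share a screen")
    return findings
```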
Many of the features that made Zoom so appealing in the wake of COVID-19 (ease of use and access, for example) are now being scrutinized after these security and privacy breaches. The company will need to find the right balance between privacy, security, and usability—fast.
Zoom CEO Eric Yuan has apologized for the security and privacy issues associated with the collaboration app, admitting the product wasn’t ready to handle the dramatic increase in users.
The company has promised to take the following steps to remediate the many issues uncovered:
- Weekly updates on progress being made will be delivered via webinar.
- A feature freeze. All focus will be on addressing the current security and privacy issues, rather than new features.
- Outside expertise to assist.
- A transparency report to detail the requests for data and content from government authorities.
- Enhancements to its bug-bounty program, in which ethical attackers are paid to look for security vulnerabilities.
- Establishment of a council of CISOs across the industry to discuss security issues.
- Internal penetration tests, which look for security vulnerabilities from within the organization, based on a deep knowledge of the infrastructure.
The FBI also released tips for how to protect yourself against video-teleconferencing (VTC) hijacking, such as making sure meetings are private through a password or other controlled access, making sure the vendor uses end-to-end encryption, and keeping software up to date.
Don’t get bombed: Application security top tips
Organizations can learn a lot from the troubles facing Zoom. While it’s true the application was suddenly used in unforeseen ways by millions more people than expected, the episode points to the importance of building privacy and security into application design and development from the start.
The bottom line is this—it doesn’t matter what your intent is when you build an application; you can’t predict the future. You just don’t know how well-used the application will be or what it may morph into (possibly overnight).
Obviously, the best thing to do is treat security and privacy with the same level of attention and care as you do every other feature. Be prepared—for anything.
So what should you do? Start by making a list of all the security vulnerabilities your application will be subject to. These include injection flaws, broken authentication, sensitive data exposure, broken access control, cross-site scripting, and the use of third-party components with known vulnerabilities. For each one, determine how you will prevent it from being exploited.
Here are the top tips from the many articles we have written on application security, along with links to get additional details.
- Make application security a priority from day one.
- Use AppSec metrics to gauge progress and measure how your team is performing when it comes to clean code and remediating security vulnerabilities.
- Hire skilled coders, developers, and security members who understand application security testing and how to fix issues.
- Use a variety of application security testing tools to get comprehensive code coverage.
- Use an application vulnerability manager to correlate the results of your AppSec tools and prioritize the issues that pose the biggest threat, so you can address those first.
- Stay on top of the latest trends and new developments in AppSec, so you’re prepared to address new threats as they emerge.
A proper defense against security vulnerabilities will keep your software applications (and your reputation) shielded from the types of issues Zoom is currently facing. Take the proper steps and execute a formal and comprehensive AppSec strategy to make sure your applications and your company are prepared for anything.