Video conferencing tech used by UK government, but not cleared for ‘secret’ discussions
ANALYSIS The lockdown prompted in response to the coronavirus pandemic has seen usage of Zoom skyrocket, renewing security and privacy concerns about the video conferencing app.
But do any of these criticisms hold weight? Is Zoom ready for business use on a global scale? We take a closer look into the hugely popular remote conferencing app.
Zoombombing and privacy pleas
Meetings held over Zoom can take place without passcodes, offering convenience but also allowing pranksters or worse to jump into discussions uninvited – a phenomenon that has even spawned its own term: ‘zoombombing’.
Problems in this area can be managed by checking permissions, a process many new to the technology may be unfamiliar with, but an area in which Zoom itself has been proactive in helping users to navigate.
In one example cited by Searls, Motherboard discovered last week that Zoom’s iOS app sent data to Facebook, even for users who had no Facebook account.
Zoom removed the offending code soon after the practice was uncovered.
“Zoom takes its users’ privacy extremely seriously and the company has taken action to address the Facebook SDK [Software Development Kit] issue,” a company spokesperson told The Daily Swig.
In a blog post, Searls welcomed the re-write as “far more clear than what it replaced”, while arguing that Zoom ought to go further is distancing itself from the adtech business.
“There will be no need for Zoom to disambiguate services and websites if neither is involved with adtech at all,” he said. “And they’ll be in a much better position to trumpet their commitment to privacy.”
Va va Zoom
A security vulnerability that surfaced last year allowed miscreants to hijack people’s webcams through Zoom. At the time, the app’s developers were criticized for their alleged failure to address the issue promptly.
However, the organization’s response to challenges to marketing claims that it offers end-to-end (E2E) encrypted sessions to meeting hosts has been far less assured.
What Zoom offers could be more accurately described as ‘end-to-end transport security’, where connections are protected by encryption but Zoom itself is able access data and might therefore by obliged to turn over its cloud-hosted content in response to government subpoenas or other mandated requests.
The cloud-based video conferencing firm has become a fashionable target for white hat hackers, and there’s little doubt that Zoom is going to come under even more intense scrutiny and probing over the coming weeks.
“Zoom is going to need to demonstrate more transparency, including putting a security face to all of these responses,” Alex Stamos, the former chief security officer at Facebook, commented on Twitter.
“A documented 30-day security plan that includes a feature freeze, several professional pen tests and rolling out coordinated disclosure policies would be smart.”
Zoom has been proactive in addressing users’ privacy concerns
Zooming into Cabinet
Video conferencing from Zoom is reliable, functional and easy to use. That means qualms from some in the infosec community that the app has a bias against introducing security controls that might introduce friction are not cutting through to mainstream business.
The technology’s obvious utility in the midst of an unprecedented global health crisis that has resulted in millions working from home in front and center for a growing number of organizations.
As a result, Zoom is cropping up in all sorts of unexpected places.
Despite reports that the technology was prohibited by the UK’s Ministry of Defence, at least part of a government Cabinet meeting was held on Zoom last week
British Prime Minster Boris Johnson used his official Twitter account to herald the “first ever video conference Cabinet meeting”.
This week’s UK Cabinet was entirely virtual. Johnson promoted this by posting a screenshot on Twitter that contained the Zoom meeting ID and cabinet member’s usernames.
Even though the meeting was password protected – avoiding the most obvious Zoombombing risk – publicly exposing the meeting ID still smacks of inviting trouble.
Use of cloud-based video conferencing technology in cabinet meeting was, in principle, permissible, a spokesperson for the UK government’s National Cyber Security Centre (NCSC) told The Daily Swig.
“In the current unprecedented circumstances, the need for effective channels of communication are vital. NCSC guidance shows there is no security reason for Zoom not to be used for conversations below a certain classification.”
Asked to clarify what level of classification was allowable on Zoom or comparable technologies a UK government spokesperson explained: “We’re talking about discussions at official level (so not discussions at a higher level of sensitivity).”
The NCSC recently issued guidance to organizations on how to manage the cyber security challenges of increased home working in the midst of the coronavirus pandemic.
The document offers common sense general advice. “We’re updating guidance regularly, so I’ll let you know if/when we have more on videoconferencing,” a NCSC spokesperson told The Daily Swig.