
Zoom rapped over historic security practices

The US Federal Trade Commission rules that Zoom’s practices undermined the security of its users

Videoconferencing provider Zoom will be required to implement further measures to ensure the security of its service, and has been prohibited from making misrepresentations about its privacy and security, in a settlement with the United States Federal Trade Commission (FTC) over historic malpractice.

The FTC said Zoom engaged in a series of “deceptive” and “unfair” practices that undermined the security of its user base, which has grown dramatically during the pandemic. At the tail end of 2019 Zoom booked 10 million daily participants in Zoom meetings, and this had risen to 300 million as of April 2020.

“During the pandemic, practically everyone – families, schools, social groups and businesses – is using videoconferencing to communicate, making the security of these platforms more critical than ever,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Smith.

The FTC’s complaint alleged that Zoom misled users by claiming to offer end-to-end, 256-bit encryption when this was not the case. In reality, Zoom itself held the cryptographic keys, meaning the company, and not only the meeting participants, could have accessed the content of users’ meetings, which is incompatible with end-to-end encryption. It also secured meetings in part with a lower level of encryption than the 256-bit it had promised.

The FTC said this created a false sense of security among users, particularly among those who may have used the service to, for example, discuss sensitive business topics, financial matters, or health.

It said Zoom also misled users who chose to store recorded meetings in Zoom’s cloud storage by claiming that those recordings were encrypted immediately after the session ended, when in fact some recordings were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.


The complaint also alleged that Zoom compromised the security of Mac users by secretly installing its ZoomOpener web server software on their machines during a manual update for its Mac desktop app in 2018. This software allowed Zoom to launch its client automatically and join users to a meeting, bypassing a safeguard in Apple’s Safari web browser that was designed to protect users from malware by asking them, via a pop-up warning, to confirm that they wanted to proceed.

This part of the complaint alleges that Zoom did not implement any offsetting measures to protect users’ security, and in doing so may have increased the risk of remote video surveillance by malicious actors.

Furthermore, ZoomOpener remained installed on Mac computers even if the user deleted Zoom itself, and in certain circumstances could reinstall Zoom. The ZoomOpener web server has since been removed by an automatic Apple update released in July 2019, but the FTC holds that deploying it in the first place without adequate notice or user consent was unfair and violated the FTC Act.

Zoom will now be required to set up a comprehensive information security programme and implement specific measures to address the problems named in the FTC’s complaint.

These include requirements to assess and document internal and external security risks annually and develop safeguards against them; to implement a vulnerability management programme; to deploy safeguards such as multi-factor authentication, institute data deletion controls and take steps to prevent the use of known compromised user credentials; and to review any future software updates for security flaws and ensure that updates do not circumvent any third-party security measures.

It will also have to submit to biennial assessments of its security programme by an independent third-party auditor, which the FTC has the authority to approve.

End-to-end encryption

The measures demanded by the FTC formalise, to some extent, a series of steps that Zoom has already taken of its own accord since issues over the security of its platform first bubbled to the surface in the spring. It has, for example, now implemented end-to-end encryption and two-factor authentication, among other things.

A Zoom spokesperson said: “The security of our users is a top priority for Zoom. We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programmes.

“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC. Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.”
