Despite efforts to ramp up security measures, video conferencing software provider Zoom is finding itself banned from education departments and major corporations like SpaceX.
New York City's Department of Education has banned teachers from using the popular video conferencing tool, Zoom, to teach students remotely during the COVID-19 outbreak. Originally, teachers preferred the platform because its minimal setup and simple design mean both teachers and students have fewer issues using it compared to other conferencing platforms.
However, with the rise in "zoombombing" incidents, educators are beginning to worry for the safety of teachers and students alike.
"Zoombombing" occurs when a bad actor takes control of a Zoom conference call. Many times, the hijacker will remain silent and merely observe the calls. Other times, they use it as a platform to harass viewers, posting shocking images and using hate speech. According to Business Insider, incidents were reported to have happened in online classes, corporate gatherings, and even a virtual Alcoholics Anonymous meeting.
The FBI issued multiple public warnings about Zoombombing. It ultimately made a public statement on its website about using the software.
#FBI warns of Teleconferencing and Online Classroom Hijacking during #COVID19 pandemic. Find out how to report and protect against teleconference hijacking threats here: https://t.co/jmMxyZZqMv pic.twitter.com/Y3h9bVZG30
-- FBI Boston (@FBIBoston) March 30, 2020
Schools aren't the only ones banning Zoom, either. On March 28, Elon Musk's SpaceX banned the program, instructing employees to use email, text, or phone calls as alternative methods for communication. The Australian Ministry of Defense has also banned any use of the software.
Zoom announced on April 2 that it would be entering a 90-day development freeze as it sought to address privacy concerns. The company plans on bolstering its security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.
Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." The company plans on preparing a transparency report to handle requests for data, records, and content. The company will also host a weekly webinar to provide security updates to Zoom users.
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without users' permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they were on, and what city and time zone they were connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption when the service did not possess those features.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" its camera and microphone permissions, allowing the attacker to hijack the camera and microphone without a user's knowledge.