Software vulnerabilities aren’t new. So why has anxiety about Zoom gone next-level crazy? Is a clumsy narrative about Zoom distracting us from bigger risks?
Growing up in the Northern Ireland ‘Troubles’ introduced me to threats and risk management. When the Grand Hotel in Brighton was bombed in 1986 narrowly missing killing the then Prime Minister, Margaret Thatcher, the IRA issued a statement in which they claimed responsibility, saying; “…remember we only have to be lucky once. You will have to be lucky always.” The security challenge was formidable. How do you keep a functioning society and design a security program to identify threats, manage vulnerable assets and avoid collateral damage without massive disruption to everyday life? What’s at stake? What countermeasures are necessary? How do you respond appropriately to incidents?
Equally important to the security apparatus was the narrative. The implementation of security controls also had to be matched with the reasons why: the battle for hearts and minds. The “why” was always more complex than “because security” or “because terrorism”. On both sides of the conflict, political and social support was paramount to the success of measures taken, because some level of either cooperation or understanding by the population was required for them to be effective. Lose the “why” battle, and things were unlikely to go well, or last long.
The parallel of an adversary having to be lucky only once is something that keeps security pros awake at night. Have we done enough? Are we investing in the right things? Have we missed something? I have to say, I have lost sleep over these questions. I have also lost sleep over the narrative of why the measures and interventions being taken to protect an organization matter. This is because a fundamental part of a security program isn’t just investment in technical controls; it’s helping business leaders build their understanding of the threat and that countermeasures make a difference, as invariably many security controls come with trade-offs against user experience and convenience. Just have a look at where airport security went after 9–11.
Why Zoom? Why now?
You only have to go back as far as the year 2015 B.C. (before coronavirus) to remember just how bad video conferencing was to understand why Zoom rose in popularity. How many hours of your life will you never get back from wasting time at the start of a meeting trying to get the video conference to work? Wrong codec. Wrong version of the client. Wrong day of the week. Just pick a reason why stabbing yourself in the eye with a pencil was more attractive than wrestling with a ten-person meeting over one of the other available video platforms. And don’t you dare try and fix it without consulting with the IT Helldesk — here’s your ticket number — see you in a week. You know what I’m talking about? Then along came a company that figured out how to make it “just work”. Never mind how — isn’t it great? No longer will we give up the first 15 minutes of a meeting only to put someone’s mobile on speaker in the middle of the table because the VC didn’t work.
I’ve got 99 (other) problems…
There have been many reports of companies banning Zoom because of (publicity about) security concerns. Truly, the majority of conversations people have had with me about it have centered around perception of the reported security failings and not on a specific risk assessment that highlighted a material issue.
Is recommending to stop using Zoom really being driven by an existential risk to an organization? Does doing otherwise suggest that you do not take security seriously? On the contrary, I would contend that recommending to continue to use Zoom is exactly why you do take security seriously. Because there are hills to die on, and in the realms of knowing what’s more likely to kill you in cyber security, there are 99 other problems that are probably keeping you awake at night more than this. And if there aren’t, bravo; you’ve solved all-the-security-problems!
This is not an apology for Zoom’s security shortcomings nor a reason to bypass existing corporate arrangements. Clearly if your company has a policy to use something else (even if it’s crappy) then a different conversation about productivity versus risk should be had.
Zoom should certainly have been doing better with the security of their platform. But find/replace Zoom with ‘any tech company from the last 20 years’ and the headline reads the same: “researcher finds security flaw in tech product”. This isn’t news — this is business-as-usual. Security researchers discover bugs. Bugs have CVEs issued. Software gets updated. Every… Day… Of… The… Year. Then we move on with our lives.
Looking at the historical record, Zoom haven’t done themselves any favors from past responses to security defects in their software. In July 2019 they had a significant RCE (remote code execution) vulnerability that allowed the camera to be remotely taken over, made worse by the Mac OS implementation and made even worse by Zoom’s bad handling of the original responsible disclosure by a security researcher in early March 2019. Zoom’s poor behavior towards the researcher was particularly disappointing because research, when used for good, improves the software we all use.
Keep calm and stop freaking out
The total freak-out over Zoom security hasn’t been helpful and perpetuates the FUD-narrative (Fear, Uncertainty and Doubt) security teams are infamous for.
Put simply, the security community should be better at communicating the real world implications of Zoom security and privacy concerns and compare with wider risk issues, rather than being viewed in isolation under a microscope.
It is troubling to me that in the year 2020, the narrative for security defects found in Zoom by the security community continues to be of the chicken-little, sky-is-falling, world-ending, somewhat-sanctimonious told-you-so creed I expected from decades ago. Is this really the level of sophistication we are at? The technicalities of being oh-so-correct (yeah, the vulnerabilities are pretty poor) are not playing out well with the hearts-and-minds of businesses that have found tremendous value in the utility and great user experience that Zoom has provided.
The only thing growing faster than the COVID-19 infection rate at the minute is anxiety about Zoom security. I find myself asking — why this? Even given past transgressions by Zoom themselves — why this? If we’re going DEFCON #1 on a security issue then it has to count. There have been some real stinkers of security vulnerabilities discovered over the years and they have required attention, like Heartbleed in 2012. The risk for the security community is that they simply lose credibility of the narrative because, frankly, no-one is going to die from Zoom-bombing. Just saying.
Success begets loathing
The Australians have a great phrase for what is happening with Zoom currently — Tall Poppy Syndrome — the tendency to discredit or disparage those who have achieved notable wealth or prominence. Zoom have gone from a couple of tens of millions of active users to hundreds of millions within a few weeks. They’re the accidental beneficiaries of COVID-19 and the stampede to remote working.
Yet you only have to go back a couple of years to find a similar headline about Skype — described as “terrifying and unfix-able”. The difference was, several hundred million people hadn’t just piled onto Skype within a 3-week time period.
Have a look in the publicly available vulnerability databases and search for your favorite product — almost guaranteed to be a slew of defects. The inconvenient truth is that all software has defects. Good security researchers find new vulnerabilities, good companies patch them and this makes everyone safer. Is Zoom a good company? I’ll leave you to decide that for yourself, but please weigh your answer up against all of the other things you use (because we need to be consistent here).
4 questions to consider before walking up the kill-Zoom hill
- Is there something in your threat profile that would concern you about eavesdropping or data interception? If yes, then you probably already have a more secure alternative available (looking at you, UK Government), OR don’t use Zoom for that purpose.
- Knowing all the other things that could cause harm to you or your organization (and that’s keeping you awake at night), have Zoom security or privacy concerns now risen to surpass all of these? If so, why are these worse than anything else you’ve dealt with that requires such intervention?
- Do you currently have a way to implement software updates and do you regularly do this? Why is Zoom so different that it is unable to fit into the existing risk management regime?
- If you are going to recommend to your organization to stop using Zoom, have you got another option ready to swing into action, with minimal staff retraining or cost implications (because if you’re going to set fire to this you’ll need a good alternative)? BTW — if it’s your corporate policy to use something else — be a good corporate citizen and don’t use Zoom.
I have no doubt that Zoom will emerge from this a stronger company with better security. At the time of writing Zoom have fixed several bugs and committed resources to addressing security concerns. How they balance the trade-offs with user experience remains to be seen. They’re not the first company to optimize for product features over security and they won’t be the last. Everyone should be doing better in that respect. But in a world of uncertainty it’s never been more important for the security community to help businesses navigate their understanding of security risks. Keep calm and patch on.
For a full run-down of current Zoom security issues, Tom’s Guide provides a good summary.