Skype me: How military-banned Zoom wins in the age of Covid-19

The surge in people working from home means video conferencing tools have really taken off - but how secure are they?

Covid-19 and the surge in housebound workers have seen video conferencing tools take a swift uptick in users. And while Skype seems to have become the default verb for video calling, it's not become the default choice. That seems to be Zoom, which is used by UK Prime Minister, Boris Johnson, for top secret cabinet meetings and this week received a military ban due to security fears.

Ease of use has seen Zoom surge in popularity

Zoom is easy to use. That's why my local yoga studio is relying on it to run live classes in the lockdown and why it's become the default for every work call I've been on over the last couple of weeks. It also has a solid reach - with 13 global data centres and a presence in the US, UK, France, Australia, China and Japan - amongst others.

Gartner named it a leader in its Magic Quadrant for meeting solutions for the third consecutive year, last July. And a detailed interview in Protocol this month with Chief Product Officer, Oded Gal, put the platform's secret down to latency. It always aims to stay under 150 milliseconds - the maximum before conversations feel unnatural.

Zoom's security is in question

This January, its vulnerabilities were revealed loud and clear when security researchers found serious flaws in the platform. These could have allowed hackers to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. 

Tom Lysemose Hansen, CTO at Norwegian app security company, Promon, also points to the privacy policy, which lets bosses track employee attention during calls and lets Zoom share the copious amounts of data it collects with third parties.

Employee tracking is also made possible through an in-app feature which alerts the call's host anytime someone on the call doesn't have the Zoom desktop or mobile app in focus for more than 30 seconds. This means that regardless of whether you clicked away from Zoom to take notes, check your email, or respond to a question on another programme, the call host will be notified.

The company's own privacy policy states that Zoom collects information such as names, physical addresses, email addresses, phone numbers, job titles and employers on all accounts created. In the same section on the website under the question: "Does Zoom sell Personal Data?" it reads, "Depends what you mean by 'sell'", and states, rather vaguely, that personal data is shared with third parties for 'business purposes'.

"Businesses - particularly those in the practice of handling sensitive information - and members of the public, alike, should consider using end-to-end encrypted video call apps including WhatsApp, Signal, Viber, and Telegram," recommends Hansen.

All video platforms come with security challenges

Skype, Google Hangout, Cisco, Slack and Microsoft Teams have all seen a huge jump in users during the pandemic. Teams, which was making a big play for Zoom customers earlier in the year, saw Daily Active Users (DAU) going from 32 million to 44 million within one week alone. It's also been offering UK NHS staff the chance to communicate remotely through its platform for free during the crisis.

Yet Colin Robbins, Managing Security Consultant at cyber security services firm, Nexor, warns that all platforms have their issues. When it comes to this type of crisis, where companies are operating fully remotely and many conversations include sensitive information, "then you have to assume that any application like this has security challenges," he says.

He recommends the best and safest thing to do is to run a risk assessment on any software. First you need to assess the supplier and in turn your supply chain, ideally using the NCSC's 'Software as a Service (SaaS) security guidance'. Then do some independent research on the software to find out if, for example, there have been major security breaches reported in the past.

"Each software will be different, so I wouldn't say it's simple enough to state that one is better than the other," he says.

Paul Scholey, Senior Vice President and General Manager, International at BlueJeans Network, another cloud video conference supplier, has similar advice for businesses and identifies three security measures to evaluate when selecting videoconferencing tools: authentication, privacy and monitoring.

Authentication ensures that only authorised participants join calls. Privacy options are about the data that vendors may sell on to third parties, while monitoring lets administrators watch conferences to see how many people have joined, who they are and where they are calling from. So, if an employee appears to be calling from Tokyo and you know he's based in New York, you have the opportunity to remove him from the conference.

"Look for systems that can detect an attack and disable the victim user account immediately," recommends Scholey.  

Pandemic sees security threats to video tools rise

The increased use of these platforms makes them more of an attractive target for hackers right now. "Cybercriminals are aptly deploying sophisticated phishing, drive-by-download and BEC attacks under the guise of scheduling or cancelling an urgent WebEx or Zoom meeting," Ilia Kolochenko, CEO and founder of ImmuniWeb, tells us.

A breach of these platforms' servers could be catastrophic given the sensitive nature of meetings now taking place online. "Such a breach [of Zoom, for example] will provide attackers with a great wealth of opportunities of an unprecedented scale, ranging from data theft related to meetings to mass-trojanisation of users and full control over their devices.

"Companies are especially susceptible to such an attack scenario these days, as working from home often implies insufficient protection of laptops and mobile devices by corporate cybersecurity policies," he adds.

Alyn Hockey, VP of Product Management at data security provider, Clearswift, believes that the biggest security flaw around video conferencing apps is how they are used. "Ultimately users prefer usability over security," he says.

He highlights the ease of file transfer that these tools provide. In terms of collaboration this feature is very useful, but it can be a real risk in terms of accidental disclosure and subsequent data leaks.

When users share their desktop screen, for example, they aren't always vigilant about removing sensitive content, while people that are rushed or distracted can attach files to a chat session which either go to the wrong recipient or weren't what they thought they were sending. Once data has been shared like this, the user loses all control over what happens to it.

"Meeting passwords are a great example [of how people use these tools]," he says. "Zoom gives users the option to set up meetings so that they require a password to enter and doing so makes those meetings much more secure. However, most people do not use that feature. It's a question of usability over security, and many choose the former."