Zoom to Halt Feature Development to Bolster Privacy, Security for COVID-19

April 02, 2020 - Zoom announced it plans to enact a freeze on all feature development and shift its engineering resources for the next 90 days to focus on privacy and security issues, in light of recent cybersecurity concerns that have emerged during the Coronavirus pandemic.

The videoconferencing platform has a healthcare-specific service. Meanwhile, the Office for Civil Rights has lifted penalties for HIPAA noncompliance around expanded telehealth use during the crisis. Zoom was listed as an acceptable platform for this use, which means providers can use the platform for remote care or consultations.

“Usage of Zoom has ballooned overnight – far surpassing what we expected when we first announced our desire to help in late February,” Zoom CEO Eric Yuan wrote. “To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million.”

“In March this year, we reached more than 200 million daily meeting participants, both free and paid,” he continued. “For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus… However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry.”

The news follows the launch of an inquiry into the platform by Sen. Richard Blumenthal, D-Connecticut, who sent the videoconferencing service vendor a letter to gain insight into their privacy and security policies and technologies after reports showed several privacy issues were putting user data at risk.

READ MORE: Amid COVID-19 Telehealth Use, Sen. Probes Zoom on Privacy Practices

For one, researchers reported vulnerabilities in the Zoom platform allowed unauthorized individuals to identify and join active meetings. While mitigations were released, the Senator blasted the effort as incomplete.

Check Point also discovered a serious increase in hackers targeting Zoom domains for malicious activities. Zoom was also forced to remove its Facebook Software Development Kit from the platform, after it was discovered the app was sharing some user data with the social media giant.

This week two more vulnerabilities were made public: the Zoom Windows client leaked network credentials, given the app rendered UNC file paths as a clickable link in group chat windows, and a vulnerability in the macOS Zoom installer was found to be using insecure APIs. SpaceX and NASA have both banned employees from using Zoom, in light of these concerns.

Zoom has since released fixes to the most recently discovered vulnerabilities. The new blog post from Yuan is designed to address user concerns and explain the company’s efforts to improve the platform’s security posture.

“We have been working around the clock to ensure that all of our users – new and old, large and small – can stay in touch and operational,” Yuan wrote. “[Zoom] was built primarily for enterprise customers – large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices.”

READ MORE: Zoom Domains Targeted by Hackers, as Use Surges with COVID-19

“Thousands of enterprises around the world have done exhaustive security reviews of our user, network, and data center layers and confidently selected Zoom for complete deployment,” he added. “However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”

As a result, there are a myriad of users leveraging Zoom in unexpected ways that have presented new challenges not anticipated by the platform’s initial design. Yuan explained the new use cases have brought to light new privacy and security – and the scrutiny has been embraced by platform as it “will make Zoom better, both as a company and for all its users.”

In light of the rapid increase of use and these concerns, Zoom has been offering both free training sessions and tutorials to ensure users can better understand the best and safest ways to use the platform, including guidance on virtual classrooms.

Zoom has also since updated its privacy policy to be more transparent, given criticisms around its end-to-end-encryption claims, while removing the attendee attention tracker feature.

For the next 90 days, Zoom will be conducting a comprehensive review with assistance from third-party experts and users to better understand the security needs of new consumer use cases, in addition to preparing a transparency report outlining requests for data, records, or content and enhancing its current bug bounty program.

READ MORE: COVID-19 Cyber Threats: Hackers Target DNS Routers, Remote Work

Zoom will also launch Chief Information Security Officer Council with leading CISOs in an effort to  jumpstart a dialogue on privacy and security best practices. The platform will also undergo white box penetration tests to find and address any privacy and security issues. Yuan will also host a weekly webinar to provide privacy and security updates.

“Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform,” Yuan wrote.

“We welcome your continued questions and encourage you to provide us with feedback,” he added. “We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.”