
Home Ministry warns against Zoom. Should you continue using it?

MHA WARNS AGAINST USING ZOOM. SHOULD YOU USE IT?

Zoom is undoubtedly a compelling option, and it’s free! But nothing is free. The Ministry of Home Affairs has issued an advisory against it because of the security and privacy issues involved. Should you continue using Zoom? And if you must, how much can it cost you?

Why do people use Zoom?

The coronavirus pandemic has changed the way businesses, organisations, and institutions go about their work. Country-wide lockdowns around the world have meant that not a single person, except essential services workers, can set foot outside their home. Many organisations have even been forced to adapt to the situation in order to survive, and to come up with products befitting the situation.

The most essential part of keeping this entire process going is coordination between workers, which is forcing them to flock to video conferencing solutions like Zoom, Skype, Microsoft Teams, etc. Since there are no more integrated workplaces and everyone is working from home, the attack surface has decentralised for hackers. Therefore, they too are adapting their methods to loot innocent internet users. Apart from that, there are people using Zoom for hosting parties, religious events, and even a UK cabinet meeting, increasing the number of users exponentially.

Zoom is undoubtedly a compelling option for the work-from-home brigade. There are many pros. A few worth mentioning here: it’s free to use yet gets things done, it is feature-packed, and it is one of the easiest to use out there. This is the reason Zoom cropped up in everyone’s mind once the need to do a video conference arose. It won’t be wrong to suggest that many companies, given the uncertain situation, would have configured Zoom on their employees’ laptops before the lockdown kicked in, to keep the workflow going. Zoom, at present, attracts three times more use than Microsoft Teams.

How did Zoom grow during the coronavirus?

Soon after the lockdown restricted everyone to their living quarters, an influx of new users pushed Zoom’s market cap as high as $42 billion. The platform grew from 10 million [1 crore] in December 2019 to 200 million [20 crores] in March 2020. The daily visitors to its download page witnessed a 535% increase in March.

However, the bullish trend could not be sustained for long: security and privacy concerns bogged it down, and the stock price had dropped nearly 14.5% as of 7th April, 2020. Soon, the New York City Department of Education, NASA, SpaceX, and Google, among many other organisations, banned Zoom. The FBI warned against its use after it received reports from teachers of harassment while using the platform. Taiwan became the first country to ban Zoom and stated that use of the platform would contravene the rules set out under its Cyber Security Management Act, 2019. On 16th April, after CERT-In flagged high-risk threats, the Ministry of Home Affairs issued an advisory stating that Zoom is not a safe platform and also laid down guidelines to ensure user safety.

Is Zoom that bad?

Yes. It is. Admittedly, Zoom was never designed for such wide-scale use.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. …We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate.” - Eric Yuan, CEO, Zoom Video Communications Inc.

Mass adoption of the platform brought greater scrutiny of the service and numerous flaws came to the fore. So as it turns out, we have been using Windows to prevent house breakings. (Unintended Pun!) There are a number of shortcomings in the platform which have been recognised by security researchers. A few notable ones are:

However, just looking at the allegations won’t suffice for an assessment of your security needs. It would be nothing but justified to also look at the conduct of Zoom, both prior and after the fiasco.

How did Zoom handle the situation?

By shooting itself in the foot. The company fixed many issues after they came to light, tightened its privacy rules, and enhanced security features. It went on to clarify that the company only collects user data to improve the service, never allows its employees to access specific content in meetings, and doesn’t sell any kind of user data. The company CEO himself confessed that “we recognize that we have fallen short of the community’s - and our own - privacy and security expectations.” The company proactively addressed user concerns and issued updates. It also self-imposed a 90-day feature freeze to focus on the security issues.

But, then the company confirmed the suspicion that it was perhaps using deceptive techniques by a very weird, hard to digest, explanation.

“When we use the phrase ‘end to end’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.”

So what does this mean for an average Zoom user? It means that the company built trust on free-to-use features with minimum focus on security and privacy, while touting its security as one of the best. No matter what, and for whom, the company designs the software, if it’s available to the public for free, it doesn’t take rocket science to anticipate that the public is going to use it. Had people known about the flawed security practices, the platform would not have become an option in the first place, let alone the business enabler in the times of corona.


If something’s for free, you are the price. Nothing is for free. No matter how much we blame Zoom for its security and privacy overlook, the buck stops with us. The first reason is that Zoom needs to survive as a company. So how does it do that if we don’t pay? It uses our data to generate revenue through ads (or even sell the data), the data that it collects when we use its application. The second reason is, are we ever concerned for security and privacy? We only take reactive measures, if and when something bad happens to us. But security is all about being proactive. Do we put a door in our houses after we are robbed, or before the tragedy strikes? Most of the issues can be resolved with tightened security rules from the application itself.

Nevertheless, since the application has recently been listed on the security watch, it is certain that many more RCEs and vulnerabilities would arise in the coming days. It poses a great threat to you and your meeting partners. So should you continue zooming?

It depends.

It depends on the purpose you are using the application for, and the extent of security that you require for trouble-free operations. Security is contextual. You don’t buy an ultra-secure locker, costing in lakhs, for securing a few thousand rupees. Similarly, using or not using Zoom depends upon your needs. The vulnerabilities, as mentioned above, may be a deal breaker for some, and may not be for others. So here is the context of some of the known vulnerabilities.

No software is free of security vulnerabilities. Several serious vulnerabilities plague Zoom, as they have in the past as well. Dubbed ‘prying eye’, a flaw discovered in October 2019 allowed cyber criminals to snoop on video conferences run on the Zoom and Cisco WebEx platforms. So, it would not be wrong to say that Zoom is just a legitimate piece of software full of security vulnerabilities. The lack of prior scrutiny has suddenly made it a targeted platform. Although the quick response of the company to the discovered security flaws restores some credibility, the deceptive strategy used previously, many undisclosed vulnerabilities, and weird explanations make Zoom a tough product to recommend.

If you must continue with Zoom, how to protect yourself?

Many security issues can be mitigated by getting the basics right. Some mitigating strategies are:

Or even better. Just use some other platform that has better security out of the box!

A special thanks to Adv. Bhagyashree Swami for her vital inputs towards this article!

