Zoom Hires Security Heavyweights to Fix Flaws
Zoom Video Communications Inc. is calling in the equivalent of the cybersecurity cavalry after security lapses that have drawn attention from U.S. authorities and raised concerns with customers. Zoom, the online video-conferencing tool that has won mass popularity during the coronavirus pandemic, over the past two weeks has hired dozens of outside security consultants. They include former security and privacy experts from companies such as Facebook Inc., Microsoft Corp., and Google, as Zoom hopes to quickly address questions about security flaws, according to those involved in the effort.
With that move, Zoom is taking a page from the playbook Microsoft deployed almost 20 years ago to restore the image of its Windows software, said Alex Stamos, former chief security officer at Facebook who is helping Zoom manage the effort as a consultant. Microsoft’s pivot to “Trustworthy Computing” in 2002 came after years of security problems left Windows users vulnerable to internet worms and viruses that battered the company’s reputation.
Zoom’s surging popularity as the pandemic forces millions of people to stay at home has attracted trolls and hackers, as well as scrutiny from privacy advocates. The practice of “Zoombombing,” where people gain unauthorized access to a meeting—often to share hate-speech or pornographic images—has emerged as a problem for many users.
The Federal Bureau of Investigation issued a warning in March about videoconference hijacking, spurred in part by Zoombombing incidents. In the U.S., more than two dozen attorney general offices have raised questions about privacy issues, Zoom said, adding it is cooperating with authorities. Zoom has also been hit by reports that security experts have found a number of software bugs and errors in the cryptography it uses to secure conversations.
Zoom, which had 2,532 full-time employees as of Jan. 31, is undertaking the exercise to repair its system and reputation with far fewer resources than Microsoft, then already a software giant, was able to deploy, according to consultants who have worked with the San Jose, Calif.-based company. Zoom was founded in 2011 and went public last year.
Consumer-intelligence company J.D. Power this week said Zoom was the most popular online meeting platform for Americans, with almost half of those surveyed who said they had used video teleconferencing opting for its software over rivals’.
“They’ve been thrust in the spotlight at a level of scrutiny that’s typically applied to the biggest tech companies in the world,” Mr. Stamos said. “Those companies have teams of hundreds of engineers dedicated to security and years of practice.”
Zoom’s approach to security has been under scrutiny from rivals, too. In January, Cisco Systems Inc.—which provides hardware some customers use to run Zoom services but also offers a competing product—threatened legal action against Zoom to stop the company from allegedly rigging Cisco’s system to operate video-conference hardware without previously required passwords, removing safeguards that Cisco had designed, while making Zoom meetings easier to join, said Mark Chandler, Cisco’s chief legal officer.
Zoom, which removed the shortcut, said it opted for this approach because Cisco wasn’t making the tools available to otherwise integrate its software with the hardware customers were using. “We’d love to collaborate at the end of the day,” said Aparna Bawa, Zoom’s chief legal officer. “These are joint customers and we’d like to provide joint solutions.”
With the increased attention from the security community, Zoom is getting more bug reports as more and more hackers examine its software, said Katie Moussouris, chief executive with Luta Security, which has worked with Zoom since the summer of 2019.
Among the security companies that Zoom has now brought on are British security vendor NCC Group PLC, New York-based Trail of Bits Inc., Tempe, Ariz.-based Bishop Fox and Praetorian Security Inc., located in Austin, Texas. Zoom is using threat-intelligence services from CrowdStrike Holdings Inc. and DarkTower, the threat-intelligence arm of Queen Associates Inc., Zoom said.
Zoom Chief Executive Eric Yuan in an April 1 blog post announced Zoom was freezing product development and pledged to spend the next 90 days fixing the company’s security problems. “I really messed up,” he told The Wall Street Journal days later, and said that the company would now prioritize security over ease-of-use.
Other consultants include Lea Kissner, who formerly headed Google’s privacy technology, and Matthew Green, a noted cryptographer and professor at Johns Hopkins University.
Both Ms. Kissner and Mr. Green will be advising Zoom on its end-to-end encryption efforts. End-to-end encryption scrambles communications so that only the people involved in the call can see and hear what is happening. The technology protects users from hackers, but it also prevents spy agencies and law enforcement from listening in.
Zoom originally advertised the feature, but security experts found it only offered a lesser level of protection. Long-term, Zoom aims to build a proper end-to-end video-messaging system that is both encrypted and able to operate at a very large scale, Mr. Yuan said in an email to the Journal. It is “too early to tell when and how we can get there, but we are working on it now,” he said.
Photo: Zoom has won mass popularity during the coronavirus pandemic. -REUTERS