The FTC announced a comprehensive settlement with Zoom regarding many alleged shortcomings in security. As part of the agreement Zoom neither admits or denies any of the allegations.
The allegations of security problems include eye-popping security lapses like storing private recordings on unencrypted cloud storage and not having simple brute force login mitigation strategies.
The agreement requires Zoom to make changes that are intended to improve security.
Some of the changes are incredibly basic, like mitigating brute force password guessing, that it makes a person wonder if Zoom was devoting any resources to user security.
Several of the top allegations against Zoom are:
- Misled Users on Level of Security
- Unencrypted Storage of Recordings in Cloud
- Bypassed Safari Browser Security
- Increased Risk of Video Surveillance
- Deceptive Software Release Notifications
False Sense of Security
The FTC complaint alleges that Zoom engaged in practices that gave consumers a false sense of security.
According to the FTC:
“In numerous blog posts, Zoom specifically touted its level of encryption as a reason for customers and potential customers to use Zoom’s videoconferencing services.
Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Zoom Alleged to Have Increased Risk of Video Surveillance
In perhaps the most disturbing allegation, the FTC said that Zoom’s approach to security increased the possibility that strangers could access private videos.
The FTC alleges:
“…Zoom did not implement any offsetting measures to protect users’ security, and increased users’ risk of remote video surveillance by strangers. The software remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances.
The complaint alleges that Zoom’s deployment of the ZoomOpener, without adequate notice or user consent, was unfair and violated the FTC Act.”
Misled Users on Security
The FTC alleged that Zoom lied to users when it assured users of “end-to-end, 256-bit encryption” when in fact Zoom was using a lesser encryption. End to end encryption is when the data being sent is secure on each end, where only the users can access the information.
The FTC alleges that this was not the case at all, that Zoom was able to break into private Zoom meetings and that the privacy level was lower than they were advertising.
Unencrypted Cloud Storage
Perhaps the most surprising allegation against Zoom is that private videos were stored unencrypted in the cloud.
This is what the FTC complaint alleged:
“Zoom also misled some users who wanted to store recorded meetings on the company’s cloud storage by falsely claiming that those meetings were encrypted immediately after the meeting ended.
Instead, some recordings allegedly were stored unencrypted for up to 60 days on Zoom’s servers before being transferred to its secure cloud storage.”
FTC Proposed Agreement
The FTC proposal has many security related activities that Zoom must comply with. All of them seem fairly basic and common sense.
Here is an overview of the security requirements:
- Annual Security Assessment
- Develop ways to safeguard against security risks
- Establish a vulnerability management program
- Create policies to protect against online attacks
- Create Safeguards Against Unauthorized Access to its Network
- Biennial Third Party Security Assessments
Some of what’s required seems so basic, one has to wonder why Zoom didn’t have these features to begin with. For example, one of the features is rate limiting on login attempts.
Rate limiting is the process of detecting when a software program called a Bot is rapidly requesting web pages and to block them from the website. Blocking these kinds of bots helps prevent them from trying to guess what the password is.
Many web content management systems include different forms of rate limiting or can have it with a plugin. So it’s very surprising that Zoom has to be required to use this, it’s kind of security 101 level of security that all sites should have.
For example, the open source forum software known as phpBB has basic rate limiting built in that enables anti-spambot measures to kick in after a set number of login attempts.
WordPress publishers have a multitude of plugins that can limit the amount of times a bot can try to guess a password and then block them from accessing the site.
The FTC is requiring Zoom to establish policies to protect against online attacks (like password guessing attacks), by requiring Zoom users to use strong passwords, to begin using bot identification procedures to block hackers from attacking the login, rate limiting login attempts, and forcing password resets when credentials are compromised.
All of the above are reasonable anti-hacking measures.
Establish a Vulnerability Management Program
The FTC agreement also requires Zoom to institute proactive security measures like a quarterly security scan and also having a third party security evaluation and stress testing. Stress testing is when a security company inspects and probes the site for security issues.
This is how the FTC describes the quarterly scan:
“Conducting vulnerability scans of Respondent’s networks and systems on at least a quarterly basis…”
Zoom Agrees to Protect Users From Now On
In all, the agreement requires Zoom to begin reasonable security related tasks and activities.
Considering that Zoom is used by companies for whom security is of the essence as well as consumers who expect privacy, these measures should go a long way to help prevent a major security breach, which is good for Zoom and their clients.
“Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.”