On 31st March, Boris Johnson sparked security fears when he posted pictures online of the UK's first ever digital-only Cabinet meeting, including details of how to join the conversation. The Prime Minister, who was self-isolating in Downing Street after being diagnosed with coronavirus, tweeted an image of that morning's meeting, which was held entirely over the Zoom app.
It raised eyebrows because the corner of the screen-grab he shared with his two million followers showed the 'room' ID for the meeting held using the Zoom software. Those who tried to gain access after the meeting were scuppered because the meeting was also password protected. However, it would only have prompted people to start guessing what the password might have been.
Downing Street said it was confident its communications links were secure, despite concerns raised about the apparent use of Zoom to conduct the meetings. A spokesman said Downing Street was 'following all necessary security procedures' and added: 'I am happy to say with confidence we were satisfied it was secure'.
Downing Street continued its use of the video conferencing app even though Zoom had been exposed over its data security protocols and privacy measures. Reported flaws allowed a cyber-attacker to remove attendees from meetings, spoof messages from users, and hijack shared screens. Another problem forced Mac users into calls without their knowledge. Zoom responded to the BBC's request for comment: "Zoom takes its users' privacy, security, and trust extremely seriously.... During the Covid-19 pandemic, we are working around-the-clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational. We appreciate the New York Attorney General's engagement on these issues and are happy to provide her with the requested information," it added.
Since Boris Johnson continued to use the web conferencing service, this will presumably have aided Zoom's user surge from 10m to 200 million daily users, driven by increased high-profile usage. In April, Zoom once again repeated its efforts to identify and fix issues and to prioritise trust, safety and privacy, as there was a worrying pattern of meetings held on Zoom being “bombed” with images of child sexual abuse. This led to Zoom buying security firm Keybase to build end-to-end encryption into its video conferencing product for all users.
During the pandemic, Zoom’s user surge continued to grow exponentially to 300m daily users, including Government users who continued to use Zoom regardless of the claimed security risks and bought hundreds of Zoom accounts. Zoom vulnerabilities continue to expose users and organisations to issues such as:
Fake meeting invites from hackers: Zoom revealed it had patched a vulnerability that could’ve allowed attackers to impersonate legitimate business accounts in order to phish user credentials, steal data, and infect employees with malware.
A flaw that allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants.
Phishing risks to Zoom’s vanity URLs (a custom URL for an organisation, such as yourcompany.zoom.us).
‘Zoombombing’ continued to raise concerns and prompt calls for changes to technology regulation. Andy Burrows, head of child safety online policy at the NSPCC, said Zoom’s ongoing issues were further proof that greater regulation of the technology sector was needed. “It’s frankly dismissive and cavalier of a Zoom executive to say their failings are ‘normal speed bumps’ when it includes adults and children being bombarded with child abuse images on the platform” … “These are not commonplace concerns they can lightly brush off, they are abhorrent crimes with devastating and long-lasting impacts on victims” … “This goes to show the urgent need for the duty of care legislation and for platforms to be built with the safety of children in mind to avoid being forced to play catch-up,” he said.
A government web seminar was hijacked over Zoom by pranksters who bombarded people's screens with porn. The Events in a South Australia meeting was set up to discuss the latest on COVID-19 and was cut short on Thursday when the hackers gained access with publicly promoted login codes.
On this basis, it is still unknown why the government continues to use Zoom when so many matters of security and privacy are unresolved and out of control. It will therefore only be a matter of time before it becomes the victim of one of the many issues outlined above. The government is thus responsible for its own security and for its duty of care to the public when endorsing products that are not fit for purpose. According to its own IT policy, the Government should look to implement the most suitable tools according to the rigorous technology standards set out in the UK’s own legislation.
Sources: https://www.bbc.co.uk/news/business-52115434; Yahoo Finance, 2nd Apr; Zoom buys Keybase; "Zoom Bombing"; "Zoom Bombing May 2020"; Government buys more Zoom licenses; More Security Holes; Cracking Private Passcodes; Vanity URL Phishing; Australian Government