BYOD on steroids. That’s the best way to describe the sudden shift to a remote working posture that occurred in response to COVID-19. Organizations of all sizes made an immediate pivot to support employees’ new work from home arrangements, with very little preparation and no opportunity for a gradual rollout. Before coronavirus, working from home was the exception, but in an instant, it became the norm and the working world immediately felt the impact.
Teleconferencing companies like Zoom went from a high-tech favored product to a mainstream tool for students, families, governments, and companies of all sizes. Wall Street traders at Goldman Sachs and other firms prepared for remote trading by quickly setting up special video conferencing setups to run all day. And it wasn’t just the private sector — even the UK Prime Minister and the Pentagon turned to Zoom to make remote work possible during a time of global crisis. With a high profile and perhaps a bullseye on its back, Zoom’s security practices quickly came under the spotlight.
A Bomb Goes Off
Along with Zoom’s meteoric rise came stories of video-teleconferencing hijacking, also known as “Zoom-bombing,” with multiple reports filed with the Federal Bureau of Investigations of conferences and classes being disrupted with pornographic and/or hate images and threatening language. The FBI’s Boston division reported two schools in Massachusetts fell victim to “Zoom-bombing” in March. One local high school reported that an unidentified person dialed into a classroom via Zoom, yelled a profanity, and then shouted the teacher’s address in the middle of the lesson. A second Massachusetts school reported someone infiltrated one of their Zoom meetings and displayed images of swastikas. And it’s not just schools — during a recent sermon live-streamed by the First Baptist Church in Jamaica Plain, a Colorado man hacked into Zoom and began spouting off homophobic rants and gibberish.
As countless businesses, schools, and religious institutions turned to online and digital solutions during social distancing intended to combat the coronavirus outbreak, the FBI issued a warning about the potential for video-conferencing call hijackings, but that was just the tip of the iceberg.
Zero Days See the Daylight
Beyond countless reports of Zoom-bombing, in late March, news made the headlines surrounding two zero-days discovered by former NSA hacker and Jamf Principal Security Researcher, Patrick Wardle. With physical access to a victim’s Mac, the first bug would allow a hacker to escalate their privileges, gain and maintain persistent access to the victim’s computer, and install malware or spyware. The second bug could enable an attacker to inject malicious code into the platform and eavesdrop on conversations by gaining the same access to the microphone and camera as the user. The good news is that both bugs were immediately patched by Zoom, but the bad news is that attackers are opportunistic, as they will seek the next media darling – going where the action is -– despite all our best efforts. So we can anticipate that more vulnerabilities will be found. It’s a vicious cycle.
Who’s Next?
What we all need to realize is this: Zoom is not alone. Many other organizations are ramping up capacity, support, and security requirements as their corporate clients move to home-based operations, so it’s likely Zoom is only the first of many tools to be thrust into the spotlight. Popularity and explosive growth lead to scrutiny — look no further than the popular coronavirus gaming app Houseparty and you’ll find confirmation of this notion. Perhaps Houseparty was more prepared for its growth, but it’s worth noting that Zoom took full responsibility for its posture, committing resources to fixing the problem and accepting responsibility in a public statement issued on April 1st: “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”
Bottom line is that the home network has become an extension and temporary replacement of the corporate network, which has brought to light countless security concerns. As people continue to use video teleconferencing for business and teaching purposes, the FBI recommends being careful and cautious in cybersecurity efforts, primarily making meetings and classrooms private and requiring participants to enter a password to participate. But beyond fine-tuning your Zoom controls and locking down security settings, organizations across industries should look to implement robust security measures that protect against the dangers of shadow IT. While we eagerly await a vaccination for the virus that’s ravaging our world, it’s important that enterprises also look to inoculate themselves against future cyber threats to stay a step ahead of adversaries.
