1
00:00:00,000 --> 00:00:04,560
As difficult as isolation and social distancing have been for many of us,

2
00:00:04,560 --> 00:00:10,160
imagine how much more unpleasant things would be without the tech that keeps us all connected.

3
00:00:10,160 --> 00:00:15,360
And perhaps nothing has exploded in popularity recently as much as Zoom,

4
00:00:15,360 --> 00:00:20,880
the teleconferencing and video chat software that has seen huge levels of adoption worldwide

5
00:00:20,880 --> 00:00:27,040
since the start of the COVID pandemic. But now the app is being banned left and right.

6
00:00:27,040 --> 00:00:33,280
Everyone from companies like Google and SpaceX to agencies like NASA and the Australian military

7
00:00:33,280 --> 00:00:38,720
to the entire government of Taiwan has forbidden their people from using Zoom.

8
00:00:38,720 --> 00:00:44,240
But why? Well, there have been a number of well-publicized security problems with Zoom,

9
00:00:44,240 --> 00:00:48,880
which is a little strange considering that we don't really worry all that much about having

10
00:00:48,880 --> 00:00:53,600
our video calls on other platforms being broken into. I mean, when's the last time you worried

11
00:00:53,680 --> 00:00:58,400
someone was going to hack into your call on a platform like Skype, Google Hangouts,

12
00:00:58,400 --> 00:01:05,120
haha, or Facebook Messenger? Well, turns out Zoom has actually had security issues for a while,

13
00:01:05,120 --> 00:01:09,920
but many of them are just now coming to light due to its recent burst in popularity.

14
00:01:09,920 --> 00:01:14,560
Back in summer 2019, there was a widespread security flaw on Mac systems,

15
00:01:14,560 --> 00:01:20,240
where Zoom's installer would effectively turn your computer into a server without telling you,

16
00:01:20,240 --> 00:01:24,240
which made it much easier for a stranger to add themselves to your conference

17
00:01:24,240 --> 00:01:27,440
and look through your webcam with just one errant click.

18
00:01:27,440 --> 00:01:32,720
The feature was put in place to make it easier to jump into meetings without additional clicks

19
00:01:32,720 --> 00:01:37,360
because the web server feature accepted connections that normal browsers wouldn't.

20
00:01:37,360 --> 00:01:42,800
I mean, we all trade security for convenience every day, but that one went a little too far,

21
00:01:42,800 --> 00:01:47,520
don't you think? Apple actually ended up issuing a macOS patch to fix the problem,

22
00:01:47,520 --> 00:01:51,360
but since then, a number of other issues have been discovered.

23
00:01:51,360 --> 00:01:57,520
One was a relatively easy way to bypass email confirmation and gain access to any account

24
00:01:57,520 --> 00:02:03,680
where the email address was known simply by using the same ID tag in the signup page's URL

25
00:02:03,680 --> 00:02:08,880
to access the confirmation page without ever having actually had access to the email account.

26
00:02:08,880 --> 00:02:13,200
No fancy hacking skills needed. And because of how Zoom's permissions work,

27
00:02:13,200 --> 00:02:17,440
a simple attack like this could actually allow an outsider to access

28
00:02:17,440 --> 00:02:22,880
all accounts associated with a domain if the compromised account is from a company rather

29
00:02:22,880 --> 00:02:29,920
than an individual. Wow, that's terrible. Is anybody using Zoom? Okay, good.

30
00:02:29,920 --> 00:02:34,720
Although that issue has been fixed, Zoom's encryption is still rather weak.

31
00:02:34,720 --> 00:02:39,600
In early April of 2020, researchers discovered that the encryption Zoom used at the time

32
00:02:39,600 --> 00:02:46,320
was actually AES-128, not the advertised AES-256, which is much more secure.

33
00:02:46,320 --> 00:02:50,240
Perhaps a larger issue for most people, though, is how easy it is to find

34
00:02:50,240 --> 00:02:52,720
Zoom meetings without even breaking any encryption.

35
00:02:53,280 --> 00:02:58,560
Attackers have had success rapidly trying random IDs until they found some that were active,

36
00:02:58,560 --> 00:03:03,760
making it simple for them to break into meetings and sometimes transmit disruptive or offensive

37
00:03:03,840 --> 00:03:10,640
audio and video, a practice dubbed Zoom bombing. So it's like Chatroulette, but at the office.

38
00:03:10,640 --> 00:03:15,520
And to top it all off, Zoom has been routing lots of traffic through servers in China.

39
00:03:15,520 --> 00:03:19,760
And unlike other countries which have strong privacy protections for user data,

40
00:03:19,760 --> 00:03:23,600
China's government doesn't need a warrant to see what's happening on servers located

41
00:03:23,600 --> 00:03:27,840
inside the country at any given time, raising fears from the privacy conscious.

42
00:03:28,800 --> 00:03:33,280
And if that's not enough, Zoom is also facing issues that aren't strictly its fault.

43
00:03:33,280 --> 00:03:38,000
Zoom's installer has been a favorite target of hackers who are modifying it with malware

44
00:03:38,000 --> 00:03:43,200
and then releasing it back out into the wild. And because so many people are quickly downloading

45
00:03:43,200 --> 00:03:47,680
and signing up for Zoom using existing email and password combos involved in previous data

46
00:03:47,680 --> 00:03:52,640
breaches, it hasn't been tough for attackers to steal accounts. Over half a million credentials

47
00:03:52,640 --> 00:03:56,720
are up for sale on the dark web at the time we wrote this episode.

48
00:03:56,720 --> 00:04:01,520
So what can you do if you're using Zoom and you can't convince your friends or organization

49
00:04:01,520 --> 00:04:04,880
to move to a different platform? Well, the easiest form of risk mitigation

50
00:04:04,880 --> 00:04:08,720
is to simply slap a password on your Zoom meetings, which will effectively stop

51
00:04:08,720 --> 00:04:13,520
Zoom bombing attacks. And there's also an option to lock meetings after everyone has joined

52
00:04:13,520 --> 00:04:18,720
so no unauthorized participants can butt in. If you don't have Zoom yet and you need to install it,

53
00:04:18,720 --> 00:04:23,040
one pro tip is to make sure that you're only installing it from Zoom's official website,

54
00:04:23,040 --> 00:04:26,720
not from some other source that could be giving you a compromised installer.

55
00:04:27,440 --> 00:04:31,840
Of course, with so much public scrutiny, Zoom is attempting to fix some of these issues,

56
00:04:31,840 --> 00:04:35,600
and they won't be rolling out any new features for the next couple of months so that their

57
00:04:35,600 --> 00:04:41,680
developers can focus on security and privacy patches. It just means that given their mentality

58
00:04:41,680 --> 00:04:46,800
around this stuff and that it took this kind of outburst from the public in order to focus on

59
00:04:46,800 --> 00:04:53,440
those things, it just raises the question, should you be trusting them with your messages?

60
00:04:53,440 --> 00:04:56,000
Or should you instead communicate with your colleagues via

61
00:04:56,560 --> 00:05:02,320
pigeons? Like we do. Thanks for watching. Like, dislike, check out our other videos,

62
00:05:02,320 --> 00:05:07,200
and leave a comment with video suggestions so that you can see your idea on TechWiki.

63
00:05:07,200 --> 00:05:12,240
We're not going to pay you for it, but we are going to use it.
