Multiple state attorneys general are banding together in an investigation of teleconferencing software Zoom, whose exponential growth in the past few weeks amid the social distancing measures imposed during the covid-19 pandemic has been marred by an off-putting number of security issues.
By default, Zoom meetings are public and allow screen-sharing by any participants, allowing random individuals to join meetings they have a link to and broadcast porn, racial slurs, and violent imagery. These so-called “Zoombombings” illustrate that the company has done a poor job of ensuring users are adequately protected against intrusion. The New York State Attorney General’s office started an inquiry earlier this week, and the FBI’s Boston office issued a warning after reports of mass Zoom teleconference hijackings everywhere from schools to businesses. According to a Friday report from Politico, Connecticut Attorney General William Tong now says his state is investigating as well.
“We are alarmed by the Zoom-bombing incidents and are seeking more information from the company about its privacy and security measures in coordination with other state attorneys general,” Tong told Politico in a statement. Tong did not elaborate on who those other state attorneys general were; a Reuters report shed no more light on how many were involved. However, Senator Richard Blumenthal of Connecticut told Politico he had “been in touch with other authorities, and I’ve been in touch with colleagues and I think there’s some common themes in the scrutiny that Zoom is receiving.”
Zoom’s user base has grown from 10 million in December to over 200 million by March, a pace that has far outstripped its handling of the situation. Earlier this week, another major security flaw emerged in the form of an exploit that made it possible for a Zoom user to steal someone else’s Windows credentials. Zoom said it has patched that bug and wrote in a blog post that it will halt all feature rollouts for the next 90 days to focus on resolving outstanding security issues.
Previous screwups by the company included the discovery last year that it had installed insecure, persistent local web servers on Mac devices that exposed users who visited malicious websites to webcam hijacking, which Zoom initially defended as a feature before eventually patching it out under pressure. Reports this week allege that Zoom’s claims to have true end-to-end encryption are incorrect, with an additional report by the Canada-based Citizen Lab on Friday finding that its implementation of encryption is seriously flawed and transmits keys through servers in China, where Zoom could potentially be subject to pressure from state authorities.
It’s not clear whether the state attorneys general inquiries will have any bite or whether they will result in more than a public grilling. Zoom’s blog post from Tuesday asserts that it is taking the complaints seriously.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” CEO Eric Yuan wrote in the post. “We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”