Zoom Cybersecurity Advisory and Assessment

Published on: April 14, 2020

Authors: Johna Till Johnson, CEO and Founder; Irwin Lazar, Vice President and Service Director

The news about Zoom’s security flaws runs the spectrum from over-inflated concerns about privacy to serious concerns about weak cryptography and links to the Chinese.

In Nemertes’ opinion, many (but, importantly, not all) of the concerns are non-issues for the use case of work-at-home corporate employees. For instance, many so-called vulnerabilities require only simple shifts in configuration and adherence to best practices (e.g., the use of passwords, not posting meeting links on social media), which should be de rigueur for any corporate organization with any security policy whatsoever.

Additionally, a much-condemned privacy concern was the “attention-tracking” feature (since deleted by Zoom), in which the meeting’s host is able to detect a lapse in interest by attendees.

However, similar and more invasive remote-monitoring tools have been in place for contact center workers, contractors, and outsourced software developers for several decades. And for that matter, such “invasions of privacy” have been commonplace for blue-collar workers, who have their every motion, including bathroom breaks, digitally monitored and recorded and reviewed by supervisors.

Again, Zoom has since deleted this feature; however, even had it remained, we believe such “privacy concerns” are more a result of knowledge workers’ dawning awareness of the invasiveness of many processes and applications in the digital age than of any new issues.

There are some real concerns, however. In numerous cases, Zoom has taken shortcuts and elected to implement workarounds that intentionally circumvent security controls established by OS platform vendors (Apple and Microsoft), thereby creating vulnerabilities, some serious.

Table of Contents
  • Executive Summary
  • Security and Privacy Issues: Summary and Conclusions
    • Historical Perspective: Apple Mac Vulnerabilities
    • Windows Vulnerabilities
    • Facebook Privacy Concern
    • Attention-tracking and Videobombing
    • The Real Deal: Chinese Keys
    • Encryption Concerns
    • Zoom’s Responses
  • Conclusion
