Kehoe Law Firm, P.C. is making consumers aware of the following Zoom-related software security issues:
Videos Recorded Through Zoom’s Software Saved Onto Separate Online Storage Space Without a Password

On April 5, 2020, divvycloud.com reported (“Zoom Recordings Exposed“) that

[u]nfortunately, last week, The Washington Post found that videos recorded through Zoom’s software were saved onto a separate online storage space without a password. And because Zoom uses a standard naming convention for every video recording, a simple online search revealed a stream of videos available for anyone to watch, download, or use for exploitation. Zoom failed to secure many video recordings covering sensitive business matters as well as the health, welfare, and education of our families, families, and loved ones. 

Zoom, like many other companies before them, made a mistake. However, their mistake likely happened in part, because of the current [Coronavirus] crisis and subsequent increase in demand for their product, which helps people stay connected in times of quarantine. Zoom may have had no choice but to forgo security and speed up efforts and in doing so, made a terrible choice between innovation and security leading to their resulting data breach. [Emphasis added.]

Zoom Makes Admission That It “Mistakenly” Allowed Calls To Go Through China

On April 5, 2020, finance.yahoo.com reported (“Zoom Admits Some Calls Were ‘Mistakenly’ Routed Through China“) that

[p]opular video-conferencing company Zoom Video Communications . . . admitted that it had ‘mistakenly’ allowed calls to flow through China, adding to a number of mis-steps raising doubt on the security of the platform.” [Emphasis added.]

Zoom said in a statement on Friday that certain meetings held by its non-Chinese users may have been ‘allowed to connect to systems in China, where they should not have been able to connect’.

‘In February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand,’ said Zoom CEO Eric S. Yuan. ‘In our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to connect to them.’

According to finance.yahoo.com, “Zoom’s statement was triggered by research from Citizen Lab, which found that in some cases, the company’s encryption keys had significant weaknesses.” [Emphasis added.]

Zoom’s Video Software Security Subject of Class Action Lawsuit

On April 3, 2020, a class action lawsuit was filed against Zoom Video Communications, Inc. in United States District Court, Central District of California, “on behalf of all similarly situated consumers who used and/or purchased the Zoom software Product believing that the Product was secure and that their information was safe.”

According to the class action complaint:

Zoom sells the private information of its 200 million users without their knowledge or permission. Zoom also falsely advertises end-to-end encryption. While many companies are prioritizing people over profits to fight COVID-19, Zoom is prioritizing profits over people. Zoom is capitalizing off of the global pandemic by selling user information to Facebook without user consent. Zoom compounds this felony by falsely advertising that its software is equipped with end-to-end encryption. Zoom pedals its products knowing that hackers are accessing to user webcams, exposing its users to extreme invasions of privacy. [Emphasis added.]

Zoom, according to the class action complaint,

. . . consistently violates its duty to implement and maintain reasonable security practices, and misleads consumers about the security benefits of the Product.

Due to the challenges associated with the COVID-19 pandemic, Zoom’s popularity has skyrocketed in recent months. Businesses, schools, and other consumers are working to find the most efficient way to operate and communicate while quarantined at home. As a result, many of these organizations are turning to Zoom’s video conferencing software.

Zoom consistently violates its duty to implement and maintain reasonable security practices, and misleads consumers about the security benefits of the Product.

Zoom collects private information about Zoom users and discloses this information to Facebook and other third parties for financial gain. Zoom intentionally omits this fact from its privacy policy and misleads reasonable consumers to believe that the information they share is private.

Zoom claims to offer users the privacy and protection of end-to-end encryption, the most secure form of internet communication. In reality, Zoom does not offer end-to-end encryption, and its software cannot even support such security measures. Zoom accesses private information that users share on the Zoom network.

Zoom fails to remedy a known vulnerability that allows hackers and other websites to forcibly join a user to a Zoom call without their permission. This has led to serious invasions of privacy and allows hackers to target users with specific advertisements. [Emphasis added.]

The class action seeks injunctive relief and restitution against Zoom for its alleged false and misleading statements concerning the advertising of Zoom’s software Product.

FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 30, 2020, the FBI issued the following warning (“FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic”):

As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the COVID-19 crisis, reports of VTC hijacking (also called “Zoom-bombing”) are emerging nationwide. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language.

Within the FBI Boston Division’s area of responsibility . . ., which includes Maine, Massachusetts, New Hampshire, and Rhode Island, two schools in Massachusetts reported the following incidents:

  • In late March 2020, a Massachusetts-based high school reported that while a teacher was conducting an online class using the teleconferencing software Zoom, an unidentified individual(s) dialed into the classroom. This individual yelled a profanity and then shouted the teacher’s home address in the middle of instruction.
  • A second Massachusetts-based school reported a Zoom meeting being accessed by an unidentified individual. In this incident, the individual was visible on the video camera and displayed swastika tattoos.
Kehoe Law Firm, P.C.