Perhaps this situation has sounded very familiar to you in recent weeks: you have been working all day, from home of course. You have had to speak with colleagues, clients and suppliers. In some cases a phone call was enough; in others you needed a video call, which lets several people gather almost as if it were a face-to-face meeting.
In parallel, your children have been connected to their school or university, and have had classes and tutorials with their teachers by videoconference. To end the day, you have all connected with grandparents, cousins or friends to see their faces and find out how they are.
How many different applications or plugins have you installed, configured and used to carry out all these activities? WebEx, Skype, Teams, Zoom, Jitsi, WhatsApp, Houseparty or Hangouts / Meet? How safe is it to have these products installed on your computer or mobile, and to use them?
All applications have vulnerabilities.
In recent days the topic is hot because there has been much news about security vulnerabilities discovered in one of these specific products, Zoom. This news has created such an alarm that some media have classified it as malware (malicious software) and many companies and institutions have prohibited its use. Is this alarm justified? Are the vulnerabilities discovered so critical? Are the alternatives to this product much safer?
We are going to focus on design vulnerabilities, those introduced when the software is developed. There is a public database called CVE (Common Vulnerabilities and Exposures) in which the weaknesses that the security research community discovers in different software products are published.
According to this list, since 2016 WebEx has had one vulnerability (critical), Skype 6 (1 of them critical), Zoom 2 (none critical; the ones discovered this week are not yet listed), WhatsApp 8 (half of them of moderate criticality) and Jitsi 1 (not critical). These vulnerabilities are the ones that manufacturers fix through the patches and security updates that we all have to install on our devices from time to time.
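Counts like the ones above depend on two choices: the cut-off date and the severity band used for "critical". The following added example (not from the original article) shows how such a per-product tally is derived from CVE records using the CVSS v3 qualitative severity scale; the records and product names are constructed placeholders, not real CVE entries.

```python
"""Tally CVEs per product since a given year, bucketed by CVSS v3 severity."""
from collections import defaultdict
from dataclasses import dataclass

# CVSS v3.x qualitative rating scale: floor score -> label (checked high to low)
CVSS_V3_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity label."""
    for floor, label in CVSS_V3_BANDS:
        if score >= floor:
            return label
    return "none"


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    product: str
    published: str  # ISO date, YYYY-MM-DD
    cvss_v3: float


def count_by_product(records, since_year: int) -> dict:
    """Return {product: {severity: count, 'total': count}} for records published
    in or after since_year; older records are ignored, as in the article's '2016' cut."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if int(rec.published[:4]) < since_year:
            continue
        counts[rec.product][severity(rec.cvss_v3)] += 1
        counts[rec.product]["total"] += 1
    return {product: dict(bands) for product, bands in counts.items()}


# Constructed sample records with placeholder IDs (not real CVEs or products)
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "videoconf-app-a", "2015-11-02", 9.8),  # before cut-off
    CveRecord("CVE-0000-0002", "videoconf-app-a", "2018-03-14", 9.8),  # critical
    CveRecord("CVE-0000-0003", "videoconf-app-a", "2019-07-01", 5.3),  # medium
    CveRecord("CVE-0000-0004", "videoconf-app-b", "2017-05-20", 7.5),  # high
    CveRecord("CVE-0000-0005", "videoconf-app-b", "2020-04-01", 3.1),  # low
    CveRecord("CVE-0000-0006", "videoconf-app-b", "2016-01-01", 9.0),  # critical (boundary)
]

if __name__ == "__main__":
    for product, bands in sorted(count_by_product(SAMPLE_RECORDS, 2016).items()):
        print(product, bands)
```

Changing the threshold (for example treating "high" as critical) or the cut-off year changes the headline numbers, which is why tallies from different sources rarely agree.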
These security holes can affect us by causing problems such as the following:
Put at risk the confidentiality and integrity of the communications we make (chat, screen sharing, voice, etc.). For example, if encryption is not used or is not done well, a malicious third party could access or even modify our conversations (deleting or adding elements).
Hinder or prevent availability: there may be a denial of service, so we could not access the application or some of its features.
Cause impacts on access control, so that we could not control who accesses a private room or meeting (there could even be hijacking of the call, or the phenomenon known as bombing).
Facilitate a third party to impersonate a user within a room or meeting.
Cause problems with camera or microphone permissions, for example allowing someone else to control them.
But the critical vulnerabilities are those that allow a third party to take control of our computer and execute any code on it without our permission. Those are the ones that should concern us. And let’s be clear: Zoom doesn’t seem to have any of these unsolved at the moment.
What about privacy?
Another essential aspect is ethics. Most of these video call applications potentially have access to our personal and professional communications, the personal data of the people who connect, our microphone and camera, our files, etc.
In privacy, we are concerned with aspects such as minimization, decoupling or transparency and control. All of them are treated very lightly in most of the products mentioned.
If we carefully read the conditions of use and the privacy policies that we accept, we will often be shocked to discover that our conversations can be heard, recorded and shared with third parties, including our contacts. And in principle, with our consent.
Many of the apps mentioned, for example, Zoom or Houseparty, have had such a bad press for their privacy policies that they have had to be changed multiple times in the past few weeks.
Conclusion: should we stop using these apps?
In security and privacy, it is usually not a good idea to demonize a specific product or solution. There are few absolute truths and many nuances. In the case of Zoom, the number of calls per day multiplied by 20 in a single week. This increase in the volume of users, and the particular interest aroused by everything to do with this tool, have brought many of its problems to light.
But the company doesn’t seem to be reacting badly. In essence, it has been transparent in its management, it has solved most of the vulnerabilities found, and it has blocked new features for 90 days to focus on improving what they already have as much as possible. Therefore, it does not seem necessary to prohibit its use in most of the contexts in which it is used.
Now, it is clear that neither this tool nor most of the ones we use daily would be adequate for sharing military secrets (the level of security would not be sufficient) or for use in educational contexts where those who connect are minors (the level of privacy would not be appropriate either), to give two easy-to-understand examples.
In business environments where confidentiality or privacy is important, there are often budgets that allow developing, deploying or contracting alternatives that guarantee robust end-to-end encryption, authentication of people connecting, etc. This does not mean that these solutions are 100% safe; they also have their vulnerabilities.
As for educational institutions, since they usually do not have that much budget, things are more complicated. Almost all of them are choosing to use Google or Microsoft platforms through specific agreements, but this is not the perfect solution. Many aspects of these agreements will have to be reviewed once this exceptional situation is over, because the privacy of minors is at stake.
What then can we do to protect ourselves?
The first step is to think about the use that we are going to give to video calls: personal or professional? Will sensitive data be shared? Are minors going to participate? Answering these questions can help us rule out some solutions directly and find more suitable ones.
Nor is it enough to install an app once and forget about it; you have to keep updating it as patches and new versions emerge, so as not to leave software with a security hole on your device. And when all this is over, do we need to keep 20 of these apps installed? Perhaps some can be uninstalled because we are not going to use them again.
As for home use with minors, if they are well configured and not left alone, using some of these apps has similar implications to using YouTube, any social network, online games, etc. Data is collected about them, but practically the same as all the other applications we use daily. Parents should accompany them and make them aware of the risks they are taking.
Finally, when we have to install any new application, we must always do it from the official site, which we must have reached by our own means. We should not click on a link that has been sent to us through social networks or that we have found on some website. The problem is that, in many cases, we download applications from malicious sites, and they come with a surprise in the form of malware. In that case we do not have a security issue because of a design vulnerability, but rather because of a social engineering vulnerability.