Here is my view on Zoom:
You are either going to use video teleconferencing or not. And if you use it you are going to use a system with vulnerabilities. So your best bet from a security perspective is to use one where the company is proven to take rapid action to address problems, like Zoom.
More On Why:
I’ve been involved in security and enterprise technology since the early days of the Internet. I continue to track issues and actions of security, and know as well as others that there are some serious issues we all have to deal with. Governments, Big Businesses, Small Businesses, Non-Profits, Academia and home users are all in the same boat. Since all are connected to the Internet, all are targets of criminals, hackers, miscreants and even, at times, hostile nations.
Now that my perspective on tech spans decades, I can state with confidence that some characteristics of cybersecurity are very slow to change. One is that every program that is complex enough to do something worthwhile will have vulnerabilities. I don’t mean to make excuses for vulnerabilities. I don’t like them, and I know that through best practices, testing, bug bounty programs and red-teaming, the risk from vulnerabilities can be mitigated, somewhat. But the fact is that every software package you can buy has vulnerabilities.
The Vulnerabilities
What I have seen is many exaggerated claims of horrible vulnerabilities, followed by lots of pot-shots from journalists and then pile-on attacks by people in the cybersecurity community, including many who never really read or analyzed the vulnerabilities themselves.
There are some serious vulnerabilities. Many have already been addressed by the firm. Others have been acknowledged by Zoom and are being worked on. Many can be mitigated by making sure you put a password on your video sessions.
Overreaction By Enterprises and Government:
I have had friends in government agencies say they are banning use of Zoom. Another friend at a major security non-profit said he forbids it now. Google just announced they are banning its use. It looks like fear is driving decisions, with none of these organizations seeming to realize that there are vulnerabilities in every telecommunications package. But with Zoom we know they are being addressed by a company that cares and wants to fix them.
Reaction By Zoom:
Over time I have learned to observe the behaviors of companies when those vulnerabilities are discovered. Over the past two weeks we have all been able to observe how Zoom responds to vulnerabilities and a huge onslaught of criticism. As an example of how they approached this, see:
https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
Opinion:
There were clearly vulnerabilities, and watching the action of Zoom during this makes me feel confident that the firm takes them seriously.
Remember that there is no such thing as perfect security. There is risk in any system, including any video collaboration platform. Do not discuss anything on Zoom that you consider extremely sensitive (use a system like Wickr for that). But feel confident that an adversary would have to mount a pretty significant attack against Zoom to get any of your info. They may or may not have to mount as hard an attack against any other commercial video collaboration platform.
Which brings me back to this:
You are either going to use video teleconferencing or not. And if you use it you are going to use a system with vulnerabilities. So your best bet from a security perspective is to use one where the company is proven to take rapid action to address problems, like Zoom.
So, for me, after a career of watching cyber vulnerabilities, attacks and mitigations, Zoom remains my video solution of choice.