Can Zoom Be Hacked?

Yes, Zoom can be hacked. But not because it’s “Zoom.” And not that the other remote collaboration providers CAN’T be hacked – they all can. The problem is vulnerabilities and the likelihood and impact of their exploitation.

Vulnerabilities can exist at all levels within a system or application: within the app itself and within the underlying components that host the application. They can even exist within the people that support and use the application.

Recently Zoom had two vulnerabilities brought to light that they worked very hard to patch. In the scheme of things, neither vulnerability was all that bad (relative to some others like heartbleed & some of the RDP/SMB vulnerabilities we’ve seen in years past). They just happened to be announced at a time when the world had shifted pretty heavily to using Zoom on a pretty constant basis.

Shifting from vulnerabilities to configuration (including identification/authentication), Zoom doesn’t require every individual connecting to a meeting to identify/authenticate themselves before joining a meeting. …it was never intended to. It was intended to bring multiple people together into a meeting (in which the Host would identify & authenticate, but not all participants). The one issue was the default configuration for a meeting – Zoom’s default config didn’t require a password to protect the meeting. Now it does by default.

And there’s one last thing about the Zoom service – encryption. The communications for a client device connecting to the Zoom service over the internet is encrypted. So what is sent to Zoom is protected (as long as we trust the capabilities of our TLS protocols and Certificate Authorities). On the back end of the Zoom service, I’m not so sure. All I can say about that is, if you’re passing information with regulations behind it (like HIPAA or FISMA), I’d suggest using other services that have earned FedRAMP certifications (or certs associated with your field).

Otherwise, Zoom provides decent security to support their privacy claims. So, while, yes, it can be hacked. It’s no more susceptible to being hacked than anything else – it may just be a huge target right now.