As Zoom’s popularity has exponentially increased in recent weeks due to the mass migration to remote work, reports on security flaws continue to trickle out. Former NSA hacker Patrick Wardle shared with TechCrunch two new security flaws that can be exploited to grant hackers physical control of a victim’s computer. Malicious code can be injected into a computer via a Zoom installer to gain root access—the highest level of user privileges.
Digital transformation initiatives carried out across the business world have brought third-party tools such as Zoom into corporate networks. The primary business benefits of these tools, namely the cost and operational efficiencies, have been easy for companies to justify and too difficult to resist. The same reasoning applies to the outsourcing of critical digital infrastructure to managed service providers like Wipro.
But with these tools and services come cyber risks that translate to financial risks. Based on Wardle’s finding, a hacker could use a Zoom installer compromised with malicious code to gain root access to an employee’s computer connected to a corporate network. Once the hacker gains this access, the compromised computer could serve as a platform from which to carry out further attacks on the company, such as ransomware, some of which could disrupt core, increasingly digitized business operations. Business disruption attacks like ransomware are resulting in billions of dollars in financial losses for impacted companies and have become increasingly common in the past two years.
At a deeper level, corporate adoption of digital tools like Zoom, which has further accelerated in recent weeks amid COVID-19 disruptions, will force companies to reckon with the problem of technologies that lack “security by design.” Companies like Zoom—and Facebook before them—place an emphasis on growth at all costs. This means pushing out products to the public that are not designed with security at the core; security is instead added on after the fact. This has been done because there are no mandated security standards for digital products globally. This is a deficiency that is unique to digital assets, considering the products that are regulated:
Resolving “buggy code” after an incompletely tested product goes live has just been viewed as standard procedure in the “move fast and break things” era. But, in fact, the Zoom story (like the Facebook story before it) is an example of the high risks and hidden costs that result from poor cybersecurity. Along with “move fast and break things” comes “move fast and break other people’s things,” namely corporate networks.