Posted on 17 April 2020 by Austen Read-McFarland
Wildix vs. Zoom: A Security Showdown
Amid the sudden surge in demand for smart working, one option that’s caught on with literally millions of consumers is Zoom. With its rise to the spotlight, the freemium videoconferencing app has drawn a lot of attention — but not always for the best reasons.
The explanation for Zoom’s popularity is most likely that it does what it says on the label: it provides a fast, approachable means of connecting people over video (albeit without providing the degree of end-to-end encryption it promises).
In a perfect world, this would be all an end-user needs out of a web conferencing app. But the problem is, we’re living in a world full of security and privacy threats.
This means using Zoom poses enormous problems for businesses and individuals alike. Because, at the end of the day, Zoom does very little to keep you safe from those threats. In fact, it even does a whole lot to make you more exposed to them.
Let’s dive into all the ways Zoom gets security and privacy wrong — and what Wildix does instead.
Unsecured, Inside and Out
A well-known exploit in Zoom is the ability for strangers to enter videoconferences uninvited. In fact, the practice is so common it’s been given its own name: “Zoombombing,” a term which even the FBI has recognized after having to step in to warn about the attacks.
This issue has garnered attention because of the shocking disruptions Zoombombers cause: shouting obscenities or even screensharing sexually explicit material, they aim to disturb attendees as much as possible and make their harassment all anyone can focus on.
These intrusions were made possible largely through Zoom’s lax approach to conference security. The big issue is that Zoom’s conference URLs all use a simple nine- to eleven-digit numerical code, making it easy for malicious agents to enter a conference room through brute-force hacking — meaning that Zoom conferences can easily be disrupted even if their room invite is kept secret. Further complicating matters is that, until recently, Zoom’s preventive measures against such disruptions, such as password locks and waiting rooms, had been turned off by default.
All this suggests that Zoombombing is not the result of user error, but of poor design. Practically speaking, a program’s security is only as good as the average end-user can be expected to maintain it. Consequently, it’s essential that communications software is secure automatically, without the need for endless user guides and video tutorials.
Yet what we see in Zoom is just the opposite; instead of the program ensuring users are safe on its own, the program makes it the user’s responsibility to understand the platform in perfect detail or else be subject to security breaches.
The poor design in Zoom is even more apparent in the app’s rather odd choice of using pre-installation tools in its Apple software. This code, security experts have revealed, allows Zoom to install itself on macOS without user permission — and, alarmingly, is usually seen in malware, not web conferencing tools.
This is a problem not because Zoom itself is malicious, but because it can become an unwitting accomplice for malware. Thanks to pre-installation exploits and the permissions you’ve given the app, Zoom can be leveraged by viruses as a way to record you without your knowledge.
Yes — with Zoom on a MacBook, it’s actually easier for malware to hijack your webcam and mic.
Meanwhile, with Wildix, these vulnerabilities are effectively non-existent.
First off, the issue of unwanted guests entering a conference is solved automatically thanks to a more complex alphanumeric URL. By including both random numbers and letters in conference URLs, the platform automatically makes it exponentially more difficult for intruders to enter (let alone disrupt) a conference.
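As an added illustration of the URL-design point made above (example code written for this article's argument, not Wildix or Zoom code), the following Python compares the keyspace of a nine- to eleven-digit numeric room ID with a random alphanumeric token, and shows what a secure-by-default token generator and policy check look like; the guess rate is a constructed figure.

```python
import math
import secrets
import string

# Alphabets for the two URL designs the article contrasts (constructed example).
NUMERIC = string.digits                               # 10 symbols
ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols


def keyspace_bits(alphabet: str, length: int) -> float:
    """Entropy in bits of a uniformly random token drawn from `alphabet`."""
    return length * math.log2(len(alphabet))


def expected_guess_seconds(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Expected seconds for a brute-force attacker to hit one specific room ID,
    assuming no rate limiting; on average half the keyspace must be tried."""
    return (len(alphabet) ** length / 2) / guesses_per_second


def generate_conference_token(length: int = 12, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a room token with the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(token: str, alphabet: str = ALPHANUMERIC, min_bits: float = 64.0) -> bool:
    """Secure-by-default check: token uses only `alphabet` and carries >= min_bits."""
    return all(c in alphabet for c in token) and keyspace_bits(alphabet, len(token)) >= min_bits


if __name__ == "__main__":
    rate = 1000.0  # guesses per second, a constructed figure for illustration
    for name, alphabet, length in (("9-digit numeric", NUMERIC, 9),
                                   ("11-digit numeric", NUMERIC, 11),
                                   ("12-char alphanumeric", ALPHANUMERIC, 12)):
        bits = keyspace_bits(alphabet, length)
        days = expected_guess_seconds(alphabet, length, rate) / 86400
        print(f"{name:22s} {bits:5.1f} bits, expected brute force ~{days:.3g} days")
    print("sample token:", generate_conference_token())
```

Rate limiting and per-room passwords reduce the attacker's guess rate further, but the keyspace comparison shows why the alphanumeric default matters even without them.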
As for malware, that problem is solved through browser-based design. By running through WebRTC, Wildix requires your explicit permission to use your mic and webcam from new web domains. But more importantly, the program is exceptionally difficult to hack in the first place thanks to the near-impenetrable design of WebRTC.
As far as security is concerned, Wildix operates efficiently and transparently from the word go.
Zoom, meanwhile, utilizes design that keeps users in the dark about its security operations.
A Not-So-Private Branch Exchange
Zoom’s secretive approach to its functionality has also extended to their privacy policy, which cybersecurity expert Doc Searls described as “creepily chummy” with ad tracking companies.
Per a complaint by Consumer Reports, Zoom’s long-standing privacy policy allowed the software to not only store the data it captures during a videoconference — which includes anything from your face to the objects in your call’s background — but to then sell your data to the marketing sector.
While, thankfully, this practice has ended with Zoom’s latest privacy policy, it’s still concerning why such a policy was ever included, considering a competent web conferencing developer ought to be making money off their proprietary software, not by mining data.
Yet more concerning still is the way Zoom handles video recordings of conferences. As revealed by the Washington Post, when Zoom stores a recorded conference, the service defaults to saving the file to a public URL — so public, in fact, that Zoom’s recordings can be found through a simple Google search.
By default, Zoom quite literally puts conferences out for the entire internet, and thus the entire world, to see. While user settings and custom names can again add a layer of privacy to these recordings, it is nevertheless mind-boggling that such a lack of security is possible at all.
More worrying still, your Zoom account may not be safe even if you skip recording your conferences. Since January 2020, databases containing Zoom account names and passwords have been circulated and sold on the dark web. As Zoom took on more and more users, that database has only grown larger and more valuable to hackers, meaning there’s all the more reason for new accounts to be exposed.
With Wildix, these privacy issues are outright nonexistent. Wildix does not store any video communications for ad tracking purposes — in fact, since the app works directly from browser to browser, it’s impossible to intercept or save such data, even for Wildix technicians. Recorded conferences are also private by default, since they’re given a complex, randomly generated URL that’s inaccessible from the outside web.
Again, privacy is the built-in, automatic default with Wildix. With Zoom, meanwhile, the responsibility for protecting privacy is once again relegated entirely to the end-user.
The Takeaways
To Zoom’s credit, the company has taken active notice of their system’s flaws. As of April 1, 2020 — not long after undergoing investigation by the New York Attorney General — they announced they would suspend feature updates for 90 days to focus on existing security issues.
This announcement came in an apology for Zoom’s security flaws issued by the company’s CEO, Eric Yuan, which also highlights why the product was released with such defects at all. In the post, Yuan states that the number of active users on the platform “far surpass[ed]” what the company expected to ever host, and that Zoom “was built primarily for enterprise customers – large institutions with full IT support.”
Yuan is certainly correct, though more through omission than admission. With all the security issues that have come to light, perhaps it’s appropriate to say Zoom should be used only in conjunction with an internal tech team — provided said team is large enough to devote much of their working hours to upkeep on the program.
Of course, the underlying implication of this point is equally correct: for small to midsize businesses, and even for individuals, Zoom is not a worthwhile, purpose-built solution.
This seems to be a conclusion shared by New York City public schools, which are now dropping the platform, and by self-described “public interest technologist” Bruce Schneier, who wrote about the software’s issues at length. Princeton computer science professor Arvind Narayanan, meanwhile, outright calls Zoom “malware.”
If there’s anything to take away from these examples, it’s that security must be integrated into communications platforms. Since user error is guaranteed to happen, safety must always be active in the solution, not something that can be casually flipped on or off.
We’ve often talked about how being secure by design is an integral part of the Wildix solution. With Wildix, security is not simply a setting that you have to turn just right or else be exposed to threats — security works automatically as soon as you start using the platform. Here, there’s no need to choose between convenience and security, because Wildix gives you both.
In fact, what we’ve seen is that nothing makes a solution inconvenient quite like a lack of security. As Zoom’s example shows, once you lose security, you lose usability.
After all, no solution is less usable than one that puts you and your organization at risk.
The Breakdown
| | Wildix | Zoom |
| --- | --- | --- |
| Invite-only videoconferences | On by default | Opt-in |
| Downloadable recordings | On by default | Opt-in |
| Conference URLs | Alphanumeric (more combinations, harder to guess) | Numeric-only (fewer combinations, easier to guess) |
| Kick or mute conference attendees | Yes | Yes |
| Recorded conferences | Private only | Public or private |
| Installation | N/A, used in browser | Uses pre-install exploits to save clicks |
| Webcam and mic access | Given only to Wildix in-browser app | Given to standalone Zoom app and any programs that access it |