Singapore has suspended the use of video conferencing app Zoom for conducting remote classes after reports emerged that a Zoom teaching session was breached and obscene images were posted on it, the Straits Times reported. This development comes right after Singapore’s Ministry of Education directed schools and colleges in the country to shift to full-time home-based learning, starting from April 8 until May 4. The suspension isn’t permanent but is precautionary, and will reportedly remain in effect until Zoom addresses its security issues. Recently, New York City had also banned the use of Zoom for remote teaching due to security concerns, TechCrunch reported.
Singapore has asked teachers to adhere to security measures during the home learning period while using such video conferencing services, by having “secure log-ins” and sharing meeting links only with students. It is also working with Zoom to improve its security, according to the Straits Times, which also pointed out that the Singapore government has used Zoom to hold press conferences.
“Zoombombing” has become a major sore point for the service ever since it saw a surge in users — which ballooned from 10 million to 200 million in a matter of months — following lockdowns around the world to combat COVID-19. The Zoombombing in the Singapore case happened despite Zoom enabling passwords and virtual waiting rooms by default for Free Basic and Single Pro users. It had claimed that this would “prevent unwanted participants from joining your meeting or webinar”.
Scrutiny over Zoom’s security measures increasing
On April 8, Senators Elizabeth Warren and Edward Markey wrote to Zoom raising privacy concerns over how the platform handles children’s user data, especially that of children under the age of 13. Zoom’s security issues have also led Taiwan to bar any official use of the platform. The US Senate has asked members to avoid using Zoom given its security flaws. Germany’s Foreign Affairs Ministry has also directed employees against using Zoom. Apart from governments prohibiting, or advising against, the use of the service, Google banned the use of Zoom on company-owned employee devices.
Zoom, for its part, has created a Chief Information Security Officers Council to advise it on issues of security and privacy. It also announced a feature freeze to address those issues. Here are some of Zoom’s security issues in the last few weeks:
- On April 8, Motherboard reported that several hackers are showing interest in so-called “zero-day” exploits, which take advantage of vulnerabilities that have not been disclosed to anyone. The report says that the hackers are trying to sell these exploits to the highest bidder, which means there could be risks in the app that cannot be patched until the attacks actually happen. The report does not name any of the hackers.
- On April 3, the Washington Post reported that several video call recordings were left on the open web, with no password required to access them. The videos included classes and therapy sessions.
- On April 2, the New York Times reported a feature where even anonymous participants in a call could siphon off LinkedIn data about other participants without their knowledge. Zoom later removed this feature.
- On April 1, researchers discovered a vulnerability where Windows users could have their operating system’s login password stolen through a malicious link sent in chat. CEO Yuan said that this issue has been patched.
- On March 31, The Intercept reported how Zoom was misleadingly claiming that calls were end-to-end encrypted, when they were not. The company later changed the language to say that “Your client connection is encrypted”.
- On March 31, security researcher Felix Seele discovered that Zoom’s macOS installation package was working around Apple’s requirements for installing apps by just extracting a compressed archive directly into Apple computers’ Applications folder, a tactic commonly employed by malware, and not legitimate software companies. CEO Yuan responded on Twitter and a fix was rolled out two days later.
- On March 30, New York’s Attorney General Letitia James sent a letter to Zoom questioning its data privacy and security practices, the New York Times reported.
- On March 26, a Motherboard investigation found that Zoom was sending user data to Facebook even if users were not logged in via the social media platform or did not have an account there. Zoom updated the app to remove the Facebook Software Development Kit that was causing this data leak.