ZOOM's failing security

Convenience over cybersecurity?

*updated: 4/4/20 – **updated: 4/6/20

Zoom in – you may not like what you see.

The popular video conferencing service Zoom has enjoyed spiking popularity, even amid the current global pandemic. But this has brought increased scrutiny of the company’s security and privacy practices, in particular its claim that it uses end-to-end encryption. End-to-end encryption assures that only the participants of a conversation can read its messages and no one in between, not even the company that owns the service; it is also intended to prevent data from being read or secretly modified while it is in transit between the parties. But it turns out that Zoom meetings are not end-to-end encrypted, regardless of what the company has been advertising.

As a recent article by The Intercept reported, Zoom actually uses Transport Layer Security (TLS), the same protocol that underlies HTTPS when browsing the internet. Zoom’s response came a little too late: its use of the phrase “end-to-end” in its white paper referred to the connection being encrypted between Zoom endpoints. This means that outsiders can’t access the data shared during Zoom video calls, but the company itself still can.
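To make that distinction concrete, here is an added example (not Zoom’s code or protocol; the cipher is a toy stand-in for illustration, and the keys and payload are constructed): a relay service terminates each transport hop, so with transport encryption alone it can read the plaintext, whereas with an inner end-to-end layer it sees only ciphertext.

```python
import hashlib
import os

def keystream_xor(key, nonce, data):
    """Toy stream cipher (illustration only): XOR with SHA-256 counter-mode
    blocks. Applying it twice with the same key and nonce restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, data):
    """Encrypt under key; a fresh 12-byte nonce is prepended to the ciphertext."""
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, data)

def open_(key, packet):
    return keystream_xor(key, packet[:12], packet[12:])

def server_relay(packet, sender_hop, receiver_hop):
    """The service terminates the sender's transport hop, as a TLS server does,
    so it must decrypt before re-encrypting for the receiver's hop.
    Returns (bytes the service could read, packet forwarded to the receiver)."""
    visible = open_(sender_hop, packet)
    return visible, seal(receiver_hop, visible)

def transport_only(message, sender_hop, receiver_hop):
    """Hop-by-hop encryption only: the TLS model the post says Zoom uses."""
    seen, fwd = server_relay(seal(sender_hop, message), sender_hop, receiver_hop)
    return seen, open_(receiver_hop, fwd)

def end_to_end(message, e2e_key, sender_hop, receiver_hop):
    """Inner layer under a key only the two participants hold; the transport
    hops still exist, but the service now sees only inner ciphertext."""
    inner = seal(e2e_key, message)
    seen, fwd = server_relay(seal(sender_hop, inner), sender_hop, receiver_hop)
    return seen, open_(e2e_key, open_(receiver_hop, fwd))

# Constructed sample keys and payload (not real Zoom material).
SENDER_HOP, RECEIVER_HOP, E2E_KEY = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
SAMPLE = b"constructed audio frame: quarterly numbers"

def compare():
    """Returns (service's view with TLS only, service's view with E2E, what
    the receiver decodes with E2E)."""
    tls_seen, _ = transport_only(SAMPLE, SENDER_HOP, RECEIVER_HOP)
    e2e_seen, received = end_to_end(SAMPLE, E2E_KEY, SENDER_HOP, RECEIVER_HOP)
    return tls_seen, e2e_seen, received
```

With transport encryption only, the first value returned by compare() equals the original frame; with the end-to-end layer the service’s view is just nonce plus ciphertext while the receiver still recovers the frame.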

Wait, there’s more…

Zoombombing

Trolls are using Zoom’s screen-sharing feature to blast other viewers with awful videos from across the internet – yes, including porn. Meeting hosts beware: Zoom’s policy is that “The host does not need to grant screen share access for another participant to share their screen.” Hosts can, however, disable this in their settings or in the admin controls of a call, either in the pre-meeting Settings or in the in-call admin settings under Share Screen > Advanced Sharing Settings. Great.

Stealing Windows Credentials

For Windows users, the widely used software also has a vulnerability that allows attackers to steal your operating system credentials. Thousands of people are now working from home and connecting to sensitive work networks through temporary or improvised means that don’t have the benefit of the enterprise-grade firewalls found on-premises. This is a dangerous combination.

*Exposing Meeting Recordings

Zoom meeting recordings are apparently named in “an identical way,” and many have been posted to unprotected Amazon Web Services buckets, making it possible to find them through an online search. This has caused thousands of recordings to be exposed on the web and even uploaded to YouTube and Vimeo. The Washington Post said it was able to view recordings of therapy sessions, orientations, business meetings, elementary school classes, and more.

*Routing Calls to China by Mistake

According to researchers at the Citizen Lab, some Zoom video calls that were supposed to stay in North America or Europe for regulatory reasons were inadvertently routed to China. This was due to incorrect whitelisting of Chinese data centers, added to accommodate the dramatic spike in usage in recent months. China is supposed to be an exception, largely because of privacy concerns among Western companies.

Other Major Issues

One discovered flaw lets someone with low user privileges inject a Zoom installer containing malicious code to obtain the highest level of user privileges, also known as “root.” Root-level privileges grant access to parts of someone’s macOS operating system that are typically off-limits to most users, making it easier to run malware or spyware without it being noticed. The second is a flaw in how Zoom handles the webcam and microphone on Mac devices. An attacker can inject malicious code into Zoom to trick it into giving the attacker the same access to the webcam and microphone that Zoom already has. Once the malicious code loads, it will “automatically inherit” any or all of Zoom’s access rights.

Zoom Meeting IDs

A recent find: an automated tool developed by security researchers was able to find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans. The tool could determine a meeting’s link, date and time, meeting organizer, and meeting topic.

Zoom vs The CCPA

The video conferencing company may be facing a class-action lawsuit for passing data to third parties like Facebook without properly notifying users. The suit was filed in a California court on Monday and notes that Zoom’s share price has soared in recent weeks as the coronavirus pandemic forces people to increasingly work from home. The plaintiff alleges that Zoom didn’t safeguard the personal information of the increasing millions of users of its app and video conferencing platform. Business Insider cites the suit’s allegation: “Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, Inc. (“Facebook”), invading the privacy of millions of users.”

** The barrage of criticism over the company’s security policies and privacy practices has been so bad that New York City has officially banned the use of Zoom in schools. City officials released a statement saying that “providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible”. We agree.

Just be on the lookout!

The recent upsurge in telework caused by the COVID-19 outbreak has created a massive need for video communications tools. They are extremely useful for keeping teams together and promoting collaboration and productivity. More importantly, they also allow us to connect with colleagues (and family) during the difficult period of social distancing. With desirable features like multiple video feeds and one-click access to meetings, Zoom quickly became the new hot thing for people and businesses that were new to videoconferencing. However, as we are learning right now, the ease of access and video functionality came at a price. It has now become apparent that Zoom sacrificed key security features in the name of usability.

We recommend using Microsoft Teams

Second behind Zoom in popularity and adoption during the COVID-19-induced telework crisis is Microsoft Teams. Over the last week Microsoft Teams has seen its usage rocket to over 44 million daily active users, an approximate usage increase of 775%.

Microsoft Teams is a unified communication and collaboration platform that combines persistent workplace chat, video meetings, file storage, and application integration. The service integrates with the company’s Office 365 subscription office productivity suite and features extensions that can integrate with non-Microsoft products. We have always been big fans of Microsoft Teams. In fact we fully migrated to the platform a couple of years ago and it has really changed how our staff communicates and collaborates. This has led to great efficiencies in productivity and innovation. Throughout the last year we have also migrated thousands of users to Microsoft Teams and the consensus from our clients is that the communication and collaboration platform has become a must-have business tool for all organizations.

Although Teams video calls do not have some of the most coveted Zoom functionality such as up to 30 video feeds and break-out meetings, we now know that this is because of strict security built into Teams. With that said, at the time of this post, we are happy to report that multiple video feeds (more than 4 that is!) as well as “Breakout Meetings” and “Hand Raise” are on Microsoft’s expedited road-map and we are hoping to see them by the end of the quarter.

Needless to say, we strongly recommend Microsoft Teams for your organization, especially during the COVID-19 teleworking crisis.

Still want to use Zoom? Here are some tips to stay safe…

Some of the security and privacy shortcomings are due to bad “backend configurations” or bad service policies. These types of security risks will ultimately require Zoom to create and roll out patches or service updates, and even changes to their service policies, to resolve them. This is particularly true for the end-to-end encryption issue, the undisclosed sharing of data with Facebook, the exposure of cloud recordings on the web because of the way they are named, and the fact that video calls made in North America were mistakenly routed through China. Simply put, Zoom must step up their security game to address these issues.

With that said, there are some Zoom settings and features that can be enabled to protect your virtual space and video meetings. We’ve put together a thorough list of best practices and recommended feature settings. You can find it here: Securing your ZOOM Meetings.

Stay Secure. Be informed.

Designing, implementing and supporting Modern Workplace technology is what FSi Strategies specializes in. We’ve helped hundreds of businesses implement modern security strategies in support of their missions. We invite you to discover how together, we can leverage the intelligent Cloud for the security and privacy needs of your business.