Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Pandemic Shines Security Spotlight on Zoom Collaboration Risks

Pandemic Shines Security Spotlight on Zoom Collaboration Risks

This item in japanese

TechRepublic has reported on a growing number of prominent companies and government agencies which are banning their staff from using Zoom. This is in response to a range of security and privacy shortcomings which Bruce Schneier, security technologist speaker and author, recently described as falling into three categories: "(1) bad privacy practices, (2) bad security practices, and (3) bad user configurations." Zoom has responded to their users with a public letter by CTO, Eric Yuan. Yuan described the company’s drive to educate users about Zoom’s current security settings and also committed to a feature-freeze while focusing on security issues.

In response to the current backlash, Zoom recently published their 90-Day Plan to bolster privacy and security initiatives. Zoom explained that they are collaborating with Alex Stamos, Facebook’s former chief security officer, on a 90-day "comprehensive security review" of their platform. Zoom described that they expected Stamos to aid in implementing "controls and practices that are best-in-class." Despite this, TechRepublic’s report stated that the Taiwanese government, Google, Nasa, SpaceX, and the Australian Defence Force have all banned the use of Zoom for their employees.

Former NSA security researcher Patrick Wardle recently went into detail about two severe vulnerabilities which he uncovered in Zoom, allowing bad actors to take advantage of privilege escalations on a user’s computer. Zoom has recently fixed both of these issues in their April 2nd release. Wardle demonstrated that the Zoom installer could be used by a "malicious party," including other malware, to gain additional privileges to a computer. The other vulnerability was demonstrated as allowing a "malicious party with local access," such as existing malware, to "gain access to a user’s webcam or microphone." Wardle revealed that zoom circumvented user approvals and made use of Apple APIs deprecated due to security concerns.

Schneier also wrote about the recent revelation that Zoom's website's claim of using "end to end encryption," as it is commonly understood, may be misleading. He explained that Zoom only provides transport layer security which "means everything is unencrypted on the company's servers." At the current time, Zoom’s website has clarified this by modifying its wording from "secure a meeting with end to end encryption" to "secure a meeting with encryption."

Schneier also highlighted a recent study by researchers at the University of Toronto’s Citizen Lab on the strength of Zoom’s transport layer encryption. The report states that "Zoom has "rolled their own" encryption scheme, which has significant weaknesses." The report’s authors Bill Marczak and John Scott-Railton demonstrated that contrary to Zoom’s claims of using a strong "AES-256" encryption scheme, the application’s video streams actually use a single "AES-128 key" in "ECB mode." The researchers wrote that this is "not recommended because patterns present in the plaintext are preserved during encryption." The researchers also stated that:

AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.

Zoom is also currently facing a class action law suit in the state of California by a user impacted by Zoom’s sharing iOS user data with Facebook, even for non-Facebook members. News of this privacy concern was broken by Motherboard’s discovery of Zoom’s iOS application leaking private data to Facebook. A recent report by Vice quoted Zoom’s claim they were not aware of the data collected by Facebook’s SDK and that they rapidly fixed this. Schneier severely reprimanded this unfamiliarity with the behaviour of their own application, stating that Zoom’s "response should worry you about its sloppy coding practices in general."

The Verge recently reported on a fix for a similar data privacy issue involving LinkedIn which was released in response to a New York Times report revealing that Zoom was harvesting LinkedIn data for users. Personal details of users with anonymous identities were made available to meeting hosts.

In a recent piece titled "Zoom, Google Hangouts attract phishing and malware hackers: how to protect yourself," Kimberly Gedeon of Laptop Mag presented a graph by Check Point Research showing that the covid-19 pandemic has been accompanied by a sharp rise in the number of domains registered containing the word "zoom."

Check Point Research demonstrate a sharp rise in registration of domains containing zoom

Gedeon wrote that there has been an "uptick of pandemic profiteer" bad-actors targeting Zoom users through phishing attacks. According to Gedeon, while focus had been placed on Zoom users, Check Point researchers had "also discovered that opportunists were capitalizing off other popular conferencing platforms such as Google Hangouts and Google Classroom."

TechCrunch reported that one of the motivators for the Australian Defence Force’s ban was a "zoombombing" by an Australian comedian during one of their meetings. TechCrunch has also reported on other zoombombings, citing the example of a Happy Hour between Verge reporters being gate-crashed by uninvited screen-sharers "bombarding" attendees with "disturbing imagery." Schneier wrote that:

Turns out that Zoom didn't make the meeting ID long enough to prevent someone from randomly trying them, looking for meetings. This isn't new; Checkpoint Research reported this last summer. Instead of making the meeting IDs longer or more complicated -- which it should have done -- it enabled meeting passwords by default ... there are now automatic tools for finding Zoom meetings.

A recently tweeted picture by UK prime minister Boris Johnson also revealed the risk of accidentally sharing private meeting IDs. The Verge reported that Zoom has pushed out an update to reduce the risk of such slips. Unlike some of the other risks, zoombombing can be mitigated against by following Zoom’s guidance on securing meetings.

Schneier summarised Zoom’s security advice with the reminder to minimise sharing of meeting IDs, enabling passwords on meetings and using waiting rooms. He also reminded users to "pay attention to who has what permission." Gedeon adds to this the reminder to "update your Zoom software regularly." She also warns users to beware of phishing attacks involving "look-a-like domains and installation files." Schneier wrote:

Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right, you're leaving yourself open to all sort of mischief.

In his letter, Yuan explained that during the period of this current pandemic, Zoom has had to suddenly scale from 10 million users to "more than 200 million" daily meeting participants. He wrote: of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid. We have been working around the clock to ensure that all of our users – new and old, large and small – can stay in touch and operational.

Rate this Article