Zoom Security Review

Zoom has come under a lot of fire for various reasons including a lack of basic user privacy protections and security issues leading to the recent “Zoom-bombing” trend.

Why Zoom?

The recent coronavirus pandemic is forcing people to isolate themselves and maintain minimal interactions with others. However, there are many essential functions like school, government, and healthcare that require collaboration. Almost everyone who can is telecommuting, and many have turned to Zoom for their virtual meetings. 

In the wake of the COVID-19 crisis, Zoom’s simple usability and one-click meetings made it the go-to platform for teleconferencing, causing its user base to explode from 10 million to 200 millions in just a few months. While none of this sounds nefarious yet, the sum is greater than its parts.

The 20x uptick in users and use in critical sectors makes Zoom an enormous target. Its usability-centric design means that there are minimal barriers to joining a call, and now millions of people are bored at home and very familiar with its use. What could go wrong?

Zoom-bombing

Since large numbers of people have begun using Zoom, reports of video-teleconferencing hijacking (also called “Zoom-bombing”) are emerging nationwide. Zoom-bombing is when unwanted users join and disrupt an ongoing call. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. Schools, colleges, businesses, and all levels of government have fallen victim to meeting hijackings. Who are these trolls? Elite hackers? Russian misinformers? No, they can be anyone. From bored highschoolers to hatemongers or ideological extremists. Zoom-bombing has become such a widespread problem that the FBI released a how-to guide for preventing these cyberattacks, suggesting users restrict screen-share settings, password protect all meetings and avoid posting about gatherings on social media.

Most of the bombed meetings were posted publicly. Using basic Google dorks, prebuilt search terms to find specific information, anyone with an internet connection can easily find and join meetings that are posted publicly. 

So why is everyone using Zoom if its security is so lax? The answer: Because Zoom’s security is so lax.

No one likes jumping hurdles. If you give someone the option to set up a video call in 20 clicks vs just one click, which do you think they’ll choose? What would you choose? It’s in our nature to prefer the simplest solution. In times of crisis, many problems can confront us at once and we only have so much bandwidth to deal with all of it. The simplest solution to an immediate need seems like the best way to go, right? 190 million new users chose Zoom, not because it was the most secure option, but because it got out of their way and let them do what they needed.

Our desire for ease of use incentivizes companies to remove as many steps as possible because unnecessary extra steps are viewed as user barriers. If there are too many perceived barriers to a user, they’ll choose a different platform.  

Zoom actually has many security controls to lock down calls, but they’re turned off by default because most users don’t want to deal with them. The Zoom-bombing epidemic is easily mitigated using the waiting room, meeting passwords, invite-only meetings, and participant locking. As many continue transitioning to online lessons and meetings, its recommended that you exercise due diligence and caution in your cybersecurity efforts. 

Transparency, Security, Privacy

One of the greatest criticisms levied at Zoom is its lack of transparency in privacy and security. Zoom’s privacy policy grants them ownership of all data shared through the service and doesn’t restrict their use of it. They may retain video, transcripts, files, and messages from any call. There are also privacy concerns with the application itself. By default, Zoom allows the call host to record the call without consent from the participants. In Zoom’s defense, they do display a “recording” icon and give each user the option to be prompted for consent in their account settings, but they must explicitly configure that themselves. If anyone really wanted to, they could just use screen-recording software and bypass consent, anyway.

Zoom also just recently removed functionality on the Mac client which ran a local web server that interacted with every site a user visited. If the user visited a site with a Zoom embed, it would automatically launch the Zoom client without the user’s permission. Uninstalling Zoom did not uninstall the web server. The web server could then secretly update and reinstall Zoom.

Zoom claimed that calls were end-to-end encrypted in both their white paper and client user interface. End-to-end encryption means that only the participants can decrypt the data and is the gold standard of confidentiality and privacy. However, Zoom also claimed they used Transport Layer Security (TLS) between the client and server, which is not end-to-end. To clear up confusion, CitizenLab conducted independent research of Zoom’s protocols. They found that Zoom used TLS when distributing the encryption keys for the call, and used poorly-implemented, custom cryptography for the data transport. This means that Zoom had the keys to decrypt the call, and the call was potentially vulnerable to attackers. The researchers also noted that several times during testing, the keys were generated by servers hosted in China.

Conclusion

Zoom is in the spotlight because of its gigantic influx of users and the ensuing platform abuse from protagonists. It has adequate controls to prevent unauthorized or disruptive participants, however, due to its history of security and privacy problems, we don’t recommend it for general usage. I wouldn’t trade a few clicks for potential software vulnerabilities or break of confidentiality. Zoom is especially not suitable for communication of sensitive information like student information protected by FERPA, medical information protected by HIPAA, or trade secrets.

Some Zoom alternatives:

Jitsi Meet - Open source video conferencing you can set up on-premise

Google Meet - Google’s enterprise video conferencing solution

Google Duo - Facetime-esque, end-to-end encrypted video chat and conferencing

Microsoft Teams - Microsoft’s enterprise video conferencing solution  

As well Wildcard Corp. has developed a system we built for the FBI (https://sos.fbi.gov) which is a FREE program available to help educators/teachers etc... provide security awareness training to themselves and students alike.

If you or your company have had a security breach such as this and require assistance contact our experts on Cybersecurity and Information Technology at info@wildcardcorp.com