The COVID-19 outbreak has driven a surge in online video conferencing. Businesses are using platforms, like Zoom, GoToMeeting, WebEx, and Microsoft Teams, to continue business as usual with a remote workforce.
This move to videoconferencing has created privacy issues for many companies as the need to rapidly transition to telework caused a lack of due diligence in vetting video conferencing providers. This article, part of a series of research pieces designed to provide clarity regarding the security of mainstream communication platforms, highlights a number of security issues discovered in the Zoom platform and their impacts on data security.
Security Analysis Finds a Number of Zoom Security Risks
The valuation of the Zoom video conferencing platform has soared as companies and individuals have increasingly used it during the COVID-19 outbreak. With this popularity came additional scrutiny, which discovered a number of security issues with the platform
Are your conversations encrypted? not for Zoom’s staff… A “Different Interpretation” of the meaning of End-to-End Encryption
Zoom claimed to offer end-to-end encryption of video meetings, but their definition was apparently “different” than the industry standard. In theory, end-to-end encryption means that traffic is encrypted end-to-end, so that only authorized users can view it, not any eavesdroppers (including the hosting platform).
In Zoom’s view, “end-to-end encryption” meant that traffic was encrypted between each user and the Zoom server, using common protocols such as TLS.
This enables Zoom to gain access to users’ videos at any time.
Data Security Challenges in China
Some Zoom servers are located in China, and calls were “mistakenly” through Chinese servers even if no members on the call were located in China. This may mean that the company was legally required to turn over any videos passing through these servers to the Chinese government.
Additionally, the encryption keys used to secure Zoom meetings are created on servers located in China. This means that the Chinese government could legally force Zoom to hand over these encryption keys, allowing them to decrypt intercepted Zoom meetings.
Leaking Emails and Photos
Zoom is designed to make it easy for members of the same organization to find each other on the platform. To do so, it includes the functionality to search for other members with the same domain name in their email address.
However, this policy created a problem for some users registering accounts with personal email addresses. While well-known providers, like google.com, were appropriately handled, others were not. This allowed Zoom users to search for the email addresses and photos of other users of the same private email hosting provider.
Windows and Mac Zoom Vulnerabilities
Zoom’s popularity during the COVID-19 outbreak resulted in increased scrutiny by security researchers. Within a couple of weeks, vulnerabilities were detected that could impact user security on both Windows and Mac platforms.
On Windows, the Zoom software included a UNC vulnerability. If a Windows user clicks on a link to a file stored on a remote SMB server, their computer will send their username and password hash to authenticate to the remote server. A malicious link dropped in a Zoom chat window, which an attacker could access via Zoom bombing, could provide a cybercriminal with a number of usernames for phishing attacks and password hashes for offline cracking. Since this vulnerability was disclosed, Zoom has patched the UNC bug.
Mac users were not immune to Zoom security threats. A couple of bugs on the platform would have allowed cybercriminals to install malware on the user’s machine, using a malicious Zoom installer, or gain control over the computer’s microphone and webcam.
Insecure Meetings and “Zoom Bombing”
“Zoom bombing” refers to unauthorized users joining a meeting and displaying inappropriate images or using foul language. This design flaw could also allow an unauthorized user to join and eavesdrop on Zoom meetings, providing access to sensitive information.
This attack is enabled by Zoom’s lax privacy settings on meetings, which do not require a password to join or enforce a “waiting room” for participants. To join most Zoom meetings, all that is required is knowledge of the Zoom URL, which typically consists of the company’s Zoom address (their domain name followed by “zoom.us” or similar) and a nine-digit code. Gaining access to this URL is fairly simple as it is often posted on social media or can be found through random guessing.
The rise in Zoom bombing has led the FBI to label it as a crime that could lead to fines or jail time. Additionally, Zoom has enabled waiting rooms in meetings by default to make this attack more difficult.
The Need for Secure Video Conferencing
Zoom has responded well to the discovery of a
large number of security issues on their platform, apologizing for messing up
security and rolling out fixes for many of the discovered issues. However, the sheer number of issues found so
quickly suggests that more could remain undiscovered, making the need for a
more secure conferencing platform apparent.