A lot happened in 2020, and almost no story rode the rollercoaster like the story of Zoom's security issues and updates. Read the most current information on this topic: Update - Zoom: Is it Safe?
Zoom is a cloud-based video conferencing platform that allows users to perform video calls, chat, telecommute, participate in distance education, and virtually interact with other Zoom members. Zoom has become as essential tool for many individuals and organizations during the COVID-19 crisis, seeing a significant increase in usage the last few months. As most people are working from home, businesses and individuals are seeking a communications service that is efficient and easy to use.
Zoom was hosting 10 million users before the COVID-19 pandemic, now the number has increased to 300 million meeting participants. This increase in usage has also placed Zoom under the microscope, revealing numerous security and privacy issues.
Zoom Security Issues
Zoom initially claimed that its video call data was “end-to-end” (E2E) encrypted, meaning that the data was encrypted at all times during transit so that not even Zoom could access call data. The utilization of end-to-end encryption turned out to not be the case, Zoom admitted. The encryption used to secure Zoom call data was actually transport encryption, meaning the encryption works the same way your web browser encrypts data between the web server hosting the website and your computer. Transport encryption allows Zoom to access unencrypted video and call data, whereas end-to-end encryption wouldn’t allow Zoom to access the data at all (think LastPass or Signal).
To pile onto the E2E encryption issues with Zoom, Citizen Lab identified several Zoom servers in China issuing encryption keys to Zoom users in other countries. Without true E2E encryption, those Zoom servers can decrypt Zoom meetings. The Chinese government could compel the operators of those servers in China to hand over the data, which is bad news for anyone discussing trade or government secrets being routed through those Zoom servers.
Additionally, Zoom’s installation executable was found to operate questionably in multiple instances. One version of the Zoom installer – not an official release from Zoom itself, but rather download from an non-Zoom website - contained malware: Zoom version 22.214.171.124 was bundled with a digital coin-miner that Trend Micro identified as Trojan.Win32.MOOZ.THCCABO. Another version of the Zoom installer bypassed security controls by utilizing administrative credentials on Mac Operating Systems without final user consent.
Hackers are also selling a critical Zoom zero-day Exploit for $500,000. Two zero-day vulnerabilities were found for Zoom, one for OSX and the other is for Windows. A zero-day vulnerability is an unknown vulnerability in software or hardware that hackers can take advantage of. The Windows vulnerability is a zero-day Remote Code Execution exploit. This vulnerability allows hackers to access the application and the user’s computer, but a source does say that a hacker must be in a Zoom call with their intended target. The MacOS vulnerability is not as dangerous as an RCE vulnerability. More details have not been released.
Numerous other Zoom security and privacy flaws have been identified, including:
- An account hijacking vulnerability
- File-sharing vulnerabilities
- Email address leaking
- Zoom’s chat function allows an external Zoom user to find the full names and Chad IDs of any registered Zoom user for an organization’s email domain
Additional Zoom Issues
Zoombombing is another reason why users should be cautious when using Zoom. Zoombombing is a new type of harassment in which hate speech, pornography, and other inappropriate content is suddenly flashed by disrupting a video call on Zoom. Zoombombing occurs when a Zoom call is not properly made private by changing default Zoom call settings, like utilizing a unique meeting ID rather than a personal meeting ID, enabling the “Waiting Room” feature to explicitly grant attendees access to a meeting, and by limiting the ability for attendees to share their screen.
Zoombombing has led to various school districts, like New York City, and companies, like SpaceX, to ban the use of Zoom.
530,000 stolen login credentials have been reported being sold for pennies in the dark web, which includes personal emails and credentials. These accounts were discovered by an independent security firm and verified by NBC News. These credentials could lead to an individual accessing a personal meeting room and inviting people to join the meeting, which can open the door to hackers exploiting a user’s contacts by sending them malware through Zoom invites or creating scenarios to extort them.
While stolen credentials are likely due to user password reuse and not directly Zoom’s fault, Zoom is certainly capable of proactively scanning for stolen credentials and alerting users that their credentials may be compromised.
Zoom is Addressing the Problems
Zoom has been working hard to mitigate these security issues and provide a better level of security and privacy for its users. Tom’s Guide has done a nice job of providing a list of issues and resolutions, including:
- Zoom 5.0.1 is the most current Zoom release (as of May 7th), resolving many of the aforementioned security issues, including stronger AES 256-bit GCM encryption (still no E2E encryption, though)
- Meeting passwords and waiting rooms will be required by default for all Zoom meetings beginning May 9th
- Zoom’s information-scraping (capturing names and Chat IDs) issue has been resolved
- Zoom now alerts users when an external user that is not part of an organization’s Zoom account joins their meeting
- Zoom meeting IDs have been removed from Zoom interface to prevent leaking
- Participants can now be banned and reported
- The account hijacking vulnerability has been resolved
- Server routing to China has been fixed
- The MacOS installer security-bypass issues have been resolved
Is Zoom Safe to Use?
The quick answer to the question of whether or not Zoom is safe to use depends on your intended use of the platform.
If you’re looking for a video conferencing or virtual meeting platform for your business, discussing corporate or government secrets, sharing confidential customer or business information, or disclosing personal health information, it’s strongly advised you avoid Zoom.
For most people who are using Zoom to communicate with their families and friends, the platform is relatively safe. Zoom has been working around the clock and has responded quickly to the security issues that have been reported, as evidenced above, and continues to publish feature, security, and privacy enhancements.
If Zoom continues to listen to its user-base and the security community as the company improves and focuses on security and privacy, the widely-used videoconferencing platform may just become one of the most secure communications platforms available.
Finally, remember that NO online platform is (or ever will be) 100% secure. There is no such thing as a completely secure anything. There will always be risk in using an application, platform, or device connected to the internet. However, there’s always a way to mitigate your risk.
Tips for Using Zoom Securely
If you’re using Zoom already, either for business or personal use, please follow these steps to secure your Zoom meetings:
- Download Zoom ONLY from Zoom itself!
- Use the Waiting Room feature to see who is attempting to join the meeting before allowing access.
- Use a per-meeting ID; do not use the same meeting ID for all your meetings and do not share your meeting ID.
- Keep Zoom software up to date. Zoom has been busy with releasing patch updates to fix important issues.
- Password-protect your meetings.
- Manage your meeting participants. Make sure there is only one host to control the meeting and make sure the host understands how to control participants, screen-sharing, camera, and mute options.
- Join Zoom meetings through your web browser, rather than the desktop application. The web-version of Zoom not only gets updates faster (no installation on the user end), but also sits in a sandbox via the browser and doesn’t have the same permissions to your devices as the application version.
Edin Y. Cardona and Jon Waldman
SBS CyberSecurity, LLC
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.