Zoom Cybersecurity

Over the past few weeks, the use of Zoom video conferencing
software has exploded since it emerged as the platform of choice
to host everything from cabinet meetings [1] to yoga classes amid
the ongoing coronavirus outbreak, with working from home becoming
the new normal.

The app has skyrocketed to 200 million daily users [2] from an
average of 10 million in December — along with a 535 percent
increase in daily traffic to its download page in the last month —
but the scrutiny of Zoom's problems has grown just as fast, and most
of those problems stem from sloppy design choices and security
implementations.

Zoom may never have designed its product for anything beyond
enterprise use, but with the app now being used in a myriad of ways
and by regular consumers, the full scope of the company's gaffes has
come into sharp focus — something it had managed to avoid until
now.

But if this public scrutiny can make it a more secure product, it
can only be a good thing in the long run.

A Laundry List of Issues

Zoom's sudden ascendance as a critical communications service has
left it drowning in a sea of privacy and security flaws.

But is Zoom malware?

As the Guardian reported [3], some experts believe so. But no, Zoom
is not malware. Rather, it's a piece of legitimate software that is,
unfortunately, full of security vulnerabilities, and we are only now
learning about them because the app was never scrutinized this
thoroughly before —

  • Zoom's privacy policy [4] came under criticism for making it
    possible to collect extensive data about its users — like videos,
    transcripts, and shared notes — and share it with third parties
    for profit. On March 29, Zoom tightened its privacy policy to
    state that it doesn't use data from meetings for any advertising.
    It does still use data collected when people visit its marketing
    websites, including its home pages zoom.us and zoom.com.
  • Zoom's iOS app, like many apps that embed the Facebook SDK, was
    found sending analytics data [5] to the social network even if
    the user had no linked Facebook account. Zoom later removed the
    SDK from the app.
  • Zoom came under scrutiny for its "attendee tracking" [6]
    feature, which, when enabled, lets a host check whether
    participants have clicked away from the main Zoom window during a
    call. On April 2, it permanently removed the attendee attention
    tracker. A host can likewise read private text messages sent
    during a call if the meeting is recorded locally [7].
  • Security researcher Felix Seele [8] found that Zoom's Mac
    installer used a "shady" technique to install the app without
    user interaction, using "the same tricks that are being used by
    macOS malware": the installation ran from a pre-install script,
    so the app was installed without the user giving final consent.
    On April 2, Zoom issued a fix for the bug.
  • Researchers discovered a UNC path injection flaw in Zoom's
    Windows app [9]: its chat turned Windows network paths of the
    form \\host\share into clickable links, and clicking one makes
    Windows connect to the remote server and hand over the user's
    Windows login credentials (NTLM password hashes). The same trick
    could be used to launch executables on the victim's machine. A
    patch was issued on April 2 for this flaw and for two bugs
    reported by Patrick Wardle [10] that let a local attacker (or
    malware already running on the machine) gain root privileges and
    access the microphone and camera on macOS, providing a way to
    record Zoom meetings.
  • Zoom was found using an undisclosed data mining feature [11]
    that automatically matched users' names and email addresses to
    their LinkedIn profiles when they signed in — even if they were
    anonymous or using a pseudonym on their call. If another user in
    their meeting was subscribed to a service called LinkedIn Sales
    Navigator, they were able to access the LinkedIn profiles of other
    participants in their Zoom meetings without those users'
    knowledge or consent. In response, Zoom disabled the feature.
  • Vice revealed that Zoom was leaking thousands of users' email
    addresses [12] and photos, and letting strangers try to initiate
    calls with each other. The cause was Zoom's "Company Directory"
    feature, which groups users who share an email domain as if they
    work for the same company; it excludes major consumer providers
    such as Gmail, Outlook, Hotmail and Yahoo!, but not smaller
    personal email providers, so their customers were grouped
    together. Zoom blacklisted the reported domains.
  • On April 3, 2020, the Washington Post [13] reported that it was
    trivial to find video recordings made in Zoom by searching for the
    file-naming pattern that Zoom applies to recordings automatically.
    The videos were found on publicly accessible Amazon storage
    buckets.
  • Researchers created a tool called "zWarDial" [14] that searches
    for open Zoom meeting IDs, finding around 100 meetings per hour
    that were not protected by any password.
  • Zoom's claim that it uses end-to-end encryption [15] to secure
    communications was shown to be misleading: what it actually
    offered was transport encryption between clients and Zoom's
    servers. The company then stated that in a meeting where every
    participant is using a Zoom client and which is not being
    recorded, all content — video, audio, screen sharing, and chat —
    is encrypted on the client and is not decrypted until it reaches
    the other participants. But if one of the value-add services,
    such as cloud recording or dial-in telephony, is enabled, Zoom
    has access to the decryption keys, which it currently keeps in
    the cloud. This also makes it easy for "hackers or a government
    intelligence agency to obtain access to those keys," security
    expert Matthew Green [16] said.
  • Subsequent research by Citizen Lab [17] found that Zoom's
    documentation was also vague about the type of encryption used,
    and that the keys for cryptographic operations were "delivered to
    participants in a Zoom meeting through servers in China, even
    when all meeting participants, and the Zoom subscriber's company,
    are outside of China." The audio and video in each Zoom meeting
    are encrypted and decrypted with a single AES-128 key, generated
    by Zoom's servers and shared among all the participants, used in
    ECB mode. ECB mode [18] is not recommended because every block is
    encrypted independently with the same key: identical plaintext
    blocks produce identical ciphertext blocks, so patterns in the
    plaintext show through in the ciphertext.
  • Zoom CEO Eric S. Yuan responded to Citizen Lab's findings [19],
    stating that given the period of high traffic, they were forced
    to add server capacity quickly, and "in our haste, we mistakenly
    added our two Chinese datacenters to a lengthy whitelist of
    backup bridges, potentially enabling non-Chinese clients to —
    under extremely limited circumstances — connect to them."
  • Then there's Zoombombing [20], where trolls take advantage of
    open or unprotected meetings and poor default configurations to
    take over screen sharing and broadcast porn or other explicit
    material. The FBI issued a warning urging users to adjust their
    settings to avoid hijacking of video calls. Effective April 4,
    Zoom began enabling the Waiting Room feature [21] (which lets the
    host control when a participant joins the meeting) by default and
    requiring users to enter a meeting password, to curb the rampant
    abuse.
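
The UNC path injection bullet above describes a class of bug rather than a specific line of code. As an added illustration, written for this page and not taken from Zoom's client, here is a naive chat linkifier in Go that exhibits the bug next to a hardened one that only linkifies http and https URLs. The chat messages and host names are constructed for the demo, and the regular expressions are simplifications of what a real chat renderer would use.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// Constructed chat messages for the demo (not captured Zoom traffic).
var sampleMessages = []string{
	"slides: https://example.org/deck.pdf",
	`attacker posts \\evil.example\share\notes.docx`,
	`or \\127.0.0.1\C$\Windows\System32\calc.exe`,
	"nothing to link here",
}

// naiveLinkPattern mirrors the bug class: anything that looks like a URL
// or a Windows UNC path (\\host\share\...) is treated as a link.
var naiveLinkPattern = regexp.MustCompile(`https?://\S+|\\\\[^\s\\]+\\\S+`)

// httpPattern is the hardened rule: only http and https URLs become links
// (a scheme allow-list, not a block-list of known-bad patterns).
var httpPattern = regexp.MustCompile(`https?://\S+`)

// uncPattern detects UNC paths so a moderator or log pipeline can flag them.
var uncPattern = regexp.MustCompile(`\\\\[^\s\\]+\\\S*`)

// anchor renders a target as an HTML link, escaping HTML metacharacters.
func anchor(target string) string {
	t := html.EscapeString(target)
	return fmt.Sprintf(`<a href="%s">%s</a>`, t, t)
}

// VulnerableLinkify turns \\host\share paths into clickable links. Clicking
// such a link makes Windows open an SMB connection to "host" and offer the
// user's NTLM credential hash to it, which is the credential-theft path.
func VulnerableLinkify(msg string) string {
	return naiveLinkPattern.ReplaceAllStringFunc(msg, anchor)
}

// SafeLinkify applies the allow-list; UNC paths stay inert text, so there
// is nothing for the user to click.
func SafeLinkify(msg string) string {
	return httpPattern.ReplaceAllStringFunc(msg, anchor)
}

// ContainsUNCPath reports whether a message carries a \\host\share path.
func ContainsUNCPath(msg string) bool {
	return uncPattern.MatchString(msg)
}

func main() {
	for _, m := range sampleMessages {
		fmt.Printf("msg: %s\n  vulnerable: %s\n  safe:       %s\n  unc path? %v\n",
			m, VulnerableLinkify(m), SafeLinkify(m), ContainsUNCPath(m))
	}
}
```

The fix is an allow-list of schemes rather than a rule that strips backslashes: a renderer that only ever linkifies http and https cannot be talked into producing an SMB link, whatever new path syntax shows up in a message.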

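To make the ECB problem in the Citizen Lab bullet concrete, here is an added example in Go, written for this page and not taken from Zoom's client or from Citizen Lab's report. It encrypts a constructed "frame" made of repeated 16-byte blocks (a stand-in for a static video background or silence) first with AES-128 in ECB mode and then with AES-GCM, and counts how many distinct ciphertext blocks each produces. The key and frame contents are made up for the demo; the ECB routine is implemented only to show its weakness.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

const (
	gcmNonceSize = 12 // standard GCM nonce length
	gcmTagSize   = 16 // GCM authentication tag length
)

// sampleFrame is a constructed stand-in for a media frame whose content
// repeats: eight identical 16-byte AES blocks.
func sampleFrame() []byte {
	block := []byte("0123456789ABCDEF")
	return bytes.Repeat(block, 8)
}

// ECBEncrypt applies the raw block cipher to each 16-byte block on its own.
// Same key plus same plaintext block always gives the same ciphertext block.
// Input must be a whole number of blocks (no padding is applied here).
func ECBEncrypt(key, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := c.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		c.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// GCMEncrypt uses AES-GCM with a fresh random nonce: an authenticated mode
// whose keystream differs for every block and every call, so repeats in the
// plaintext disappear and tampering is detected on decryption.
// Output layout: nonce || ciphertext || tag.
func GCMEncrypt(key, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmBody strips the nonce prefix and tag suffix, leaving the ciphertext
// that corresponds block-for-block to the plaintext.
func gcmBody(sealed []byte) []byte {
	return sealed[gcmNonceSize : len(sealed)-gcmTagSize]
}

// DistinctBlocks counts the different 16-byte blocks in a ciphertext. With
// ECB, identical plaintext blocks collapse to one distinct ciphertext block,
// which is exactly the pattern leak the text describes.
func DistinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[hex.EncodeToString(ct[i:i+16])] = true
	}
	return len(seen)
}

func main() {
	key := make([]byte, 16) // AES-128, as in the Citizen Lab finding
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	pt := sampleFrame()
	ecb, _ := ECBEncrypt(key, pt)
	gcm, _ := GCMEncrypt(key, pt)
	fmt.Printf("plaintext blocks: %d, distinct ECB blocks: %d, distinct GCM blocks: %d\n",
		len(pt)/16, DistinctBlocks(ecb), DistinctBlocks(gcmBody(gcm)))
}
```

Two things to notice when running it: the eight identical plaintext blocks come out of ECB as one repeated ciphertext block, and encrypting the same frame twice under ECB yields byte-identical output, so an observer can tell repeated frames apart from changing ones without knowing the key. GCM gives eight distinct blocks and a different ciphertext on every call.
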
Should You Use Zoom or Not?

To give credit where it’s due, Zoom largely responded to these
disclosures swiftly and transparently, and it has already patched a
number of issues highlighted by the security community.

In addition, the company has announced a 90-day freeze [22] on
releasing new features to "better identify, address, and fix issues
proactively." It also aims to conduct a comprehensive review with
third-party experts and release a transparency report that details
information related to law enforcement requests for data, records,
or content.

Ultimately, it all boils down to this: should you be continuing
to use Zoom? It would be easy to look at all of these flaws and say
that people should simply stay away from Zoom. But it’s not that
simple.

Interestingly, the cybersecurity community is divided on the
question. Some say it's wrong to criticize Zoom [23] at this critical
time, when the software is helping people do their work remotely,
while others believe it's best to abandon the platform for other
alternatives [24].

Some have taken a neutral stance, concluding that whether to choose
Zoom depends entirely on an individual's threat model [25].

The fact that Zoom designed and implemented its own encryption
scheme is a major red flag: custom schemes don't get the scrutiny
and peer review that the standard protocols in everyday use have
been subjected to.

"The most prominent security issues with Zoom surround deliberate
features designed to reduce friction in meetings, which also, by
design, reduce privacy or security," Citizen Lab [26] wrote in its
report.

The most important takeaway for regular users is simply to think
carefully about their security and privacy needs for each call they
make. Zoom’s security is likely sufficient if it’s just for casual
conversations or to hold social events and organize lectures.

For everything else that requires sharing sensitive information,
there are more secure options like Jitsi Meet and Signal.

Citizen Lab, which identified a severe security issue in Zoom's
Waiting Room feature (disclosed to Zoom, with details withheld until
a fix is available), encouraged users to rely on the password
feature for a "higher level of confidentiality than waiting rooms."

So if you are worried about being Zoombombed, set a meeting
password [27], and lock the meeting once everyone who needs to join
has joined. For more tips on how to make Zoom calls secure, read
EFF's handy guide [28].


References

  1. cabinet meetings (news.sky.com)
  2. 200 million daily users (blog.zoom.us)
  3. reported (www.theguardian.com)
  4. privacy policy (blogs.harvard.edu)
  5. sending analytics data (www.vice.com)
  6. attendee tracking (www.eff.org)
  7. recorded locally (support.zoom.us)
  8. Felix Seele (twitter.com)
  9. Zoom's Windows app (thehackernews.com)
  10. Patrick Wardle (objective-see.com)
  11. data mining feature (www.nytimes.com)
  12. thousands of users' email addresses (www.vice.com)
  13. Washington Post (www.washingtonpost.com)
  14. zWarDial (krebsonsecurity.com)
  15. end-to-end encryption (theintercept.com)
  16. Matthew Green (blog.cryptographyengineering.com)
  17. Citizen Lab (citizenlab.ca)
  18. ECB mode (en.wikipedia.org)
  19. Citizen Lab's findings (blog.zoom.us)
  20. Zoombombing (www.nytimes.com)
  21. Waiting Room feature (support.zoom.us)
  22. 90-day freeze (blog.zoom.us)
  23. criticize Zoom (twitter.com)
  24. other alternatives (twitter.com)
  25. threat model (twitter.com)
  26. Citizen Lab (citizenlab.ca)
  27. set a meeting password (support.zoom.us)
  28. handy guide (www.eff.org)
