The Truth About Zoom

April 06, 2020

Did we think TikTok was bad? Man, oh man, it only gets worse from there. Enter stage left and we welcome Zoom onto the stage. If you hadn't heard of Zoom as of two weeks ago, I'm sure you have now. Schools are using it for distance learning, employees have started using zoom for work and for new-found virtual happy hours, friends are using it to introduce game night or trivia night, and families are using it to stay connected.

To put it bluntly, it is a security and privacy disaster. I first head of Zoom about two years ago when I did a security assessment on it for work. Even at that time, I did not feel like Zoom had a place with the workforce. I received a lot of frustrated comments on that one by the way. But I continued on and didn't use it in my personal life either. Now the FBI has come out to warn us of potential vulnerabilities and concerns for Zoom.

Fast forward and the majority of people I know are now using it, whether it be for work, for school, or for catching up with family. There have been reports of Zoombombing, where uninvited attendees break into and disrupt meetings. Then Zoom got called out for sharing user data with Facebook and on April 1, The Verge posted an article claiming Zoom was leaking personal information of "at least thousands of users, including their email address and photo, and giving strangers the ability to attempt to start a video call with them through Zoom." That wasn't an April Fools joke. Then Zoom told everyone that the platform was encrypted "end-to-end", but had decided to redefine the way they defined the encryption. All this in addition to a report on attackers stealing users' passwords and running malware, allowing attackers with local access to take over a Zoom user's Mac, tapping into device's webcam and microphone, and a generally sketchy privacy policy. Oh and it tended to turn on video by default.

But yet, Zoom is flourishing. It has gone from an average of 10 million daily users to 200 million daily users. As of early morning April 3, Zoom has become a top performing stock on the NASDAQ, showing up to 130% gains.

Who knows how long that will last with the latest string of troubles coming their way. Sure, they have taken steps to beef up their security and educate users, so maybe they are beginning to take this seriously.

Until then, there are still some seriously sloppy security practices to be aware of. This topic is constantly evolving, so what is in the news today is probably going to be outdated come mid-week. But if we don't have people talking about these concerns now, they have no reason to change.

Let's talk about the primary concerns.

Security
Privacy

There are very general buckets, I know. Let's get specific.

Security - Zoom claimed to implement end-to-end encryption, which is exactly as it sounds - communication is encrypted on both sides so it cannot be read or modified except by the intended sender and recipients. Unfortunately, Zoom seemed to be using its own definition of that term. A definition that allowed Zoom itself to access the unencrypted video and audio from meetings. Basically what happened is Zoom actually only offered transport encryption. Zoom uses TLS to protect its meetings, which is what web servers use to secure HTTPs websites. So the actual connection between Zoom on someone's computer or phone is encrypted in the same way between a web browser and a website, for instance, an article you are reading. What does this actually mean? The information will be protected from someone sniffing your WiFi network, but it won't stay private from the company. More on that below. True end-to-end encryption would mean that the data would be encrypted so that only that participants in the meetings will the ability to decrypt it. Zoom would only have access to the encrypted data, but would have no method of decrypting it. For example, secure messaging services like Signal or Wire.

I hate to say it again, but it gets worse. Citizen Lab reported that while Zoom claimed to use "AED-256" encryption, in reality it is only a single AES-128 key used in ECB mode by all participants to encrypt and decrypt audio and video. These keys appear to be generated by Zoom servers, and in many cases, through servers in China (even if there are no meeting participants in China). This Silicon Valley based company also owns three companies in China to do development work for Zoom's software. So, we have a company who has risen to the top very quickly, with strong Chinese ties. Could they potentially insert backdoors? Could they intercept potentially and decrypt traffic? Well…..

Last summer, security researchers found that there was a vulnerability in Zoom that would allow any website to forcibly join a user to a Zoom call, with the video camera activated, and without the user's permission. This has since been fixed, thankfully. But then, just a few days ago, we got more news that Zoom for Windows could be used to steal users' Windows credentials. The vulnerability that caused this bug has been frozen for the next 90 days so Zoom could focus on securing the features that are already in place.

Phew. That was a doozy. And that's only surface level. It's one thing to encrypt data, it's actually somewhat difficult to do for a group video conference service to do, but it's another for it to claim to do one thing, and to actually do another. And on top of that to have such strong Chinese ties? And all the bugs from the past? That is kind of sketchy when you put it all together. Now let's deal with the privacy issues.

Privacy - I think this is where Zoom has been in the news more often. Let's talk about the most visible problem first - Zoombombing, which would also be considered a security issue at the same time. It has been in the news lately for people hijacking video conferences and sharing pornographic images, doxxing participants, or taunting people with threats. It was as easy as looking for URLs that included "Zoom.us", or from finding links plastered all over social media channels, like your friends trivia night(?!). Clearly the dangers of this could be terrible for children if someone were to hijack a classroom or joined in on a family update. What if it were a sensitive work meeting? To be fair, Zoom is working on this issue. Starting April 5, Zoom will either require passwords to enter calls and it will enable virtual waiting rooms by default so the hosts has to manually admit attendees.

Zoom collects a significant amount of personal data about its users - username, email address, phone number, job information, Facebook profile information, computer/phone specs, IP address, and anything the user would create or upload. It went from going with a "depends what you mean by "sell"" mindset to then rewriting their privacy policy on March 29th, saying "we do not sell your personal data". The problem here is that Zoom considers its home pages a "marketing website", meaning it is still using third-party trackers and surveillance based advertising. You know, the thing where you are talking about buying something one second and the next time you log on to Facebook you're seeing ads for it?

Then there was the sharing of data with Facebook and we all know Facebook has it's own issues. It was recently reported that Zoom's iPhone application was sending its user data to Facebook, even if the user didn't have a Facebook account. Zoom's excuse was they use the Facebook SDK in order to provide their users with a convenient way to access the platform. So Facebook would get notified when a user opened the app, what kind of device they were using, the city and time zone they were in, the phone carrier, and a unique ID created by the user's device, which companies are able to use to target users with advertisements.

Got all that?

I'm struggling to keep this on the shorter side, too.

So let's talk about what we can do. Just this last week, Zoom implemented a feature freeze so they can focus on their current security issues. They say they are committed to fixing their issues, though I have a feeling this isn't the last we are going to hear.

Starting simple, make sure your systems are patched and updated. Use the waiting room feature, use random meeting IDs and set meeting passwords. Prevent screen sharing during the call, only allowing the host to control these features. Disable your video by default and turn it on only when you want it. Use a camera cover just in case another bug pops up that automatically turns video on.

I know a lot of us are using it to stay connected during this time. I can't, in good faith, recommend people not to use it; it is doing great things for people who live far away from friends and family, and I appreciate the connection that it provides. I just say be careful. Understand the potential downfalls of it, secure the settings you're able to secure, and be cognizant of the things you say when you are on a Zoom call or conference.

Originally posted at http://www.allymarie.net/the-truth-about-zoom/