Zoom Is a Textbook Example of Security Once Again Losing to Usability

The COVID-19 pandemic has led to a worldwide work-from-home experiment spiking the sales of laptops and video conferencing software around the world. Zoom’s UI-focused design goal to remove user friction in video conferencing allowed Zoom.us to become the 6th most used site in America and the 18th most used site globally, Alexa reports.

Admittedly, Zoom is easy to set up, easy to use, and lets up to 100 people join a meeting for free. It just works, but for whom?

Just as quickly as Zoom’s user base increased in size, cybersecurity experts and users across the world revealed multiple serious security gaps and vulnerabilities. Most notable are the concerns in Zoom’s infrastructure, specifically the transmission of meeting encryption keys through China.

Due to these security vulnerabilities causing a severe backlash from the community, Zoom has been diligent about fixing all reported vulnerabilities, as demonstrated by their release of Zoom 5.0 on April 27th. However, as security-focused investigative journalist Kim Zetter tweeted on April 2nd, it’s “too bad they didn’t save themselves some grief and engage in some security assessments of their own to avoid this trial by fire.”

Based on our research, we assess that Zoom’s software development is still in a stage of rapid development — its trial by fire. Although most vulnerabilities have been fixed, this trial by fire clearly shows that Zoom is still developing its platform and security practices. Vulnerabilities are still prone to occur.

Get to the Point. Is Zoom Safe to Use?

Yes, but only if you don’t mind risking the possible exfiltration of highly-confidential or private information. If you’re discussing trivial matters such as YouTube compilation videos of early 80’s city pop music from Japan, you should be reasonably fine.

Consumer Reports also argued that Zoom isn’t alone with privacy issues. Google Meet, Microsoft Teams, and Cisco WebEx all have privacy issues as well. However, it should be noted that not long after Cisco acquired WebEx in 2007, Cisco tapped Eric Yuan (now Zoom CEO) as Corporate VP of Engineering. Yuan left Cisco four years later to found Zoom.

“According to their privacy policies, all three companies can collect data while you’re in a videoconference, combine it with information from data brokers and other sources to build consumer profiles, and potentially tap into the videos for purposes like training facial recognition systems.”

-Bill Fitzgerald, Consumer Reports Privacy Researcher

Zoom Just Works, but for Whom?

We strongly recommend to not use Zoom for highly-confidential or private communication, especially for:

  • Government agencies
  • Organizations worried about cybercrime and commercial espionage
  • Medical institutions dealing with confidential patient information
  • Social activists, lawyers, journalists dealing with sensitive issues
  • Remote learning to ensure the privacy of lecturers and students, especially for children to avoid non-child appropriate Zoom bombings, as warned of in this FBI statement

Multiple organizations around the globe have banned (or heavily restricted) use of Zoom, including Google, SpaceX, NASA, the US Senate, the German Foreign Ministry, the Australian Defense Force, Taiwan government agencies and education systems, India government agencies, the Singaporean Department of Education, the New York City Department of Education, and others.

While these and other organizations have banned or put restrictions on Zoom, it still remains one of the most commonly used apps in the world. Is the latest release of Zoom 5.0 secure? Well, it’s more secure than Zoom 4.0 and is becoming more and more secure with each week; however, you, the individual user, and your meeting participants will have to decide what level of security you are all comfortable with.

Be Secure Using Zoom, Security Tips
  1. Join Zoom meetings through your web browser instead of installing native software and provide additional protection through a browser sandbox.
  2. If you must install the Zoom software, be sure to download the software directly from Zoom’s official website.
  3. Use an anonymous ID. Do not arbitrarily disclose your real name.
  4. Whenever possible, turn off the camera video function and recording function.
  5. Physically cover up the video camera on your device.
  6. When hosting a Zoom meeting, ask meeting participants to sign in with a password. This will reduce the possibility of Zoom-bombing; however, all it takes is one person to leak your Zoom meeting ID and password online to be susceptible to zoom raids/zoom-bombing. There are zoom raid groups and individuals that do this for fun and clout, so Zoom at your own risk. If you want to limit who can share their screen, video, and audio, we suggest using the Webinar (not Meeting) platform. (This is a paid add-on.)
  7. Be sure to read Zoom’s future transparency report, regarding their users’ digital rights, scheduled to be released within 90 days of April 2nd.
  8. Remember that while using Facebook to log into other applications increases usability, it also decreases security as this could unintentionally expose your identity. Be mindful of which applications you want to keep your identity public or private. Facebook-related vulnerabilities were discovered by “s3c”. While “s3c” removed his Medium article “How I Hacked Worldwide Zoom Users” and the vulnerability was patched by Zoom, be vigilantly aware of this particular malicious method as it could appear elsewhere in the wild.
  9. If you do continue to use Zoom, be aware that data breaches have occurred and may persist. Routinely enter your email into haveibeenpwned.com to ensure your credentials have not been stolen.
  10. Be very conscious of what you are discussing and where all your participants are located. Certain topics or practices are acceptable in some areas and not in others. This can lead to incidents such as this one.

What about Zoom, China, and Privacy?

One of Zoom’s three China-based companies in charge of product R&D. Two are owned by 軟視軟件(宿州)有限公司 (Soft Vision Software Ltd., located in Suzhou Province).

According to Zoom’s SEC filing, roughly 700 of the 2,500 Zoom employees (approximately 28 percent) are located in China under research and development. Forbes reported that some of the 30 original engineers hired to work for Saasbee (later renamed to Zoom) were in China.

While this business practice could reduce expenses, it raises significant concerns in the cybersecurity community as Zoom may be legally obligated to disclose encryption keys and data to Chinese authorities, due to the Cybersecurity Law of the People’s Republic of China, effective June 1, 2017.

This is further complicated by the Zoom E2E architecture. Experiments have confirmed that encryption keys of zoom meetings in North America are sometimes sent to the 5 servers in China instead of the 68 servers in the US. As the data and encryption keys are stored in servers in China, this makes it susceptible to the previously mentioned Cybersecurity Law of China.

This means Chinese authorities could ask Zoom to reveal these encryption keys, and Zoom would have to comply. Although this is in the realm of possibility, no evidence has been shown that authorities in China or any other nation-state have obtained encryption keys to Zoom meetings, nor has Zoom produced a transparency report regarding this.

By the end of April, Zoom announced that paid meeting hosts now have the option of avoiding servers in specific regions, and, by default, unpaid Zoom meeting hosts will use servers in their home regions. Zoom CEO, Eric Yuan, stated in an April 3 blog post, “it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this.”

Countdown to Transparency Day, 90 Days from April 2, 2020

To date, Zoom has not yet disclosed a transparency report regarding, as the human rights activist organization Access Now has put it, “Zoom’s policies affecting digital rights.” Access Now requests a transparency report regarding government (America, China, or any other nation-state) requests for data, Zoom’s responses to those requests, Zoom’s notification policies informing users regarding those requests, and Zoom’s notification policies informing users of data breaches.

Zoom has seen several data breaches in just a short amount of time. Thousands of usernames and passwords have been found for sale on the dark web. 2,300 sets of Zoom login credentials that include corporate accounts, educational facilities, and healthcare providers were found being shared in online forums. The Washington Post also reported that 15,000 Zoom meeting recordings were found on unprotected servers.

Zoom has publicly promised to release such a report by July 1, 2020 (or within 90 days of April 2nd).

Trial by Fire in a Myriad of Unexpected Ways
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

Eric Yuan, Zoom CEO

“A myriad of unexpected ways”?

It certainly is a gentle way to describe the myriad of unexpected ways users have had their privacy and data violated and hacked. Surely, “a myriad of unexpected ways” wasn’t used to describe the “myriad of unexpected ways” one could legitimately use video conferencing software, unless security protocols would suddenly change whether the Zoom user was Boris Johnson in a cabinet meeting or a millennial experimenting with Snapchat filters at home.

And the world has indeed seen a myriad of unexpected ways Zoom security has failed. Based on our research, Zoom core development had security issues embedded in its core design, so more vulnerabilities (and more patches) are expected in the future. Security should never be sacrificed for the sack of usability.

Zoom, to its credit, has been diligent about fixing most of the reported vulnerabilities to the best of its ability, including account hijacking, iOS profile sharing, security flaws regarding Zoom meeting waiting rooms, the sudden increase of Zoom bombing as reported by the FBI, or using hacker-like methods to trick users in order to bypass normal macOS security precautions.


I Don’t Have Trust Issues; You Have Trust Issues.

Non-software related issues have caused some users to mistrust Zoom. While none of these, in our opinion, present a significantly high safety hazard, they do form a pattern of mistrust. And in the world of security (and James Bond in Casino Royale), trust is everything.

They received a lot of criticism from not using the industry-standard definition of “end-to-end encryption” causing Oded Gal, Zoom Chief Product Officer, to write a lengthy apology in a Zoom blog post.

Official Zoom documents claimed to use AES-256 encryption for video and audio data traveling between Zoom servers and clients, but it was later revealed to actually use a single AES-128 key in ECB mode. Although the use of AES-128 is weaker than AES-256, it cannot be said that AES-128 is insecure. However, encrypting in ECB mode is not ideal as distinctive shapes and patterns are preserved in the input. This is why STRP Standards suggest using AES encryption in Segmented Integer Counter Mode or f8-mode.

Once again, Eric Yuan apologized in a Zoom blog stating, “We recognize that we can do better with our encryption design.” Zoom 5.0 has been updated to AES-256 GCB.

In late April, The Verge, caused Zoom to admit that they misspoke a recent peak of 300 million daily “users” as opposed to the more accurate term “participants”. (Only meeting hosts, not participants, count as users.) Zoom “misspoke” this information just prior to their joining the NASDAQ. It is believed this retraction caused their stock to drop nearly 9 percent on April 30 — the day Zoom joined the NASDAQ 100 stock index.

Conclusion?

Zoom is a textbook example of the Security vs. Usability conundrum hyper-realized in the wake of the pandemic.

Despite the increasing myriad of unexpected security issues (and patches) with Zoom, the video conferencing app is one of the most popular ways people are keeping in touch with one another. With its almost frictionless UI (and now Snapchat filter integration), it’s no wonder why Zoom has quickly become one of the most used apps in the world.

Zoom could one day be the most secure video conferencing app in the world if they’re able to continue to survive their current trial by fire, maintain their market lead in a post-pandemic environment, and escape growing mistrust of business practices. (Consistently using the common definitions of technical terms would be a great place to start.)

Their publicly promised transparency report (due before July 1st) should give more light to the direction Zoom plans to take in a post-pandemic market.

Whatever Zoom’s fate, this trial by fire has clearly demonstrated the need for proper security vetting in not just video conferencing apps but all software. Popularity does not equal security, nor is ease-of-use an acceptable trade-off for privacy. Stay safe, and stay smart.

Writer: CyCraft

CyCraftについて

CyCraft(サイクラフト)は、AIによる自動化技術を専門とするサイバーセキュリティ企業。2017年に設立され、台湾に本社、日本とシンガポールに海外拠点を持つ。アジア太平洋地域の政府機関、警察・防衛機関、銀行、ハイテク製造業にサービスを提供している。CyCraft の AI技術 と機械学習技術によるソリューションが評価され、CID グループ とテマセク・ホールディングス旗下のパビリオンキャピタルから強力なサポートを獲得し、また、国際的トップ研究機構である Gartner、 IDC、Frost & Sullivan などから複数の項目において評価を受けている他、国内外の著名な賞をいくつも受賞している。また、国内外を含む複数のセキュリティコミュニティ、カンファレンスに参画し、長年にわたりセキュリティ業界の発展に尽力している。

CyCraft ニュースレター購読

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
[申し込み]をクリックすることで、CyCraftのプライバシーポリシーにしたがって個人情報が使用されることに同意したこととなります。購読の解除はいつでも可能です。