It’s been two weeks of Zoom being laid bare regarding privacy and security issues, with a whole laundry list of issues being aired out in the open. While there are causes for concern (and where there’s smoke, there’s fire), some of the articles that are out in the media have been blown out of proportion. In this article, I’ll be discussing some of the issues that have come up, and where Zoom stands with them as of the 6th of April.

Now, a note before we continue. Yes, governments and companies like SpaceX are banning the use of Zoom – predominantly due to matters of state security or top secret information. This is not unexpected for a service of this kind. Jumping straight into a Zoom call (and then taking a photo of it and publishing it) without due diligence (ahem, UK Government) is probably bad governance and a poor risk assessment of your upstream provider.

Sending Analytics to Facebook

In this issue, Zoom was found to be sending analytics data to Facebook even if you didn’t have a Facebook account. This was not listed in their privacy policy, which is where a lot of the concern came from. Zoom released an update on the 27th of March which removed the Facebook SDK from their iOS app, and updated their privacy policy on the 29th of March.

Verdict: No Longer an Issue

Read more: Zoom Press Release, Motherboard, Zoom Privacy Policy

End-to-End Encryption and Certificates

Possibly one of the more dangerous (and dishonest) practices from Zoom was the claim of End-to-End Encryption, which has since been shown to be false and a marketing claim. While the communications between Zoom servers are encrypted, meeting content is either not encrypted or encrypted with a weak approach. The certificates and keys used for this encryption were also problematic: Zoom stored encryption keys on Chinese servers, potentially exposing those keys, and at times accidentally routed traffic through China.

Update (2020-04-15) – As of the 18th of April, paid Zoom users can opt in to or opt out of routing zones within the platform.

Verdict: End-to-End Still Problematic for Sensitive Info, Certificates and Routing Resolved

Read more: ZDNet Article, CitizenLab Report, Zoom Update re Routing (2020-04-13)

Exposed Contacts

The way Zoom handles contacts is that it automatically shares contacts within the same email domain with each other. So if your company domain is “company.com”, you’ll be able to see the contact details of everyone who has an email address ending in “company.com”. This is great for corporate users, but not great for those who use email addresses from public ISPs. Gmail.com, Yahoo.com etc. are all blocked by Zoom, but there are so many service providers out there that it’s not a scalable approach.

Verdict: A Potential Issue for Public ISP Email Addresses

Read more: Motherboard Article

Exposing Windows Passwords

In certain circumstances, someone could have sent a link (called a UNC link) in the Zoom chat. On clicking this link, a user’s computer would send an NTLM hash of their Windows credentials. This hash could have been intercepted and then subjected to an offline dictionary or rainbow-table attack, which could have exposed weak Windows passwords. This has since been resolved in an urgent update for Windows users.
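A defensive illustration of the chat-link issue above, added here as an example that is not Zoom’s code: a small Python chat renderer that linkifies only http(s) URLs and leaves UNC paths as inert text, which is the behaviour a fixed client should have. The message format and function names are assumptions.

```python
import html
import re

# A UNC path such as \\server\share\file.txt (or the //server/share form when it
# starts a word). Rendering one as a clickable link is what let a chat message
# trigger an outbound NTLM authentication from the reader's Windows machine.
UNC_PATH = re.compile(
    r'(?:\\\\[A-Za-z0-9._-]+\\[^\s]+)'               # \\host\share\...
    r'|(?:(?:^|(?<=\s))//[A-Za-z0-9._-]+/[^\s]+)'    # //host/share/... as a whole word
)
# Ordinary web links, which are safe to render as clickable.
WEB_URL = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def find_unc_paths(message: str) -> list:
    """Return every UNC path found in a chat message (empty list if none)."""
    return [m.group(0) for m in UNC_PATH.finditer(message)]


def render_chat_message(message: str) -> str:
    """Turn a raw chat message into HTML, linkifying http(s) URLs only.

    The message is HTML-escaped first so nothing the sender typed becomes
    markup. UNC paths stay as plain text rather than becoming links, which
    removes the click-to-leak-NTLM path described in the article.
    """
    escaped = html.escape(message, quote=True)

    def linkify(match):
        url = match.group(0)
        return f'<a href="{url}" rel="noopener noreferrer">{url}</a>'

    return WEB_URL.sub(linkify, escaped)
```

The same check can be run over stored chat transcripts to find messages that contained UNC paths before the client was patched.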

Verdict: No Longer an Issue

Read more: Bleeping Computer Article, Zoom Press Release

Mac “Root” Access

In certain circumstances, and only if the attacker was physically present at your Mac, an attacker could escalate their privileges on the computer in question by exploiting the way Zoom installed itself on a Mac. This has since been resolved in an update issued by Zoom on the 2nd of April.

Verdict: No Longer an Issue

Read more: TechCrunch Article, Zoom Press Release

Mac Camera Access

Piggybacking on the above, a similar exploit could allow an attacker (who is physically present) to take over the camera and microphone on a Mac computer. This has since been resolved by the same patch release mentioned above.

Verdict: No Longer an Issue

Read more: Bleeping Computer Article, Zoom Press Release

Exposed Video Recordings

In some very irresponsible headlining, BGR posted that Zoom videos are exposed online. While these videos were recorded in Zoom, they were not exposed because of Zoom. Yes, Zoom does use a regular naming convention for recordings, so videos can still be enumerated. But in the case of the BGR article, these were exposed because people shared their own videos on unsecured online services.

As a sidenote, Zoom does make any recording hosted in its cloud available to anyone who has the shareable link. In some cases, this may mean that cloud recordings can be found if someone can guess the link. You can secure your Zoom recordings from the settings page on Zoom.

Verdict: A Non-Issue

Read more: BGR Article, Original Washington Post Article, Zoom Recording Settings Page

Waiting Room Security

In the same CitizenLab report that identified the encryption issues, a new vulnerability was detected and has since been escalated to Zoom. The details have not been made public, and the issue was privately communicated to Zoom.

Verdict: No Longer an Issue (as of 2020-04-07)

Read more: ZDNet Article, CitizenLab Report, CitizenLab Update (Added 2020-04-08)

Zoom Credentials on the Dark Web (Added 2020-04-15)

In another spectacular capitalisation on sensational headlines, Zoom seems to be indirectly blamed on a number of sites for over 500k Zoom accounts being sold on the dark web and hacker forums. This is not Zoom’s fault; it is the fault of users using poor password management techniques (i.e. none at all, using the same password for every service).

These credentials have not been leaked by Zoom. They were harvested from other breaches (as rightfully stated by Bleeping Computer) and used in a “credential stuffing” attack against Zoom’s service. I guarantee the same is happening to every other service out there, but because Zoom is in the news, it’s easy to go after them. Bleeping Computer has a great article on this that includes Zoom’s statements and the fact that this attack is also used elsewhere.
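The detection side of this, as an added example (not Zoom’s code, and not their logs): a few constructed authentication log lines and a Python detector that separates credential stuffing (many accounts tried from one source in a short window) from an ordinary user mistyping a password. The log format, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Zoom logs). One line per attempt:
# 203.0.113.5 tries six different accounts in a few seconds (stuffing), while
# 198.51.100.7 is one user mistyping a password twice and then getting in.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z login result=FAIL user=alice@example.org ip=203.0.113.5
2020-04-13T10:00:02Z login result=FAIL user=bob@example.org ip=203.0.113.5
2020-04-13T10:00:02Z login result=OK user=carol@example.org ip=203.0.113.5
2020-04-13T10:00:03Z login result=FAIL user=dave@example.org ip=203.0.113.5
2020-04-13T10:00:04Z login result=FAIL user=erin@example.org ip=203.0.113.5
2020-04-13T10:00:05Z login result=OK user=frank@example.org ip=203.0.113.5
2020-04-13T10:01:00Z login result=FAIL user=grace@example.org ip=198.51.100.7
2020-04-13T10:01:30Z login result=FAIL user=grace@example.org ip=198.51.100.7
2020-04-13T10:02:00Z login result=OK user=grace@example.org ip=198.51.100.7
"""
LINE = re.compile(r'^(?P<ts>\S+) login result=(?P<result>OK|FAIL) '
                  r'user=(?P<user>\S+) ip=(?P<ip>\S+)$')

def parse_log(text):
    """Parse log lines into (timestamp, ip, user, succeeded) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ')
            events.append((ts, m['ip'], m['user'], m['result'] == 'OK'))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try >= min_users distinct accounts inside one window.
    Brute force is one account and many passwords; stuffing is many accounts with
    one leaked password each, so distinct usernames per source is the signal."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            users = {u for t, u, _ in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                # Successful logins from a flagged source are likely account takeovers.
                flagged[ip] = {'accounts_tried': sorted(users),
                               'successful_logins': sorted(u for _, u, ok in attempts if ok)}
                break
    return flagged
```

The accounts under successful_logins are the ones whose reused passwords worked and are the ones to reset first.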

Verdict: A Non-Issue (on Zoom’s side)

Read more: My article on saving passwords, Bleeping Computer article

Recommendations

As the above shows, Zoom is actively working to resolve the issues that are surfacing. Any company that has exploded in users as they have will be under scrutiny (and rightfully so). Many of these issues are things you are most certainly going to come across in the software development space, although some of them do point to rather deceptive practices. Their CEO is being very proactive in addressing the user base, and I’m sure we’ll see them continue to address issues as they are raised.

Having said that, if you are dealing with sensitive and highly confidential information (at the time of writing this), perhaps you should look into alternative services that may better suit your needs. In circumstances where I am working with highly sensitive information, I will, at least for the interim, be switching to Microsoft Teams. If, however, you are not dealing with sensitive information – such as offering online Pilates classes or holding a public AGM – there is no reason that Zoom shouldn’t be a platform to consider.

As I said in the beginning, where there is smoke, there is fire, and Zoom is unfortunately expelling a lot of smoke right now. I am concerned about the decisions they have made along the way and the sacrifices to privacy that were rubber-stamped when they should never have been. Time will tell how this plays out. Their lack of Privacy by Default is just staggering, and I find it incredibly frustrating that I have to hunt through online accounts for buried optional security settings that should be enabled by default.

If you are going to continue using Zoom, please log in to your Zoom account from their website and secure what settings you can. The Electronic Frontier Foundation has a great article about hardening your account – but don’t forget to look at the recording settings I listed above. Lastly, please ensure that no matter what platform you are on, you are running the latest version of Zoom.

Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?
