Your security and Zoom video conferencing

In this new COVID-19 world, the video conferencing app Zoom has seen daily usage grow from 10 million participants a day in December 2019 to over 200 million a day in March 2020 [1]. Despite this success, concerns are apparent. Some high-profile organisations have recently banned Zoom – including the Australian Defence Force [16], the Singapore Department of Education [17] and SpaceX [18], to name a few. As with any technology, you should weigh the benefits of its use against the potential risks.

Concern 1: Zoombombing incidents

Zoombombing is the practice of unwanted visitors joining a Zoom conference – either secretly or overtly. Of people joining openly, some examples of recent wrongdoings include:
  • Online Alcoholics Anonymous (AA) meetings invaded by trolls yelling “Alcohol is soo good” [2]
  • Classrooms, where an “individual gained unauthorised (sic) access and exposed himself to [an online] class” [3]. The FBI (USA) reports that other online classes have experienced disruption as well [4]. The New York City Department of Education has banned Zoom because of security fears [5].
  • A synagogue service interrupted by abusive racists [6].

Concern 2: Zoom’s management of sensitive information

Zoom’s simplicity, whilst part of its attraction to many, can also pose additional security risks. Zoom has resolved the following issues in releases over the last few days. If you use Zoom on an iPhone or iPad, the company was sending “data to Facebook, even if you don’t have a Facebook account” [7]. Until recently, Zoom supported a feature that matched meeting participants with their LinkedIn profiles, even if that user had joined the Zoom meeting under a pseudonym or anonymously [8]. It was theoretically possible for someone to obtain your Windows password if someone posted a link to certain types of company files in the Zoom chat window [9]. On Apple Macs, Zoom bypasses and weakens the operating system’s protection systems. These bypasses can – theoretically – provide a means for malicious software to take over cameras and microphones [10].

Concern 3: Zoom can view calls or messages

Communications apps from Apple and WhatsApp (owned by Facebook) are gradually moving towards ‘end-to-end encryption’ – at least, that is the stance they adopt publicly [11] [12]. End-to-end encryption means that – in theory – communication stays private to the intended recipients (there are notable exceptions, which Notion can tell you more about). However, Zoom doesn’t follow this practice [13]. While Zoom encrypts information between your computer and Zoom’s servers, the technical architecture suggests that someone at Zoom could – in theory – view or record communications. Zoom says it has processes to guard against this [15].

Concern 4: Zoom routing communications via servers in third-party countries

According to a report released by the University of Toronto’s Citizen Lab [14], researchers have evidence suggesting that keys used to encrypt Zoom communications may originate from servers located in third-party countries. Given Zoom’s practice of off-shoring some of its workforce, this may leave Zoom vulnerable to third-party government requests. In addition, the Canadian research team claimed that the algorithm used by Zoom to encrypt its communications is weak. Zoom has responded to these concerns, saying it is taking steps to prevent routing communications through third-party countries and to improve its encryption [15]. Update: 15 April 2020 – Zoom has released a new feature for its paid users. Meeting hosts can now choose where in the world Zoom communications are routed [19]. I have described how you can choose your call routing.

Recommendations: How to use Zoom in the new era

I know that many of our clients will start to or continue to use Zoom in the future. Given that reality, I advise all clients to do the following now:
  1. (Updated: 20 August 2020 – this is now generally out of date, as Zoom has forced people to update.) Immediately update your Zoom software. To do this, start Zoom and go to ‘Check for updates’. Ensure your software has a version number higher than 4.6.9 (19253.0401) for Microsoft Windows, and 4.6.9 (19273.0402) for Mac.
  2. Use Zoom’s ‘Waiting Room’ feature for small non-webinar meetings. That way, you can verify each participant in your meeting. See this article for more information [link].
  3. From 5 April 2020, many Zoom accounts will have meeting passwords and waiting room features turned on by default. You should verify that your account, and any new meetings, have these features switched on.
  4. Review previously set up or recurring meetings in Zoom to ensure they have an appropriate meeting password and appropriate settings for meeting ‘waiting rooms’.
  5. Consider alternatives with more well-known security features and tradeoffs.
  6. Move ‘high stakes’ discussions to platforms with more well-known security features and tradeoffs.
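A small check for recommendation 1, added here as an example that is not part of the original post or of Zoom’s own software: it parses the version string as shown in Zoom’s ‘About’ dialog (major.minor.patch, then build.date in brackets), compares it with the Windows and Mac minimums quoted above, and lists the hosts in a small inventory that still need updating. The hostnames and newer version numbers in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions quoted in recommendation 1; installed software must be HIGHER than these.
MINIMUM_VERSION = {
    "windows": "4.6.9 (19253.0401)",
    "mac": "4.6.9 (19273.0402)",
}

# Shape of the string in Zoom's 'About' dialog: major.minor.patch (build.date)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\s*\((\d+)\.(\d+)\)")


def parse_zoom_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '4.6.9 (19253.0401)' into (4, 6, 9, 19253, 401).

    Tuples compare field by field, so the build number breaks ties between
    releases that share the same 4.6.9 label. A string that does not match
    the expected shape raises, so a garbled reading fails loudly.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised Zoom version string: {text!r}")
    major, minor, patch, build, date = (int(g) for g in match.groups())
    return (major, minor, patch, build, date)


def is_version_acceptable(installed: str, platform: str) -> bool:
    """True only when the installed version is strictly higher than the platform minimum."""
    key = platform.lower()
    if key not in MINIMUM_VERSION:
        raise ValueError(f"no minimum version known for platform {platform!r}")
    return parse_zoom_version(installed) > parse_zoom_version(MINIMUM_VERSION[key])


def hosts_needing_update(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Given {hostname: (platform, version string)}, return hosts still on an old build."""
    return sorted(host for host, (platform, version) in inventory.items()
                  if not is_version_acceptable(version, platform))


# Constructed sample inventory (hostnames and the newer versions are illustrative only).
SAMPLE_INVENTORY = {
    "laptop-01": ("windows", "4.6.9 (19253.0401)"),  # exactly the minimum: still needs update
    "laptop-02": ("windows", "4.6.11 (20559.0413)"),  # newer patch release: fine
    "mac-01": ("mac", "4.6.9 (19273.0402)"),          # exactly the Mac minimum: still needs update
    "mac-02": ("mac", "5.0.0 (23000.0420)"),          # major version bump: fine
}

if __name__ == "__main__":
    print("Hosts that still need updating:", hosts_needing_update(SAMPLE_INVENTORY))
```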
If you need cybersecurity advice, reach out to us at Notion Digital Forensics or a specialist cyber-security adviser.

References

  1. Yuan, E.S. A Message to Our Users. Zoom 1 April 2020 [cited 4 April 2020]; Available from: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.
  2. Holmes, A, A Message to Our Users. Zoom 1 April 2020 [cited 4 April 2020]; Available from: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/.
  3. Orange County Public Schools, (Untitled), O.C.P.S. Teachers, Editor. 2020, Orange County Public Schools.
  4. Setera, K, FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic. 30 March 2020 [cited 3 April 2020]; Available from: https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic.
  5. Strauss, V. School districts, including New York City’s, start banning Zoom because of online security issues. Washington Post 5 April 2020 [cited 6 April 2020]; Available from: https://www.washingtonpost.com/education/2020/04/04/school-districts-including-new-york-citys-start-banning-zoom-because-online-security-issues/.
  6. Wakefield, J. Coronavirus: Racist ‘zoombombing’ at virtual synagogue. BBC News 2020 3 April 2020 [cited 3 April 2020]; Available from: https://www.bbc.com/news/technology-52105209.
  7. Cox, J., Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account. Motherboard 27 March 2020 [cited 3 April 2020]; Available from: https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account.
  8. Krolik, A. and N. Singer. A Feature on Zoom Secretly Displayed Data From People’s LinkedIn Profiles. The New York Times 2 April 2020 [cited 4 April 2020]; Available from: https://www.nytimes.com/2020/04/02/technology/zoom-linkedin-data.html.
  9. @HackerFantastic, Tweet. [cited 3 April 2020]; Available from: https://twitter.com/hackerfantastic/status/1245133371262619654.
  10. Wardle, P., The ‘S’ in Zoom, Stands for Security. Objective-See 30 March 2020 [cited 3 April 2020]; Available from: https://objective-see.com/blog/blog_0x56.html.
  11. Apple. iMessage and FaceTime & Privacy. 27 December 2020 [cited 3 April 2020]; Available from: https://support.apple.com/en-us/HT209110.
  12. Facebook, Whatsapp Encryption Overview. 2017, Facebook: USA
  13. Lee, M. and Y. Grauer. Zoom meetings aren’t end-to-end encrypted, despite misleading marketing. The Intercept 31 March 2020 [cited 3 April 2020]; Available from: https://theintercept.com/2020/03/31/zoom-meeting-encryption/.
  14. Scott-Railton, J. and B. Marczak. Move Fast & Roll Your Own Crypto – A Quick Look at the Confidentiality of Zoom Meetings. The Citizen Lab, Munk School of Global Affairs & Public Policy 3 April 2020 [cited 4 April 2020]; Available from: https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
  15. Yuan, E.S. Response to Research From University of Toronto’s Citizen Lab. 3 April 2020 [cited 6 April 2020]; Available from: https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/.
  16. Biggs, T. Zoom says it’s safe for Australian companies to use as security concerns escalate. Sydney Morning Herald (Nine Entertainment) 7 April 2020 [cited 13 April 2020]; Available from: https://www.smh.com.au/technology/zoom-says-it-s-safe-for-australian-companies-to-use-as-security-concerns-escalate-20200406-p54hj0.html.
  17. Geddie, J. Singapore stops teachers using Zoom app after ‘very serious incidents’. Reuters 10 April 2020 [cited 13 April 2020]; Available from: https://www.reuters.com/article/us-zoom-video-comm-privacy-singapore/singapore-stops-teachers-using-zoom-app-after-very-serious-incidents-idUSKCN21S0AH.
  18. Vengattil, M. and J. Roulette. Elon Musk’s SpaceX bans Zoom over privacy concerns – memo. Reuters 2 April 2020 [cited 13 April 2020]; Available from: https://www.reuters.com/article/us-spacex-zoom-video-commn/elon-musks-spacex-bans-zoom-over-privacy-concerns-memo-idUSKBN21J71H.
  19. Ittelson, B. Coming April 18: Control Your Zoom Data Routing. Zoom Blog 13 April 2020 [cited 15 April 2020]; Available from: https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-control-your-zoom-data-routing/.
Photo credit @9_fingers_ via Twenty20.

Important note on general advice

I am a cyber security specialist, but I may not be YOUR cyber security specialist. 

All cyber-security and digital forensics decisions require careful consideration of your own circumstances and risks. General information is not tailored to your individual needs. You should seek the advice of a suitably qualified cyber-security or digital forensics specialist.