Zoom's (Sensationalism-Free) Cyber Security Posture

by Jeff, on 28/04/2020 7:00:00 AM

The COVID-19 pandemic, and the ever-increasing number of employees shifting to remote work has seen explosive growth for Zoom’s platform. This growth has come with heavy scrutiny of Zoom’s security posture; organisations and government agencies have seen their private Zoom meetings infiltrated by unauthorised attendees, and enterprise IT teams tasked with hastily standing up their whole organisation for remote work. Media headlines - whilst attention (click) grabbing - in some cases barely use the facts as inspiration.

Zoom has without a doubt employed some questionable and shady tactics to remain the most frictionless web conferencing software. From its ‘malware-like’ software development practices, alarming privacy policy, non-disclosure of device tracking in iOS apps and non-industry standard use of the term ‘end-to-end encryption’, Zoom has broken the trust of its users several times over.

There are however, some criticisms aimed at Zoom for which it should not bear the brunt, including unauthorised attendees finding and joining meetings that have no password or access control, video recordings left publicly exposed on the web in separate storage services, and the availability of hundreds of thousands of Zoom user credentials available on the dark web, itself a result seemingly apparent of credential stuffing and user password re-use. For all the security findings of Zoom’s platform, no vulnerabilities have yet been disclosed. The main criticisms aimed at Zoom and actual interpretation are shown below in table.

Media Portrayal	Reality
Installation of 'malware-like' Zoom web server on macOS machines
Zoom is a shady and untrustworthy company that will do anything it can, even dangerous software development practices.	While the media sensationalises somewhat, Zoom’s trickery and software development practices are not a good thing. However, this appears to be an isolated case.
Privacy concerns related to Facebook tracking and personal information for marketing purposes
Zoom’s privacy policy allowed them to use personal video and call content for advertising, and hid their tracking codes in their iOS app.	Zoom’s original privacy policy language was not clear and had been interpreted maliciously. They have since changed their policy to clarify no data is used for advertising, and removed the Facebook tracking from their iOS app.
Non industry-standard us of the term 'End to end encryption'
Zoom misled its users to believe that meetings were end-to-end encrypted, i.e. only the participants can view and decrypt meeting contents. Zoom used the term to refer to HTTPS/TLS, using the term incorrectly.	This is a fair portrayal; the term end-to-end encryption is well known and commonly accepted. Zoom’s misuse of it was in poor faith, especially given they do not publish transparency reports from data cess by governments and law enforcement.
Use of custom cryptography protocols
Zoom’s use of a custom cryptography protocol is poorly implemented, and encryption keys have been detected originating from China.	These claims appear to be suspected based on traffic analysis, though the use of custom cryptography protocol confirmed.
'Zoombombing'
Zoom’s platform is open and insecure, allowing anonymous guests to join calls on a whim and take over the meeting.	Zoom allows meetings using a static ID, and no password, however provides several options to secure a meeting including random IDs, passwords, waiting room and authentication profiles that have often not been utilised correctly.
Leaking of Zoom account email addresses through Company Directory feature
Zoom collated users with the same domain name, allowing users to view the names and email address of other private users.	This is definitive unintended leakage of personal information, though only contained to personal users on low profile email providers (i.e. not Gmail) or unknown providers outside of the U.S.
Video call recordings left exposed on the web
Zoom is responsible for the easy discovery of unsecured recorded meetings hosted on separate platforms due to its filename nomenclature.	Users who record a meeting, then save this to a separate platform or hosted storage service must own the responsibility, and ensure they secure its access, regardless of filename.
Zoom account credentials discovered on the dark web
Zoom’s service is highly insecure, leading to a data leak of Zoom usernames and passwords.	The credentials exposed are the result of credential stuffing, or using usernames/passwords from older, unrelated breaches in order to attempt to access Zoom. There has so far been no report of Zoom’s services being breached.

Update May 29, 2020

A lot has changed since Zoom’s purported problems began to surface in the media and to Zoom’s credit, they have taken the criticism on the chin, using it as an opportunity to push several security related updates to their platform. In early April, Zoom promised to freeze all feature development unrelated to security in a 90-day blitz aimed at building a more secure service[1]. Almost 60 days in, and this blitz has yielded several welcome additions, and solved or shown advancement in solving almost all their previous failings.

While Zoom’s previous use of the term end-to-end encryption was dubious and misleading, a draft design for a true end-to-end encryption platform has been released for public peer review by Zoom[2], which outlines a four phased approach and ongoing, transparent consultation with industry experts. The phases consist of an initial upgrade to the key exchange protocol, transitioning to the use of public-key cryptography and effectively ensuring that Zoom would not have access to users’ private keys[3], and hence not hold the keys to decrypting meeting contents.

Further on the encryption front, Zoom’s use of a custom 128-bit encryption protocol alarmed security experts for its potential to leave data readable in its encrypted form. Zoom has since shown its commitment to improving this, acquiring Keybase[4], creators of an end-to-end encrypted messaging and storage system and switching to a more robust, industry standard encryption scheme; AES 256-bit GCM[5], allaying any fears of data readability. It is expected that the integration of engineers from Keybase will give Zoom the resources it needs to further build out a truly end-to-end encrypted platform.

Zoom also continues to give more control to administrators in how their organisations’ data is routed and ensuring staff under the same domain join the organisational account. A study by Citizen Labs raised the possibility that data, specifically encryption keys, were being routed through servers located in China. While only suspected, Zoom have since introduced a feature that gives administrators control over which data centre regions data passes through[6], a very welcome level of control and peace of mind. Zoom has also done away with the criticised feature that saw all accounts with the same domain automatically listed as contact, and introduced ‘Associated Domains’[7]. Now, a domain must be first verified by the owner such as through addition of a DNS TXT record, and any new or existing user with an associated domain must either join the organisation account or use a different email address, giving more control to administrators and reducing shadow IT.

For end-users, Zoom’s 5.0[8] release includes several security related features aimed at improving its platform, including[9]:

Enabling passwords by default on all meetings for most users
Allowing administrators to set password complexity rules
Enabling meeting room by default (for basic, education and single-pro licences)
Ability to see all security features within one UI component
Extra host controls to remove/report users, restrict ability for users to rename themselves, and to enable features in real time, such as the waiting room

Zoom is enforcing release 5.0 from May 30; clients must be on 5.0 to join any meetings and will receive all of the above security improvements automatically, such as AES-256 GCM encryption and security UI updates[10].

Recommended Zoom Settings

Pre-Meeting Settings

Setting	General Meetings	Sensitive Meetings	Highly Sensitive Meetings
Meeting Id Scheduling all meetings using an automatic meeting ID. Once a personal ID is known, it can be used by unauthorised users to join any future meetings that have not otherwise been locked down, such as with a password.	Generate Automatically (All)
Personal ID Consider disabling to prevent users from taking the easy option to create meetings by repeatedly sharing their personal ID rather than generating a new meeting ID (as above).	Enabled (All)
Meeting Password Enable a complex password for meetings and share the password to only recipients who are authorised to attend. ^#1 Further, ensure the following account settings are enabled to ensure meetings are completely password protected: Require password for instant meetings Require a password for Personal Meeting ID Require password for participants joining by phone Disable Embed password in meeting link for one-click join to ensure password is sent separately through a secure channel.	Optional	Optional	Enabled^#1
Meeting Password Requirement Zoom admin account settings give the option to ensure passwords meet the requirements for minimum length, and that they contain letters, numbers, and special characters. It is recommended to enable these settings so users must create strong passwords for their meetings.	Enabled (All)
Join Before Host In a meeting with trusted participants (i.e. internal staff), enabling this option gives the first participant host access, and control over the meeting until the host joins. Disable this in sensitive meetings to ensure that the meeting only starts once a host has joined and can only be controlled by them.	Optional	Consider Disabling	Disabled
Only allow registered or domain-verified users By enabling this option, only those with Zoom accounts will be allowed to join the meeting. For highly sensitive internal-only meetings, this should be enabled. Enabling this option may not be possible in all scenarios, such as where external participants do not have a Zoom account. The list of allowable users can however be restricted at the account level to a set of user-defined domains by enabling Authentication Profiles.	Optional	Consider Enabling	Enabled
Waiting Room Enabling waiting room gives hosts the ability to vet all users wishing to connect to a meeting. The host can then choose to approve or deny participant entry into the meeting. This option is ideal for sensitive meetings as it provides another layer of security (e.g. on top of a password), heavily restricting access through manual verification. It can also be used to control access to sensitive meetings where authenticated user control is not feasible.	Enabled (All)
Record the Meeting Automatically The recording of meeting notes, talking points and outcomes should be taken through other means where possible, particularly with sensitive meetings. Recordings are stored on Zoom’s servers and pose a security risk in the event of compromise.	Optional	Optional	Optional
Screen Sharing For meetings where it is appropriate, ensuring only the host can screen-share removes the ability for other users to do so without approval by the host.	All	Consider Host Only	Host Only

In-Meeting Settings

The following settings can now be found in the “Security” context menu from within the Zoom client while a meeting is in progress, and should be enabled for all meeting types.

Setting

Lock the Meeting

Lock the meeting once all attendees have arrived to prevent any additional or unauthorised people from joining.

Enable Waiting Room

If not enabled in the pre-meeting settings, the waiting room can be enabled during an in-progress meeting.

Remove and Report Participants

From the security context menu, or participant list, participants can now be removed and reported such as unauthorised attendees.

Disable Annotation

Turn off annotation to avoid unwanted users from annotating the screen during a meeting. This setting can be disabled for a meetings entirety, or temporarily so should be controlled based on meeting content.

Criticisms and Findings

1. Installation of 'malware-like' Zoom web server on macOS machines

Zoom is constantly fuelled by their motivation to make their platform experience frictionless, and in July 2019[1] a vulnerability was disclosed in Zoom’s macOS installation that used a local web server to enable ‘One click’ meeting joins from Safari[2]. The vulnerability highlighted malware-like software development practices and resulted in the potential for any remote website to initiate a meeting and enable the camera on a user’s machine without their knowledge.

Zoom was criticised for their response and their inability to remove the vulnerability from user’s machines, instead relying on a user to follow relatively complex instructions[3], resulting in Apple issuing a patch of their own to push a fix at the Operating System level. Zoom doubled down on their implementation, arguing it provided a better user experience, and put some onus on the user to disable settings within the Zoom application[4] that would prevent the camera turning on automatically.

2. Privacy concerns related to Facebook tracking and personal information usage for marketing purposes

It has been widely reported that Zoom’s privacy policy allows the use of personal information (e.g. screenshots of video calls) for marketing purposes. Following the trail of sources for these reports often lead back to a blog by Harvard researcher Doc Searls[5]. However, Doc Searls published a follow up article mere days after the original, praising Zoom’s response, quick action and allaying the privacy concerns that were raised in the original article[6]. Zoom has since changed the language within its privacy policy to clarify it does not use personal information for marketing.

A separate concern has been raised from Zoom’s use of the Facebook SDK in its iOS application. The application was found to be sending app usage and metadata to Facebook’s API, even if the user did not have a Facebook account, for the likely intent of building advertising profiles or for user interface and feature development[7].

It is worth noting that the issues surrounding use of Facebook’s SDK are based on its non-disclosure in any Zoom literature or privacy policy, and this action is indefensible; Zoom should have been transparent and forthcoming with such information.

The practice of sending device metadata and usage to Facebook for advertising (even if the user does not have a Facebook account) is used by ~9% of all websites across the entire internet[8] and is not dissimilar to Google Analytics tracking for the same purpose. While the arguments for the privacy implications of such tracking are out of scope here, Zoom is by no means alone in utilising such tracking technology.

3. Non industry-standard use of the term 'End to end encryption'

The accepted and standard definition of end-to-end encryption means only the parties communicating on a platform can read sent data, while the underlying service provider cannot. That is, the service does not hold decryption keys to view and read plaintext data.

Until early April, Zoom calls were labelled as ‘end-to-end encrypted’, giving the impression that Zoom did not have the ability to access video and audio from meetings. A report by The Intercept[9] discovered this to be false, with Zoom admitting that end-to-end encryption is not possible for Zoom video meetings, and that instead these calls were encrypted using the same technology utilised by websites to encrypt data over the wire, i.e. HTTPS and TLS.

Zoom also accepted that their use of the term ‘end-to-end encryption’ differed to the accepted standard term and have changed the wording to remove reference to it in literature and in the application.

While it is not possible to say if this was semantics, or purposefully done to mislead, the issue here is furthered by Zoom’s lack of published transparency reports pertaining to access for data by government or law enforcement agencies, especially as Zoom has the ability to read said data. These transparency reports provide visibility into requests for data, and are published by several large organisations including Google, Facebook and Microsoft.

4. Zoom's use of custom cryptography protocols

A report by Citizen Lab[10] (a part of Toronto University) discovered Zoom to be utilising an in-house cryptography protocol as opposed to standard protocols, configured in such a way as to be generally thought as non-ideal for providing secrecy.

Further, the encryption keys at times appear to be distributed through servers in china, opening up the potential for access by the authorities.

At this time, these allegations are suspected based on analysis of traffic flows, and should be closely monitored as the situation continues to evolve.

5. 'Zoom-bombing' tools developed

The exponential rise in Zoom’s popularity has led to “Zoom-bombing”, or the unauthorised joining of calls to spread malicious or unwanted content to attendees. Zoom meetings not protected by a random meeting ID and password are easily susceptible, as links can be discovered in a myriad of ways, including simple Google searches[11]. Adversaries also have access to tools that automate the finding and connecting to open Zoom meetings, with only a password protected meeting enough to foil any connection attempts.[12]

Meetings configured using random IDs and complex passwords are currently not susceptible to Zoom-bombing. Meeting organisers should also consider enabling the waiting room, and configuring authorisation profiles to limit attendees by domain.

6. Leaking of Zoom account email addresses through Company Directory feature

In line with Zoom’s motivation to provide frictionless experiences, a feature exists whereby users who have emails with the same domain name, i.e. @company-name.com, are automatically collated into a ‘Company Directory’. This searchable directory contains the full name, email address and profile photos of each user in the company.

While larger email providers such as Gmail and Yahoo are blacklisted to protect personal users seeing each other, an oversight in application logic saw those on smaller email providers inadvertently included into the same ‘Company’[1], allowing personal users to view private information of others.

This is a definite data leak, though one contained to personal users, and a scenario that should have been picked up during software testing and QA. Zoom has since rectified the issue

7. Video call recordings left exposed on the web

A report from the Washington Post[14] headlined “Thousands of Zoom video calls left exposed on open Web” may deceivingly imply this to be a breach of Zooms servers. However, the recordings were actually discovered in unsecured file storage services that could include services such as Dropbox, OneDrive and AWS S3 Buckets.

The ability to find public videos using search expressions is made somewhat easier due to Zoom’s standard file naming nomenclature, though it should be stressed that the responsibility of securing access to any recorded data hosted on a separate service sits with the end user.

8. Zoom account credentials discovered on the dark web

Reports are coming in that Zoom usernames and passwords are surfacing and being sold in hacker forums and the dark web[15]. There is no indication as yet that Zoom’s services have been breached. Instead, the credentials appear to be the result of credential stuffing, i.e taking credentials from older breaches unrelated to Zoom and using these to attempt access on a Zoom account.

This is ultimately an issue of password re-use across multiple separate accounts, and not a security issue with Zoom. Out of caution, users can change their Zoom password, and always ensure unique passwords for each utilised service.

Zoom's Response and Commitment to Ongoing Security

It would be remiss to highlight only Zoom’s shortfalls, of which there are plenty, without discussing their response to the criticism and findings.

An internal memo from the U.S Department of Homeland Security, drafted by the Cybersecurity and Infrastructure Security Agency has stated that Zoom is responding to criticism seriously and appropriately[16]. Zoom have paused implementing new features to focus solely on tightening security controls[17] through switching on meeting passwords by default, and including the waiting room for all access tiers, including free. The ability to choose which data centre regions route traffic has also been added for enterprise customers, allowing the blacklisting of certain countries (outside of the user’s home region)[18]. It is expected that Zoom’s security controls will continue to evolve and improve over the coming weeks and months.

Several high-profile organisations and institutions have however banned the use of Zoom, including SpaceX, Google, NASA and German Foreign Ministry[19][20], citing privacy or security concerns, and the ban implemented out of caution. We are also seeing some institutions reverse a ban, such as Singapore’s Education Ministry[21], following the implementation of appropriate security settings such as meeting passwords and host-only screen sharing.

The situation surrounding Zoom’s security posture is dynamic and constantly evolving. Yet it is hard to ignore Zoom has partly broken trust with its users, or purported to mislead them for competitive gain. As the most well-known name in enterprise web conferencing, Zoom’s business has seen explosive growth due to the COVID-19 pandemic, and hence has had its service under much heavier scrutiny. This is not entirely a bad thing. On the contrary, this exposure will push Zoom to implement tighter security controls, more so than its competitors who have so far survived such scrutiny.

[1] https://www.theverge.com/2020/4/2/21204018/zoom-security-privacy-feature-freeze-200-million-daily-users

[2] https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf

[3] https://ia.acs.org.au/article/2020/zoom-releases-end-to-end-encryption-plan.html

[4] https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/

[5] https://mashable.com/article/zoom-encryption-update/

[6] https://blog.zoom.us/wordpress/2020/04/20/data-routing-control-is-here/

[7] https://support.zoom.us/hc/en-us/articles/203395207-What-is-Managed-Domain

[8] https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/

[9] https://www.theverge.com/2020/4/22/21230962/zoom-update-security-privacy-features-improvements-download

[10] https://zoom.us/docs/en-us/zoom-v5-admin.html

[11] https://nvd.nist.gov/vuln/detail/CVE-2019-13450

[12] https://arstechnica.com/information-technology/2019/07/silent-mac-update-nukes-dangerous-webserver-installed-by-zoom/