ZOOM Security Options
With the COVID-19 pandemic, users have been forced to hold many of their meetings online. Zoom was positioned in an ideal market for this growing need, but it had never anticipated such rapid growth in usage. As a result it missed many opportunities to secure and thoroughly test its products, and it is now under intense scrutiny, with several organizations restricting or banning its use. After reviewing the information available about the Zoom software, I believe it is safe to use, but it needs to be used with some caution. Many of the flaws found in the last month have already been addressed, and the company has pledged continued improvements and active security testing.
One of the most visible concerns is Zoom meeting bombing ("Zoombombing"). This is where uninvited guests join your meeting and display graphic images, or generally make a nuisance of themselves. The meeting host can remove them, but removal by itself does nothing to keep them, or the next guest using the same meeting ID, from coming back: lock the meeting once everyone has joined, or enable the waiting room so the host admits each attendee individually.
The largest contributing factor is users publicly posting Zoom meeting details on the internet, which is effectively an open invitation to everyone. Zoom meeting IDs are only 9 to 11 digits and carry no other secret, so a computer can try candidate IDs very rapidly and find live meetings, which makes an uninvited guest all but inevitable for an unprotected meeting. To address this, set a meeting password and give it to attendees directly. DO NOT POST THIS INFORMATION ONLINE: note that a one-click join link of the form zoom.us/j/<meeting id>?pwd=... carries the password inside the URL, so posting the link is the same as posting the password.
gathered. Some of these concerns have already been addressed, such as the iOS app sending device details to Facebook through the Facebook SDK, but more needs to be done. There are also concerns about Zoom's ties to China and the leverage the Chinese government could apply to gather information: Zoom is a US company, but much of its development staff is in China, and researchers found some meetings being routed through servers in China even when no participant was there. This is likely only a concern if you are working with government secrets. There are North American servers in place, and Zoom states that when all attendees are in North America, local servers are used and information stays within that region.
In an effort to sound more security conscious, Zoom advertised that its meetings had end-to-end encryption, and in a narrow sense this is true. The concern I have is that Zoom treats its own servers as an endpoint, so meeting data exists on its systems in decrypted form; to the security community "end-to-end" means that only the participants hold the keys, and by that definition Zoom does not offer it. Zoom claims it has no tools to look at the data. Additionally, Zoom chose to build its own encryption scheme rather than use a standard protocol: researchers found the client encrypting media with AES-128 in ECB mode, a mode that encrypts each 16-byte block independently, so identical blocks of audio or video produce identical ciphertext and patterns in the stream leak. This does not by itself mean the meetings are readable, but the general consensus among security professionals is to use open, published protocols (TLS for transport, an authenticated mode such as AES-GCM for data), because they have been vetted by a very large group of engineers and are unlikely to contain shortcuts. An important note: very few meeting products offer true end-to-end encryption, because it is difficult to implement with many participants; and wherever the provider's servers hold the keys, the servers' jurisdiction determines which governments can demand access, so moving servers outside the US does not remove that problem, it only changes who can ask.
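To show why the ECB finding matters in practice, the following is an added example (my own code, not Zoom's) that encrypts the same plaintext with AES-128 in ECB mode and with AES-GCM and counts how many ciphertext blocks repeat. The plaintext (eight identical blocks, standing in for a repeated media frame) and the key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample: eight identical 16-byte blocks, standing in for a media
// stream in which the same frame is sent repeatedly.
var samplePlaintext = bytes.Repeat([]byte("SAME-FRAME-BLOCK"), 8)

// ecbEncrypt runs the block cipher over each 16-byte block independently, which
// is all ECB mode is. Input must already be a multiple of the block size.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt uses AES-GCM (counter mode plus an authentication tag) with a
// fresh random nonce. Returns nonce || ciphertext || tag.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmBody strips the 12-byte standard GCM nonce prefix and the trailing 16-byte
// tag so the remaining bytes line up with the plaintext blocks for comparison.
func gcmBody(sealed []byte, plaintextLen int) []byte {
	return sealed[12 : 12+plaintextLen]
}

// countRepeatedBlocks returns how many 16-byte blocks are exact copies of an
// earlier block. Under ECB that count mirrors repetition in the plaintext;
// under GCM it stays at zero regardless of the plaintext.
func countRepeatedBlocks(ct []byte) int {
	seen := make(map[[16]byte]bool)
	repeats := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte (AES-128) key
	ecb, err := ecbEncrypt(key, samplePlaintext)
	if err != nil {
		panic(err)
	}
	gcm, err := gcmEncrypt(key, samplePlaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext blocks: %d\n", len(samplePlaintext)/16)
	fmt.Printf("ECB repeated ciphertext blocks: %d\n", countRepeatedBlocks(ecb))
	fmt.Printf("GCM repeated ciphertext blocks: %d\n", countRepeatedBlocks(gcmBody(gcm, len(samplePlaintext))))
}
```

With eight identical input blocks, ECB yields seven repeated ciphertext blocks, so an observer who never recovers the key still learns where the stream repeats; the GCM output shows no repeats and additionally carries a tag that detects tampering. The same structure, with a larger and more patterned input, is how the well-known "ECB penguin" image is produced.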
Zoom's use of the non-standard zoom.us domain, rather than a .com, is causing a lot of issues: it makes it easy for malicious actors to register lookalike domains from which they distribute malware bundled with the Zoom installer, or phish login credentials. Thousands of new domains containing the word "Zoom" have been registered in the last couple of weeks, indicating that many phishing campaigns will centre on this confusion. Additionally, the software itself is not hardened: its own DLLs can be unloaded and fake ones loaded in their place, meaning existing malware on a system could interface directly with Zoom without the user's knowledge. Users should always download from the original source, https://zoom.us, and run antivirus software to mitigate this risk.
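Both the "do not post meeting details" advice above and the lookalike-domain problem come down to what a Zoom join link reveals and whether it really points at Zoom. The following is an added example (my own code, not Zoom's) that checks a link's host against the genuine zoom.us domain with a label-boundary test, extracts the meeting ID from a /j/<id> path, and flags links that embed the password. The hostnames, meeting IDs and pwd values in the sample list are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// LinkReport summarises what a posted Zoom join link exposes.
type LinkReport struct {
	Host             string
	GenuineZoomHost  bool   // host is zoom.us or a subdomain of it
	MeetingID        string // digits from a /j/<id> path, if present
	PasswordEmbedded bool   // the pwd query parameter is present
}

// Zoom join links use the path /j/<meeting id>; meeting IDs are 9 to 11 digits.
var joinPath = regexp.MustCompile(`^/j/(\d{9,11})/?$`)

// isGenuineZoomHost accepts "zoom.us" or a label-bounded subdomain of it, so
// "us04web.zoom.us" passes while "zoom-us.com", "evilzoom.us" and
// "zoom.us.evil.example" are rejected. A trailing dot and upper case are normalised.
func isGenuineZoomHost(host string) bool {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	return h == "zoom.us" || strings.HasSuffix(h, ".zoom.us")
}

// AnalyzeZoomLink parses an absolute http(s) URL and reports the domain check,
// the meeting ID and whether the password travels inside the link. Relative
// text such as "zoom.us/j/..." is rejected rather than guessed at.
func AnalyzeZoomLink(raw string) (LinkReport, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return LinkReport{}, err
	}
	if (u.Scheme != "https" && u.Scheme != "http") || u.Hostname() == "" {
		return LinkReport{}, errors.New("not an absolute http(s) URL")
	}
	// Hostname() ignores userinfo, so "https://zoom.us@evil.example/" reports evil.example.
	r := LinkReport{Host: strings.ToLower(u.Hostname())}
	r.GenuineZoomHost = isGenuineZoomHost(r.Host)
	if m := joinPath.FindStringSubmatch(u.Path); m != nil {
		r.MeetingID = m[1]
	}
	r.PasswordEmbedded = u.Query().Get("pwd") != ""
	return r, nil
}

// Risk gives a one-word verdict suitable for a log line or a content filter.
func (r LinkReport) Risk() string {
	switch {
	case !r.GenuineZoomHost:
		return "LOOKALIKE-DOMAIN"
	case r.MeetingID != "" && r.PasswordEmbedded:
		return "ID-AND-PASSWORD-EXPOSED"
	case r.MeetingID != "":
		return "ID-EXPOSED"
	}
	return "OK"
}

// Constructed sample links; the IDs, hosts and pwd values are made up.
var sampleLinks = []string{
	"https://us04web.zoom.us/j/12345678901?pwd=c2VjcmV0",
	"https://zoom.us/j/123456789",
	"https://zoom-us.com/j/123456789?pwd=c2VjcmV0",
	"https://zoom.us.evil.example/download",
	"https://zoom.us/download",
}

func main() {
	for _, l := range sampleLinks {
		r, err := AnalyzeZoomLink(l)
		if err != nil {
			fmt.Printf("%-55s error: %v\n", l, err)
			continue
		}
		fmt.Printf("%-55s %s (host=%s id=%q)\n", l, r.Risk(), r.Host, r.MeetingID)
	}
}
```

Run over an organisation's outbound mail, public web pages or a social media feed, the ID-EXPOSED and ID-AND-PASSWORD-EXPOSED verdicts are the meetings that will attract uninvited guests, and LOOKALIKE-DOMAIN is the phishing or trojaned-installer case. The suffix test with the leading dot is the important detail: a plain "contains zoom" or "ends with zoom.us" check accepts evilzoom.us.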
There is also an information leakage issue: Zoom assumes that everyone with the same domain in their email address belongs to the same company and places them in a shared contact directory. Most large webmail providers are excluded from this, but not all, so it can expose the names and other details of strangers who happen to use the same email host. Within an organization this may not be a concern, but it is an issue for residential users, or anyone signing in with a personal email address.
Recently Zoom has fixed several really scary vulnerabilities, such as rendering UNC paths posted in chat (\\server\share) as clickable links. When a Windows client connects to a UNC path it automatically sends the user's NTLM authentication details, so an attacker who gets a user to click a link to a server they control can harvest the NTLM hash and crack or relay it against the user's Windows login. A related issue allowed remote code execution through a UNC path pointing at an executable. Both issues have been resolved, but only very recently (Windows client 4.6.9). Additionally, Zoom recently patched multiple macOS vulnerabilities which allowed other applications on the machine to gain root through Zoom's installer without correctly notifying the user.
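The UNC problem is a linkifier problem: the chat renderer turned anything path-shaped into a clickable target. The following is an added example (my own code, not Zoom's; I have not seen Zoom's renderer) showing a naive linkifier with that behaviour next to a hardened one that links only http(s) URLs, plus a small detector that lists UNC targets in a message so chat logs can be searched for lure attempts. The chat messages, hostnames and share paths are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// Constructed sample chat messages; the hosts and paths are made up.
var sampleMessages = []string{
	"agenda is at https://example.org/agenda",
	`slides: \\files.attacker.example\share\deck.pptx`,
	`mixed: https://example.org/x and \\10.0.0.5\c$\tools`,
}

var (
	httpURL = regexp.MustCompile(`https?://[^\s<>"]+`)
	// two leading backslashes, a host label, a backslash, then the share path
	uncPath = regexp.MustCompile(`\\\\[^\s\\]+\\[^\s<>"]+`)
)

// LinkifyNaive is the behaviour described above: anything that looks like a
// URL or a UNC path becomes a clickable link. A Windows client following the
// UNC link connects to the named host and offers the user's NTLM credentials.
func LinkifyNaive(msg string) string {
	out := httpURL.ReplaceAllString(msg, `<a href="$0">$0</a>`)
	return uncPath.ReplaceAllString(out, `<a href="$0">$0</a>`)
}

// LinkifyHardened escapes the message for HTML and linkifies only http(s)
// URLs; UNC paths stay inert text, so a click cannot start an SMB connection.
func LinkifyHardened(msg string) string {
	return httpURL.ReplaceAllString(html.EscapeString(msg), `<a href="$0">$0</a>`)
}

// FindUNCPaths is the detection side: run over chat logs it lists every UNC
// target a user could have been lured into clicking.
func FindUNCPaths(msg string) []string {
	return uncPath.FindAllString(msg, -1)
}

func main() {
	for _, m := range sampleMessages {
		fmt.Println("naive:    ", LinkifyNaive(m))
		fmt.Println("hardened: ", LinkifyHardened(m))
		fmt.Println("UNC hits: ", FindUNCPaths(m))
	}
}
```

The hardened version is an allow-list: rather than trying to enumerate every dangerous scheme or path shape (UNC, file://, and whatever else a client might hand to the shell), it links only what the chat is meant to carry. The same allow-list logic applies to any client that renders untrusted text as clickable content.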
I believe Zoom is a safe general-use meeting product that is still very immature. With meeting passwords in use and good phishing awareness among the user base, Zoom will be a good fit for most situations. If you are discussing business-confidential information or government secrets, I suggest other options.
Media release from the CEO: https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/