Zoom’s Security Crisis

The video conferencing service Zoom has seen a huge rise in popularity – especially during the current global pandemic. But this has led to an increased focus on the company’s security & privacy practices. Zoom claims that its service uses end-to-end encryption (which assures that only the two participants of a chat can read messages, and no one in between – not even the company that owns the service). But it turns out that Zoom meetings are not end-to-end encrypted, regardless of what the company has been advertising.

What you see isn’t what you get.

As reported recently by The Intercept, Zoom uses Transport Layer Security (TLS), the same encryption used by HTTPS when browsing the internet. Zoom responded to the report saying that its use of the phrase “end-to-end” in its white paper referred only to the connection being encrypted between Zoom endpoints. This means that other people can’t access the data shared during Zoom video calls, but the company itself still can.

Issues keep mounting.

Zoombombing: Trolls use Zoom’s screen-sharing feature to blast other meeting participants with unwelcome images or videos – yes, even porn. Zoom’s policy states that “The host does not need to grant screen share access for another participant to share their screen” – meeting hosts, beware! To combat this, meeting hosts should disable this feature in their settings or the Admin controls of a call.

Stealing Windows Credentials: For Windows users, the widely used software has a vulnerability that allows attackers to steal your operating system credentials. With thousands of people working from home and connecting to sensitive work networks through temporary or improvised means, employees may not have the benefit of enterprise-grade firewalls, creating a dangerous work environment.

Exposed Meeting Recordings: Recordings of Zoom meetings are saved in “an identical way” and many have been posted onto unprotected Amazon Web Services buckets, making it possible to find them easily through an online search. Thousands of recordings have been exposed on the web and even uploaded to YouTube. The Washington Post said it was able to view recordings of therapy sessions, orientations, business meetings, elementary school classes, and more.

Routing Calls to China: According to researchers at the Citizen Lab, some Zoom video calls that were supposed to stay in North America or Europe for regulatory reasons were inadvertently routed to China. This happened because the company, while taking measures to increase its ability to handle demand, incorrectly used Chinese data centers, causing privacy concerns among Western companies.

Zoom Meeting IDs: An automated tool, developed by security researchers, was able to find around 100 Zoom meeting IDs in under an hour and information for nearly 2,400 Zoom meetings in just a single day of scans. The tool can also successfully determine a meeting’s link, date & time, meeting organizer, and meeting topic.

Zoom vs Privacy: Zoom may be facing a class-action lawsuit for passing on user data to third parties like Facebook without proper notification. A suit was recently filed in a California court and highlights that Zoom’s share price has soared due to the coronavirus pandemic forcing people to increasingly work from home. The suit alleges that Zoom didn’t safeguard the personal information of the increasing millions of users of its app and video conferencing platform.

Other Major Problems: First, someone with low user privileges is able to inject malicious code into a Zoom installer, allowing them to obtain the highest level of user privileges, also known as “root.” Root-level privileges give access to parts of the macOS operating system that are typically off-limits to most users, making it easier to run malware or spyware without being noticed. Another flaw has come to light in how Zoom handles the camera and microphone on Mac devices. An attacker can trick your computer into giving it the same access to the camera and microphone that Zoom has. Once the attacker’s code runs, it inherits all of Zoom’s access rights.

Be on the lookout!

The barrage of criticism over the company’s security policies and privacy practices has been so pervasive that New York City has officially banned the use of Zoom in schools. City officials released a statement saying that “providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible”. We couldn’t agree more.

We recommend using Microsoft Teams

The recent upsurge in remote working caused by the COVID-19 outbreak has created a massive need for video communications tools. They are extremely useful to keep teams together and to promote collaboration and productivity.

More importantly, they also allow us to connect with colleagues (and family) during the difficult period of social distancing. With desired features like multiple video feeds and one-click easy access to meetings, online meetings quickly became the new hot thing for people and businesses. However, as we are learning right now, the ease of access and video functionality came at a price. It has now become apparent that Zoom sacrificed key security features in the name of usability.

Second behind Zoom in popularity and adoption during the COVID-19 induced telework crisis is Microsoft Teams. Over the last week Microsoft Teams has seen its usage rocketing to over 44 million daily active users, an approximate usage increase of 775%.

Microsoft Teams is a unified communication and collaboration platform that combines persistent workplace chat, video meetings, file storage, and application integration. The service integrates with your Office 365 productivity suite and features extensions that can integrate with non-Microsoft products.

We have always been big fans of Microsoft Teams. In fact we fully migrated to the platform and it has fundamentally changed how our staff communicates and collaborates, even with third-party vendors! Throughout the last year we have also migrated many of our clients to Microsoft Teams and the consensus is that the communication and collaboration platform has become a must-have business tool for all organizations.

Although Teams video calls do not have some of the most coveted features of Zoom, we now know that this was deliberate because of the strict security built into Teams. With that said, we are happy to report that some features, such as multiple video feeds (4+) as well as “Breakout Meetings” and “Hand Raise”, are on Microsoft’s expedited roadmap and we are hoping to see them by the end of April 2020.

Needless to say, we strongly recommend Microsoft Teams for your organization, especially during the COVID-19 remote working crisis.