Zoom’s Cyber Security Issues: Lessons to Take Away

Due to the unprecedented spread of the novel coronavirus across the globe, many organisations were forced to adopt remote working and virtual conferencing solutions to stop their activities from grinding to a complete halt. The most widely known of these tools, due to its most recent media coverage, is Zoom. 

At the time of publishing this article, Zoom has gone on to address many of its security issues in its latest update (5.0). Regardless, Zoom, its recent meteoric rise, and its security issues raise an important lesson. Companies must always take time to do proper due diligence before allowing staff to download and use unvetted software. Popularity and ease of use be damned. Attacks have become too frequent and too costly in the last five years for businesses of any size to be lax about software choice.

You are not likely to be a cybersecurity expert or to have one readily available, but hopefully this evaluation of Zoom’s security practices will inspire you to look at your own software selection process and view it more critically.

Trends of video conferencing app searches during the coronavirus crisis. Source: Google Trends

Zoom has seen unexpected growth in its number of users, having been adopted by almost everyone as the go-to option for business meetings and (potentially sensitive) conversations. This is in part due to its price tag (free) and some features that make it fun and easy to use. With this massive surge in popularity, especially within the enterprise space, a light has also been shed on Zoom’s security and privacy practices.

You might be wondering whether Zoom is secure enough to meet your organisation’s privacy requirements. The answer is not simple; the best we can do is evaluate Zoom against several indicative events and draw our own conclusions from each.

Zoom's Triage and Escalation Process

For those not so well versed in cybersecurity terms, triage and escalation is the process that follows a bug report: the bug is reproduced, its severity is assessed, and a decision is made on who fixes it and how quickly.

Back in July 2019, a security researcher disclosed in his blog post a vulnerability in Zoom which potentially allowed webcams to be turned on without Mac users being aware. Furthermore, the vulnerability continued to affect Mac users even after the Zoom software was uninstalled. This is quite concerning, especially if your remote workspace is in your bedroom and you are the type not to turn your computer off every evening.

Looking at the timeline of remediation, we can see that the overall reaction was not swift enough, potentially leaving all Mac users vulnerable for about 90 days after the vulnerability was acknowledged. After the public disclosure from the security researcher, Zoom issued an announcement about the misunderstanding on their side regarding the 90-day disclosure deadline, stating that they were learning from the experience and working on improving their bug bounty program and their escalation process. They also outlined the actions taken to tackle the security issue.

We think that Zoom’s escalation process still needs to mature a lot, judging by how they handled their first potentially critical vulnerability less than a year ago. When evaluating products for your organisation, be sure to search thoroughly for, or ask a representative for, information about the vendor’s triage and escalation process. In the simplest terms, what you want to know is the time between the vendor being notified of a vulnerability and a fix reaching customers.

There is a myriad of tools that software development teams have been using to facilitate collaboration. For example, Git-based solutions have revolutionised version control and compartmentalised development, JIRA and Trello have streamlined project management in Agile methods, and CI/CD platforms have turned releases from a once-a-sprint occurrence into a nearly daily routine.

While tools are coming into the foreground to help specialised teams keep working despite being geographically dispersed, one important part of software development is lagging behind in innovation: quality assurance, and security testing in particular.

Misleading Claims of End-to-End (E2E) Encryption

Regardless of the numerous concerns about Zoom’s privacy policy and some of its intrusive data collection practices, we were surprised by the fact that they were claiming to provide end-to-end (E2E) encryption as an in-meeting security capability. However, when contacted to confirm that end-to-end (E2E) encryption was actually implemented, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection,” as reported in The Intercept’s article. To be clear, this is a form of encryption, the same transport encryption that Google Meet uses, and it protects traffic from eavesdroppers on the network. What it does not do is keep the content away from Zoom’s own servers, which is precisely what “end-to-end” means. The issue is therefore mainly the misleading claim.
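The difference the spokesperson’s statement describes is easy to state and easy to blur, so here it is as an added, runnable example (our illustration, not Zoom’s code or anything from The Intercept). The `MeetingServer` relay, the client names and the keys are assumptions for the demo, and the cipher is a toy HMAC-SHA256 keystream XOR standing in for AES/TLS so that the script runs with the standard library alone. In both scenarios the network only ever sees ciphertext; what changes is whether the relay in the middle holds a key that opens the media.

```python
"""Transport encryption vs. end-to-end encryption, side by side.

Added illustration, not code from Zoom.  The cipher is a toy keyed XOR
(HMAC-SHA256 in counter mode) so the script needs no third-party library;
it must never be used for real traffic.  The point is who holds the keys.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream from (key, nonce) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt by XOR with the keystream.  Never reuse a nonce under one key."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def unseal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Decrypt; XOR is its own inverse."""
    return seal(key, nonce, data)


class MeetingServer:
    """Media relay that, like a TLS terminator, holds every client's transport key (assumed design)."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}
        self.observed: list[bytes] = []  # whatever the operator could record or hand over

    def register(self, client_id: str) -> bytes:
        # Stands in for the per-client key "negotiated over a TLS connection".
        key = secrets.token_bytes(32)
        self.keys[client_id] = key
        return key

    def relay(self, src: str, dst: str, nonce: bytes, packet: bytes) -> tuple[bytes, bytes]:
        """Strip the sender's transport layer, record the payload, re-wrap it for the recipient."""
        payload = unseal(self.keys[src], nonce, packet)
        self.observed.append(payload)
        out_nonce = secrets.token_bytes(12)
        return out_nonce, seal(self.keys[dst], out_nonce, payload)


def transport_only_call(message: bytes) -> tuple[bytes, bytes]:
    """Alice -> server -> Bob, transport encryption only.  Returns (what Bob got, what the server saw)."""
    server = MeetingServer()
    k_alice, k_bob = server.register("alice"), server.register("bob")
    nonce = secrets.token_bytes(12)
    hop_nonce, packet = server.relay("alice", "bob", nonce, seal(k_alice, nonce, message))
    return unseal(k_bob, hop_nonce, packet), server.observed[-1]


def e2e_call(message: bytes) -> tuple[bytes, bytes]:
    """Same relay, plus an inner layer under a key the server is never given."""
    server = MeetingServer()
    k_alice, k_bob = server.register("alice"), server.register("bob")
    # ASSUMPTION: k_ab was agreed directly between the two clients (an authenticated
    # key exchange in a real design); the relay is not a party to it.
    k_ab = secrets.token_bytes(32)
    inner_nonce = secrets.token_bytes(12)  # would travel alongside the packet in practice
    inner = seal(k_ab, inner_nonce, message)
    nonce = secrets.token_bytes(12)
    hop_nonce, packet = server.relay("alice", "bob", nonce, seal(k_alice, nonce, inner))
    bob_got = unseal(k_ab, inner_nonce, unseal(k_bob, hop_nonce, packet))
    return bob_got, server.observed[-1]


if __name__ == "__main__":
    sample = b"constructed sample: board minutes, confidential"  # constructed input
    for name, call in (("transport-only", transport_only_call), ("end-to-end", e2e_call)):
        bob, server_view = call(sample)
        print(f"{name:14s} Bob decrypts ok: {bob == sample}; server can read it: {server_view == sample}")
```

In the transport-only run the relay necessarily sees the plaintext, which is why recordings, operator access and legal requests for content are all possible under that design. In the end-to-end run the relay sees only the inner ciphertext, and the green padlock claim would actually be true. One caveat that matters in practice: an end-to-end design is only as good as the key exchange behind `k_ab`; if the server distributes those keys, or the exchange is not authenticated between the participants, the relay can simply sit in the middle and the layering buys nothing.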

We do not believe that this inconsistency is due to a marketing mistake. The feature was detailed in their whitepaper and relevant UI elements were implemented for it, such as the green padlock that clearly mentioned, “Zoom is using an end to end encrypted connection” when hovered over.

Another concern is the lack of transparency reports from Zoom. Since Zoom’s servers can decrypt meeting traffic, we can never be sure if and when Zoom is required by legal requests from law enforcement agencies to hand over recordings of private meetings. These are serious factors to consider when deciding whether to allow employees to use this software on company devices.

Zoom's Data Routing Concerns

Zoom has been found to be sending data to Facebook, even if you did not log in with a Facebook account. Facebook has itself recently been in the news for its handling of user data, for which it was fined roughly $5 billion by the FTC.

Zoom also caught some flak for routing some call traffic through China, which is a serious problem given how heavily the internet is monitored by the Chinese government. Most tech companies operating in China strictly separate their Chinese and international traffic, as many users do not trust the Chinese government, which is often criticised for its lack of respect for intellectual property rights as well as for human rights violations.

Preventing Zoombombing

Zoombombing, the act of entering meetings uninvited to leave comments or share media using the screen-share feature, is more a matter of user settings misconfiguration than a vulnerability. While it is undoubtedly annoying and does represent a potential security risk, these issues can be solved by an attentive user or meeting host.

Several methods could mit