A Take on Zoom's Security and Privacy Problems: Lockdown Edition

Owing to COVID-19 lockdowns in most parts of the world, organizations are shifting towards a work-from-home culture, and choosing the right video conferencing platform for meetings is the most critical part of working from home. Founded in 2011, Zoom became a popular option during the lockdown period thanks to its feature set and ease of use. This popularity attracted the attention of security researchers around the world, who began looking into the security and privacy problems of this particular video conferencing platform.

The Ministry of Home Affairs (MHA) also released an advisory on 16 April stating that the Zoom video conferencing platform is not a secure one. The advisory also noted that the platform is not for use by government officers/officials for official purposes.

Details of preventive measures to be taken by individuals were released in a document attached to the advisory. The highlights are:

  1. Setting a new user ID and password for each meeting
  2. Enabling the Waiting Room, so that every user can enter only when the host conducting the meeting admits them
  3. Disabling "join before host"
  4. Allowing screen sharing by the host only
  5. Disabling "Allow removed participants to re-join"
  6. Restricting or disabling the file transfer option (if not required)
  7. Locking the meeting once all attendees have joined
  8. Restricting the recording feature
  9. Ending the meeting (not just leaving it) if you are the administrator

The question is, does Zoom warrant all of the bashing it has received so far?

| Issue | Comment/Response | Status |
|---|---|---|
| End-to-end encryption | The misleading claim about the "end-to-end encryption" of Zoom meetings was rectified by Zoom. Zoom admitted that calls are only "encrypted", not "end-to-end encrypted", and updated its website to reflect this. | |
| Data going through China | Accepted as a tech glitch: an increase in load on a server led to load being distributed to other data centers. | Fixed |
| UNC path | A malicious party could use UNC links to leak a user's hashed password. | Fixed |
| Zoom bombing via unprotected meeting links | Passwords are now enabled by default, and the waiting room provision has been added. | Fixed |
| Installation during pre-install check | The application could be installed during the pre-install check phase, without the user actually clicking the "Install" button. | Fixed |
| Zoom app for iOS sending information about users to Facebook, even for users without a Facebook account | Zoom told Motherboard that sending analytics data to Facebook was an error, claiming that it was Facebook's fault. | Fixed |
| Attention tracking: the Zoom app notified the host if a participant's focus shifted to another window for more than 30 s | Zoom permanently removed the attention-tracking functionality. | Fixed |
| Harvesting of participant information via LinkedIn | Zoom permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature. | Fixed |
| Use of vulnerable Mac frameworks leading to zero-day local exploits | Zoom fixed these issues and released a new version of the client on 1 April 2020. | Fixed |
| Allegedly, a 0-day RCE is available on a darknet forum for $500,000 | This is true of any other popular software, including Windows/macOS. If your threat model includes adversaries with deep pockets, then Zoom is probably not for you. | |
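The UNC path row above is the one entry whose mechanism is a client-side rendering choice: a chat client that turns `\\host\share` paths into clickable links lets a click trigger an SMB connection that can disclose the user's password hash, and the fix is simply to stop linkifying such paths. The following Python is an added example, not Zoom's code: a chat linkifier that makes only http(s) URLs clickable and renders UNC paths and `file:` URLs as visible but inert text. The host names in the sample message are constructed placeholders.

```python
import html
import re

# Added example (not Zoom's code). Models the defensive behaviour of a chat
# client: http(s) URLs become links, but Windows UNC paths (\\host\share or
# //host/share) and file: URLs never do, because opening them makes Windows
# start an SMB connection that can leak the user's hashed credentials.
TOKEN_RE = re.compile(
    r'(?P<http>https?://[^\s<>"]+)'                       # allowed: web links
    r'|(?P<file>file:[\\/]{2}[^\s<>"]+)'                  # blocked: file: URLs
    r'|(?P<unc>(?<![\w:/\\])(?:\\\\|//)[^\s\\/<>"]+(?:[\\/][^\s<>"]*)?)'  # blocked: UNC
)


def tokenize(text):
    """Split a chat message into ('text'|'http'|'file'|'unc', value) tokens."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if m.start() > pos:
            tokens.append(("text", text[pos:m.start()]))
        tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    if pos < len(text):
        tokens.append(("text", text[pos:]))
    return tokens


def risky_refs(text):
    """Return the UNC paths and file: URLs found in a message, for logging/alerting."""
    return [value for kind, value in tokenize(text) if kind in ("unc", "file")]


def safe_linkify(text):
    """Render a message to HTML: http(s) become <a> links; UNC/file refs stay inert."""
    out = []
    for kind, value in tokenize(text):
        esc = html.escape(value, quote=True)
        if kind == "http":
            out.append(f'<a href="{esc}" rel="noopener noreferrer">{esc}</a>')
        elif kind in ("unc", "file"):
            # Still visible to the user, but not clickable.
            out.append(f'<span class="blocked-link">{esc}</span>')
        else:
            out.append(esc)
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample message; both host names are placeholders.
    msg = r'Slides: https://example.com/deck.pdf also \\fileserver.example\share\deck.pdf'
    print(risky_refs(msg))
    print(safe_linkify(msg))
```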

Not all meetings involve trade secrets or confidential discussion; at times, what matters most is that others can easily join the meeting (ease of use). Zoom has clarified that meetings are not end-to-end encrypted but are "encrypted", so that they cannot be accessed by any third party other than Zoom itself. The company has demonstrated commitment to end-user privacy and security by patching bugs as soon as they are discovered, and has assembled a team of external security researchers to examine its software for weaknesses.
