How Safe is Zoom?
Photo by Chris Montgomery
With many of us working from home since COVID-19, the use of video conferencing has surged. One particular platform, Zoom, has seen a notable rise in popularity. But it's also received media attention for its privacy and security concerns. So just how safe is Zoom?
Historically, Zoom has had a number of security and privacy issues - which we'll come to. However, moving forward, the company does appear to be taking things a bit more seriously. At the end of this article check out our list of 10 Tips to Increase Zoom Security.
Brief History of Zoom
Zoom - originally called Saasbee - was founded in 2011 by Eric Yuan, previously a Cisco Webex engineer and executive. The company initially struggled to gain investment because people thought the video conferencing market was saturated - but managed to raise an initial $3 million in seed money. In 2012 the company changed its name to Zoom Video Communications, Inc. (Zoom) and rolled out its first beta version - which could host up to 15 participants - and had 400,000 users by the end of its first month. Zoom's first customer was Stanford University.
Zoom became a public company in April 2019 with an initial share of $36 per share. In January 2020 its stock price was $70 per share which rose to $150 in March 2020.
It's important (and frustrating) to note that Zoom reports its user numbers in terms of "number of participants" - i.e. a single user may "participate" in multiple calls in a day. Yeah... we'll get to that later.
Whereas Teams and Skype report their user numbers as "the maximum daily users performing an intentional action in a 24-hour period across the desktop client, mobile client, and web client". A more accurate way to measure user numbers. So basically, the figures below are comparing participants to users:
According to a Zoom blog post, as of April 2020, Zoom had 300 million daily meeting participants - up from 10 million daily participants in December 2019 and 200 million in March 2020.
Security and Privacy Concerns
Zoom does have something of a history (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11) when to comes to security and privacy concerns in the media. There's a long list over at tom's guide. But here are some of the key ones:
2019 zero-day exploit
Zoom's first major security flaw was discovered by security researcher Jonathan Leitschuh, and reported to Zoom on the 26th May 2019. The vulnerability, on Zoom's Mac software, allowed attackers to control the webcam after tricking the user into clicking a malicious link.
Leitschuh gave Zoom 90 days to fix the bug before going public - standard practice in software bug public disclosure. However, Zoom's bug was still present after 90 days. Zoom insisted this was a "low risk" issue - but eventually released an emergency patch on the 9th July 2019. This also prompted Zoom apologise:
Earlier this week, a security researcher published a blog highlighting concerns with aspects of the Zoom platform. In engaging this researcher over the past 90 days, we misjudged the situation and did not respond quickly enough — and that’s on us. We take full ownership and we’ve learned a great deal. What I can tell you is that we take user security incredibly seriously and we are wholeheartedly committed to doing right by our users.
The bug was a result of Zoom's Mac client silently installing and running a local web server. Even if you uninstalled Zoom, the web server remained and continued to run. This web server left Mac users vulnerable to denial of service (DoS) attacks. The only way to fix the vulnerability was to undertake a complex and elaborate uninstall process.
Zoom's logic behind this web server setup was to make Mac user's life a bit more convenient. It meant users didn't have to manually approve a Zoom call every time they clicked a link. However, it also made attackers' lives easier by being able to trick Mac users into joining a Zoom meeting and openly sharing their webcam.
Interestingly, Leitschuh turned down a financial reward from Zoom's bug bounty due to their non-disclosure agreement. He also advised other security researchers to report Zoom vulnerabilities via the Zero Day Initiative, rather than Zoom's own bug bounty program, due to how they responded.
Let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me. Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher - Jonathan Leitschuh
Misleading end-to-end encryption claim:
In April 2020, Zoom claimed its meetings use "end-to-end" encryption (E2EE). These claims were made on Zooms website and in a white paper.
In end-to-end encryption, only the users can see messages. The connection between endpoints (i.e. user devices such as mobile, laptop, tablet, etc) is encrypted. However, Zoom's definition of E2EE includes servers as endpoints. So this means the secure connection is only between a Zoom client and server. Meaning Zoom can see whatever is going on inside meetings.
Zoom released a blog post on 1st April 2020, entitled "The Facts Around Zoom and Encryption for Meetings/Webinars", to clarify:
We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption... While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.
The blog continues by stating that Zoom holds the encryption keys - but that it doesn't decrypt users' data. Zoom is set to release true end-to-end encryption for premium users soon, after it acquired Keybase.
Misleading encryption claim
Another misleading encryption feature: Zoom claimed to use AES-256 encryption. However, in April 2020, researchers at the Citizen Lab reported that Zoom actually uses the somewhat weaker AES-128 algorithm. Not only that, but it's a custom-built implementation of the encryption algorithm that preserves patterns from the original file.
Zoom reported that it would be upgrading its encryption algorithm by the 30th May 2020.
Windows password stealing
In March 2020, TWitter user @_g0dmode reported that Windows users were vulnerable to Universal Naming Convention (UNC) path injection in Zoom's chat feature.
UNC is the naming system used by Windows for accessing shared network folders and printers on a local network. The problem is that Zoom didn't distinguish between web URLs (like http://www.website.com) and UNC paths (like \\www.website.com\malawre\virus.exe).
A malicious Zoom user only had to slip a UNC path into the chat for a server they own. A Windows user that clicked on the link from the Zoom chat would then attempt to authenticate with that server using the user's Windows username and password. The malicious user could then capture the password's hash and decrypt it.
This same UNC path injection vulnerability also allowed a malicious user to inject a path to a remote executable file. If a Zoom user running Windows clicks this link it would prompt them to install the software. Although the user still needs to authorise the installation, it's still very concerning a software installation prompt can be produced so easily.
According to a Zoom blog post this vulnerability was fixed on the 1st April.
MacOS misleading package install
Malware researcher Felix Seele noticed that Zoom's MacOS installer works around Apple's security to install itself:
Ever wondered how the @zoom_us macOS installer does it’s job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).
Firstly, the Zoom installer installs itself as part of a pre-requirements script. But this script tells the user it will "determine if the software can be installed". However, the Zoom installer then completes the entire installation as part of this pre-requirements script.
If the user is an admin then the pre-requirements script installs itself to the default /Applications directory. If the application is already installed, it produces a password prompt. The Zoom installer overrides the message saying that Zoom needs your password to update the existing application to "System need your privilege to change" (sic). Therefore giving the impression that the OS is requesting the permission and not Zoom. Quite misleading.
What's wrong with this? Well, the installation package is basically social engineering the user. It's installing itself before the user consents to installation. And it's also pretending that privilege escalation is coming from the OS, when it's actually Zoom making the request. These are techniques used previously by MacOS malware samples.
Zoom recordings easy to find online:
In April 2020, Cnet reported that Zoom video recordings, saved on Zoom's cloud servers, can be easily discovered. Due to Zoom's predictable URL structure it makes finding other users' video recordings relatively non-trivial. A similar issues, reported in The Washington Post, described how predictable file names can also be used to discover Zoom recordings.
Leaked Zoom user credentials
There have been various cases (Yahoo news, Insights, Bleeping Computer) of leaked Zoom credentials being posted online. These compromised accounts don't appear to have come directly from Zoom. It's likely the result of "credential stuffing", whereby criminals try to login to large numbers of account (mostly automated) using likely email addresses and password. Also, a similar technique can use credentials from previous breaches to determine if the same username and password combinations work on other sites.
Now, whilst this isn't exactly Zoom's fault, perhaps Zoom could be more proactive and alert users if their credentials have been compromised and appeared online or if an account login looks unusual.
So this is probably Zoom's most infamous feature. It's when someone, that's not been invited, joins a Zoom meeting. They can then share inappropriate images, videos, make irritating noises, etc.
Zoom-bombing has become so widespread that the FBI issued a warning about the threat and offered advice on how to protect against it. Check out our 10 Tips to Increase Zoom Security to keep yourself safe.
Misleading user number report
In april 2020, Zoom reported that it had "more than 300 million daily users" but then edited their statement to say "300 million daily 'participants'":
"We are humbled and proud to help over 300 million daily meeting participants stay connected during this pandemic. In a blog post on April 22, we unintentionally referred to these participants as "users" and "people." When we realized this error, we adjusted the wording to "participants." This was a genuine oversight on our part." - Zoom blog.
As of writing this, Zoom haven't yet revealed how many users they have now.
There have been a number of issues with Zoom using Chinese servers when they didn't really need to. In April 2020, Citizen Labs discovered that several Zoom servers in China were issuing encryption keys. Not the biggest problem in the world?
Zoom servers can decrypt Zoom meetings. Chinese authorities can force server operators to hand over data. So if you're privacy conscious - or perhaps a Government that wants to keep communications private - Zoom might not be the best option. Oh yeah, didn't the British Government defend using Zoom after the prime minister tweeted a picture in which a meeting ID was visible? Zoom has since removed meeting IDs from screens.
Citizen Labs also reported that many Zoom meetings, whereby all participants were in America, were being routed via Zoom's servers in China. Again, since Zoom handles the encryption keys, authorities in China can, if they choose to, see decrypted meetings. Another knock for privacy there Zoom. Zoom has since released a feature for paid users where they can choose which region of the world data is routed through.
So, has Zoom learnt from its past? As a result of its privacy and security issues that have been raised in the media, has the company changed their approach?
On the 1st April 2020, Zoom apologised to its users in a blog post and admitted that they have "fallen short of the community’s – and [their] own – privacy and security expectations."
They state their "platform was built primarily for enterprise customers – large institutions with full IT support" and that they "now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived".
The blog post sets out a 90 day plan to fix their issues. This includes a "focus on our biggest trust, safety, and privacy issues" and "conducting a comprehensive review with
third-party experts and representative users to understand and ensure
the security of all of our new consumer use cases". As part of this 90-day plan Zoom is also "enhancing" its bug bounty program.
In April 2020, Mozilla reviewed the privacy and security of various video conferencing apps. They gave Zoom an overall security rating of 5/5 - beating FaceTime's score of 4.5/5. Mozilla do clearly state in their review that they not only use Zoom but they've "worked closely with the company to get its privacy and security features right for us".
With so many security and privacy issues arising in the media it would be impossible for Zoom not to take some sort of action. And their 90-day plan does indeed demonstrate action. But whether Zoom takes enough action to thoroughly improve security and privacy for their users - or continue to rely on the security community to publicly disclose these issues - only time will tell.
10 Tips to Increase Zoom Security
Follow these tips to keep your Zoom meetings more secure - and reduce the chances of a Zoom-bomb participant disrupting the call. Zoom also produced a "best practices" guide for securing Zoom meetings.
1: Password protect meetings
Passwords add a layer of security to your Zoom meetings. Passwords can be set at the user, group, or account level. Account owners can also enable passwords by default for all future meetings and webinars on their account (see Zoom's support guide on meeting and webinar passwords).
2: Disable "join before host"
Make sure nobody else joins the call before you, the host. This should prevent issues with zoom-bombing and anyone that tries to abuse the call (see Zoom's support article on enabling/disabling join before host).
3: Lock down your meeting
Once all your participants have joined and the meeting is ready to start, lock your call. Simply press the Security button then select Lock Meeting (see: in-meeting security options).
4: Use randomly generated IDs - and never share your meeting ID publicly
Avoid using your personal meeting ID if possible - and definitely don't share it publicly as this allows anyone to try to join your meetings. It allows attackers that know it to disrupt your sessions. Instead, use a randomly generated meeting ID for each event (see: what is a Meeting ID).
5: Use waiting rooms
This feature allows hosts to screen participants before they enter the meeting. Whilst it might seem overkill for regular meetings, it gives the host full control over who can join the meeting. This can prevent uninvited guests from disrupting your call (see waiting Room).
6: Disable chat if it's unhelpful
Although the in-meeting chat feature can be useful in some meetings, if it's getting annoying, just disable it (see controlling and disabling in-meeting chat).
7: Regularly install updates
This goes for all software, not just Zoom. New vulnerabilities are discovered regularly - and attackers are quick to exploit them. By keeping your software up-to-date you're keeping yourself safe and protected against the latest known vulnerabilities. On default settings, your OS should automatically check and notify you when updates are available (see updating Zoom).
8: Disable participant screen sharing
To prevent any participants from sharing potentially inappropriate content, disable all participants from screen sharing. This can be accessed from the Security button then make sure Share Screen is un-ticked (see: in-meeting security options).
9: Authenticate users
Zoom has a feature to only allow users that are logged in to join your meeting. You can also take this one step further and require participants to register before they can join (see meeting registrations).
10: Remove nuisance participants
If, despite taking all the above steps, you still have an annoying participants that's disrupting the call, you can remove them. There's also a feature to enable/disable removed participants from re-joining the call (see Allowing Removed Participants or Panelists to Rejoin).
Alternative Communication Apps
There are a number of alternative apps to Zoom. Some apps have a more solid history when it comes to privacy and security. Not all of these apps offer video conferencing (such as Slack and Telegram) but can provide additional / alternative ways for groups to communicate.
Founded in 2003, and bought by Microsoft in 2011, Skype is one of the original video conferencing apps. It supports multiple operating systems, it's easy to use, and is free for one-on-one of group calls. Skype is limited to 50 participants per call, which might not work for larger organisations.
Launched in 2017, Teams is Micosoft's all-in-one communication and collaboration platform. It integrates with the Office 360 suite for ease of use. Teams allows up to 250 participants in a video call or up to 10,000 viewers on its presentation mode.
Released in 2010, FaceTime is Apple's solution to video and conference calling. It's free and comes built-in as standard on all macOS and iOS devices - so it doesn't require downloading. Apple's a strong advocate for privacy and security and boasts strong encryption practices - so the company can't snoop on you.
However, FaceTime is only available to users on Apple devices. It's limited to 32 participants per call and doesn't allow joining via link.
Initially released in 2013, Slack is a business communication platform that focuses primarily on chat-style communications (similar to traditional IRC). The app doesn't offer video or conference calls, but it's a great way for teams to communicate asynchronously (and research suggests that asynchronous communication can be good for productivity and decision making).
Slack integrates with a range of third-party services such as Dropbox, Google Drive, GitHub, etc. Slack also has a feature-rich API that's been noted for its compatibility with other apps and frameworks.
Launched in 2014, Signal is a secure messaging app with a good reputation when it comes to encryption practices. All communications to other Signal users are end-to-end encrypted and the keys are generated and stored at the end points (i.e. on the users' phone - not the server).
It's a free and open-source app - so it's code can be viewed by anyone and it's regularly scrutinised by security experts. Unfortunately Signal doesn't offer group video calls but it does offer secure one-to-one messaging and video calling.
Founded in 2008, Starleaf offers secure video conferencing and collaboration tools. They take security pretty seriously - they're ISO/IEC 27001 certified (a highly regarded international information security and compliance standard). They also have strong privacy principals that allow customers to choose where their data is stored. Starleaf target their services to larger organisations (with 500+ employees).
Released in 2013, Hangouts is Google's solution to a communications suite. Originally a feature of Google+ (which shut down in 2019), Hangouts seamlessly integrates into Gmail and other Google services. Hangouts allows up to 150 participants in a chat or 25 participants in a video call. It's a free solution, but it does mean giving Google access to yet more data.
Founded in 2009, BlueJeans offers a secure video conferencing solution for the digital workplace. All videos are encrypted by default and participants can join via a web browser without requiring an account or downloading any software.
BlueJeans don't offer a free version but starts at $9.99 per month to host up to 50 participants.
Founded in 2003 by a French student, Jitsi Meet is a secure video conferencing service that makes a good Zoom alternative. Jitsi Meet is part of the Jitsi collection of free and open-source multiplatform communication solutions - so its code is publicly visible and gets scrutinised by security experts. Jitsi Meet is a web-based application, so participants don't need to downland and extra software. One-to-one calls are encrypted with end-to-end encryption.
And now for something a little bit different - compared to the other apps we've looked at. Released in 2016, Houseparty is a social networking service that offers video chatting. It's a fun video-conferencing app that features various games, trivia, and drawing challenges within the app.
Okay, so like a few of the other apps, this one can't actually do conference video calls. Launched in 2013, Telegram is a cloud-based messaging and VoIP app. Telegram has one of the smoothest integrations across multiple operating systems and clients (in my personal opinion). The client-side code is open-source - although the server-side code is closed-source.
Telegram provides both client-server encryption as well as end-to-end encryption on calls and "secret chats" (with the exception of desktop clients other than macOS). As of April 2020, Telegram has over 400 million monthly users. Making it the 5th most popular mobile messaging app (after WhatsApp, Facebook Messenger, WeChat, and QQMobile).
Since launching in 2011, Zoom has come a long way. Initially aimed at larger organisations with IT departments, Zoom has been adopted by many of us working at home since COVID-19, looking for a way to keep communities connected. Zoom claims it wasn't built for this broader set of users which may be why there have been so many problems.
As we've seen, numerous security and privacy issues have been raised by concerned Zoom users and security researchers. Zoom does usually respond to these concerns and (eventually) patches the bugs. With it's 90-day plan, we'll see if Zoom can improve its security stance from here.
We've shown you 10 ways to improve Zoom's security and reduce the risk of zoom-bombing. Zoom isn't the only video conferencing solution out there, as we've seen. The alternatives - some of which offer significantly increased and more robust security than Zoom - may be better suited, depending on your requirements.
So how safe is Zoom? Well, it depends. You're not going to get a super high level of security or privacy by using Zoom. But, for a lot of meetings, that's probably okay. So long as you're aware of the risks - and those risks may potentially mean making your device vulnerable to future attacks.
Ultimately, Zoom has allowed many of us to keep in touch more easily at a time when social interactions have been challenging. Allowing such moments as One Zoom to rule them all: Lord of the Rings cast reunites to share memories.