NOTE: iON’s April 20 Update to this blog entry follows the conclusion.
As organizations try to maintain operations with most of their employees working from home to minimize the spread of Covid-19, Zoom Video Communications has experienced an explosive increase in usage. By late February, the company had already added 2.2 million new users, surpassing their total number of new users for all of 2019, while their number of daily users has grown from 10 million in December to over 200 million in March.
Prior to the outbreak, iON already used Zoom extensively for both internal and external videoconferences, but we have recently encountered some strong criticism of Zoom based on security concerns, to the extent that people are reluctant to use it. Some of these concerns have been addressed because many of the platform’s major vulnerabilities have already been resolved. We also believe that several other concerns are misplaced because they can be easily mitigated by judiciously configuring Zoom’s options. However, some very legitimate and well-researched criticisms have recently been raised that must be factored into an organization’s decision whether to continue using Zoom.
First, let’s address the concerns about Zoom that we believe are either outdated or overblown:
Reported (and Remediated) Vulnerabilities
Zoom has already fixed a July 2019 vulnerability for Mac users in which the client silently installed an undocumented local web server. Any website the user visited could use that server to start a Zoom meeting with the camera on, and it could reinstall the client even after the user had uninstalled it. Zoom removed the web server in its July 2019 update, and Apple additionally pushed a silent macOS update that deleted it from machines that had not updated Zoom, so any client newer than July 2019 no longer carries it.
On March 26, Motherboard reported that the Facebook software development kit (SDK) in Zoom’s iOS app, included to support ‘Login with Facebook’, was sending device analytics to Facebook every time the app was opened, regardless of whether the user had a Facebook account or used that login method. ‘Login with Facebook’ is a common convenience feature found in many other apps, and Zoom responded within a day with an iOS update that removed the SDK; users who still want to sign in with Facebook are now sent through the browser rather than the in-app SDK.
Zoom’s chat module has been criticized because a participant who gets into a meeting can post malicious links. One report identified Windows credential theft through UNC paths as the biggest threat: the Windows client turned strings such as \\host\share\file into clickable links, and clicking one makes Windows open an SMB connection to the named host and offer the user’s NTLM challenge-response, which the attacker can then crack offline. The exposure is narrower than that report implied, but it is not confined to the local network: the attack works wherever the victim’s machine can reach the attacker’s host on TCP port 445, which most corporate perimeter firewalls and many consumer ISPs block but a default Windows installation does not. Organizations that want to close this path regardless of Zoom can block outbound SMB at the perimeter and apply the Windows policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”. Zoom’s April 2 update stopped rendering UNC paths as clickable links. Since ordinary links can still be sent via chat and phishing remains a risk, a meeting organizer who wants to eliminate this possibility entirely can disable the chat feature for the meeting ahead of time.
Put in perspective, other commonly used applications such as email clients and web browsers also let users click links and run programs, and they deliver such links every day. Proper end user awareness applies to all of these applications equally.
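To make the UNC issue concrete, here is an added illustration (written for this post, not Zoom’s code) of the difference between a chat linkifier that treats anything link-shaped as clickable and one that only renders http(s) URLs. The sample messages, the regular expression and the function names are all constructed for the example; the vulnerable version mimics the behaviour described in the reports, and audit_chat shows how the same check can be run over saved chat transcripts to find messages that would have triggered an SMB connection.

```python
import re
from urllib.parse import urlsplit

# Constructed chat messages for the demo (not captured Zoom traffic).
MESSAGES = [
    "slides here: https://example.com/deck.pdf",
    r"grab the file from \\10.0.0.5\share\agenda.docx",
    "mirror: //attacker.example/share/x",
    "file:///C:/Windows/win.ini",
]

TOKEN_RE = re.compile(r"\S+")


def is_unc_path(token: str) -> bool:
    r"""\\host\share or //host/share: both forms make Windows try SMB to 'host'."""
    return token.startswith("\\\\") or token.startswith("//")


def linkify_vulnerable(msg: str) -> list:
    """Mimics the reported pre-April-2 behaviour of the Windows client:
    anything with a scheme separator or a UNC prefix becomes a clickable target."""
    return [t for t in TOKEN_RE.findall(msg) if is_unc_path(t) or "://" in t]


def linkify_hardened(msg: str) -> list:
    """Only http and https URLs with a host become clickable; UNC paths,
    file: URLs and anything else stay as inert text."""
    links = []
    for t in TOKEN_RE.findall(msg):
        if is_unc_path(t):
            continue
        parts = urlsplit(t)
        if parts.scheme.lower() in ("http", "https") and parts.netloc:
            links.append(t)
    return links


def audit_chat(messages) -> list:
    """Detection side: messages that would have opened an SMB connection under
    the old behaviour, for reviewing saved chat transcripts after the fact."""
    return [m for m in messages if any(is_unc_path(t) for t in TOKEN_RE.findall(m))]


if __name__ == "__main__":
    for m in MESSAGES:
        print(repr(m))
        print("  vulnerable client would link:", linkify_vulnerable(m))
        print("  hardened client would link:  ", linkify_hardened(m))
    print("messages needing review:", audit_chat(MESSAGES))
```

Note that the hardened version keys on the parsed scheme and host rather than on a blocklist of bad prefixes, so a new UNC spelling or a file: URL is simply never linkified.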
Unauthorized Meeting Attendees (Zoom “Bombing”)
Zoom “bombings”, in which infiltrators gain entry to Zoom meetings and cause disruptions, have become more frequent with Zoom’s explosion in usage. Fortune’s recent article on the topic attributes the increase in attacks not to flaws in Zoom’s code but to “users’ overall cybersecurity hygiene and their imperfect command of Zoom’s privacy settings.” In many of the reported instances, the organizer had left the meeting open with no passcode and the link had been posted publicly; bad actors find these simply by searching for “zoom.us” on social media sites. Bad actors have also written tools that rapidly guess meeting IDs (the ID space is only nine to eleven digits), which discover unprotected meetings at scale.
In response, Zoom now enables a meeting passcode by default, which defeats ID-guessing tools as long as the passcode is not posted alongside the link. Join notifications, also enabled by default, alert the organizer to every attendee’s arrival so that unauthorized individuals can be spotted and removed.
The waiting room feature lets organizers of large meetings vet every participant before admitting them. The Citizen Lab reported a vulnerability in this feature to Zoom and withheld the details pending a fix; its advice at the time was to rely on meeting passcodes rather than waiting rooms for confidentiality. Until the fix is confirmed, use both: the passcode keeps uninvited guests out, and the waiting room remains a useful screening step, but it should not be the only control.
Infiltration via Compromised Computers
Can a user who has gained control of a meeting participant’s computer observe that meeting? Yes, but from a pure risk prioritization standpoint, one is inclined to ask what the greatest prize for the infiltrator might be: observing a meeting, or just stealing files off of the compromised computer? If a malicious actor can run programs on a user’s computer, they can cause a wide array of damage, impacting far more than just Zoom.
The Bad News
Unfortunately, other aspects of how Zoom works are more troubling, and most have yet to be resolved.
In their April 3 report, The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy at the University of Toronto, identified significant weaknesses with Zoom’s encryption method and pointed out some troubling aspects of Zoom’s development and infrastructure that may expose them to pressure from Chinese authorities.
In some of Zoom’s documentation, they claim to offer “end-to-end encryption” (E2E), and the app itself displays a message to this effect when encryption is enabled.
The standard definition of “end-to-end encryption” is a system of communication where only the communicating users can read the messages sent between them.
The Citizen Lab cites Zoom’s April 2020 blog post, in which Zoom attempted to clarify its encryption scheme. In it, Zoom used the term “end-to-end” to describe a setup in which all conference participants (except those dialing in by telephone) use transport encryption between their devices and Zoom’s servers. That is not end-to-end by the standard definition, because Zoom’s servers sit in the middle and handle the media in decrypted form.
In their analysis of Zoom test meetings, The Citizen Lab deduced that Zoom has implemented its own transport protocol, an extension of the Real-time Transport Protocol (RTP), and that participants’ audio and video are encrypted with a single AES-128 key shared by everyone in the meeting, generated and distributed by Zoom’s servers rather than negotiated between the participants. More troubling, the media is encrypted with AES in ECB mode. ECB encrypts every 16-byte block independently, so identical plaintext blocks always produce identical ciphertext blocks; patterns in the input survive in the output, which is why the mode is avoided for bulk data such as audio and video frames and why it is the textbook example of what not to do.
The blog post includes the following claim: “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.” Customers may take this claim at face value, but the design itself makes it less reassuring than it sounds: the meeting key is created and handed out by Zoom’s servers, so whoever controls those servers, or can compel Zoom to hand over keys, can decrypt captured traffic without inserting anyone into the participant list, and the ECB mode additionally leaks patterns in the media even to an observer who has no key at all. In an April 3 blog post in response to The Citizen Lab’s report, Zoom committed to an external review of their encryption design, stating that “We are working with outside experts and will also solicit feedback from our community.”
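The following is an added demonstration, written for this post rather than taken from Zoom or The Citizen Lab, of why ECB is the wrong mode for media and what the move to an authenticated mode (the AES-GCM migration discussed in the update below) changes. The Python standard library has no AES, so a small Feistel construction stands in for the block cipher; it is not secure and is labelled as such, but it is a real 16-byte permutation, and the mode behaviour shown is exactly that of AES in the same modes. The “frame” is a constructed stand-in for a video frame with a flat background, and all names are this example’s own.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # 128-bit blocks, the AES block size


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to the 8-byte half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on 16-byte blocks. It stands in for AES
    (the standard library has none) and is NOT secure; only its invertibility
    and fixed block size matter for showing how the *mode* behaves."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block is encrypted on its own, so equal plaintext blocks give
    equal ciphertext blocks (the mode The Citizen Lab observed)."""
    assert len(data) % BLOCK == 0, "ECB needs whole blocks"
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR the data with E(nonce || counter). GCM is CTR plus an
    authentication tag. The same call decrypts; a nonce must never be reused."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter = nonce + (i // BLOCK).to_bytes(BLOCK - len(nonce), "big")
        out += _xor(data[i:i + BLOCK], block_encrypt(key, counter))
    return bytes(out)


def authenticated_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for an authenticated mode such as GCM."""
    ct = ctr_crypt(key, nonce, data)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def authenticated_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext was modified in transit")
    return ctr_crypt(key, nonce, ct)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of duplicate 16-byte blocks in a ciphertext. Anything above 0 on
    data with repetition (video frames, silence, padding) is a strong sign of ECB
    and is the quickest check to run on a captured stream."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values() if c > 1)


# Constructed stand-in for one media frame: a flat background with one
# distinctive 16-byte region. The shared meeting key is likewise made up.
MEETING_KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
FRAME = b"\x00" * (BLOCK * 6) + b"face-of-speaker1" + b"\x00" * BLOCK

if __name__ == "__main__":
    ecb = ecb_encrypt(MEETING_KEY, FRAME)
    ctr = ctr_crypt(MEETING_KEY, b"\x01" * 8, FRAME)
    print("ECB duplicate blocks:", repeated_blocks(ecb))  # 6: the background shows through
    print("CTR duplicate blocks:", repeated_blocks(ctr))  # 0
```

Under ECB an eavesdropper with no key can still see that seven of the eight blocks are the same and which one differs; under CTR every block looks random, and the authenticated variant refuses to decrypt anything that was altered in transit. Neither mode changes who holds the key, which is the other half of The Citizen Lab’s finding.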
The Keymaster Problem
In one of The Citizen Lab’s Zoom test meetings between a user in Canada and a user in the United States, they discovered that the AES-128 encryption key originated from a server in Beijing. The Citizen Lab followed up with a Censys scan using the “zoom is ok!” and “zoom.us” search terms, which revealed 68 servers in the United States and 5 servers in China apparently running the same Zoom server software as the Beijing server. Additional test sessions based in North America also connected to the Beijing server.
Zoom addressed this finding in a blog entry posted on the same day as The Citizen Lab’s report. In it, they acknowledged that the identified servers do indeed serve as bridges for the Zoom platform and that the Chinese servers were recently added in an attempt to meet the surge in demand for their service in China. They claim that during this process, “we failed to fully implement our usual geo-fencing best practices,” which should have prevented a meeting session in North America from connecting to the Chinese servers. Zoom stated that they immediately removed the mainland China data centres off their whitelist of secondary backup bridges to ensure no Zoom users from outside of China will connect to them from now on. Independent testing has confirmed that the Chinese servers are no longer used for North American meetings.
While Zoom’s rapid response to the vulnerabilities cited in The Citizen Lab report is commendable, their credibility should be weighed against some background on Zoom’s connections to China also mentioned in the report.
The China Factor
The Citizen Lab pointed out that while Zoom is headquartered in the United States, “the mainline Zoom app appears to be developed by three companies in China,” where Zoom employs about 700 people in research and development, according to its most recent SEC filing. While developing in China may be cheaper for Zoom than hiring Silicon Valley-based developers, the arrangement may render the company susceptible to pressure from Chinese authorities. As a case in point, The Citizen Lab notes that Zoom may be legally obligated to disclose to those authorities the encryption keys distributed by its Chinese servers.
Additionally, Zoom has never issued a transparency report, making it an outlier among technology companies that handle sensitive user data. On April 2, Zoom posted a blog entry in response to a March 2020 open letter from Access Now that urged Zoom to publish regular transparency reports, but in that response CEO Eric Yuan set only a vague deadline of “within 90 days” for Zoom’s first report.
Cybersecurity is all about reducing business risk for a cost lower than that of an actual security incident. In this instance, admins must weigh the risks from continuing to use Zoom (at a time when video conferencing is a lifeline for business continuity) against the risks of the vulnerabilities listed here. Zoom’s rapid proliferation is no accident; it is a powerful, easy-to-use platform for video conferencing and collaboration.
iON maintains that the first set of vulnerabilities listed here have either been addressed by Zoom or can be addressed by following these best practices for setting up Zoom meetings:
- Never post upcoming Zoom meetings on social media
- Password protect your meetings (this is the default setting)
- Never use your “personal meeting ID” for meetings with outside parties; it is a fixed, reusable ID, so anyone who has ever received it can try it again
- Enable Join notifications for all meetings
- Disable chat if you are concerned that a participant may post a malicious link
- Enable waiting rooms and vet participants on entry
- Enable host control of screen sharing
- For broadcast-style events like AGMs, protect against “bombing” by muting all participants, not allowing them to share, and disabling chat
- Record meetings on the host’s computer rather than in the cloud
ON THE OTHER HAND, the concerns raised by The Citizen Lab require network admins and security team leads to make a judgment call. Zoom has been very quick to respond to the vulnerabilities listed in The Citizen Lab’s report, and we believe CEO Eric Yuan’s plan to address these concerns once more demonstrates Zoom’s attentiveness to security issues identified by critics.
In the end, it comes down to which narrative you believe:
- Zoom is a successful upstart with a great product that was overwhelmed by demand but is earnestly addressing the criticisms of user privacy and security levelled against it.
- Zoom, whether by design or oversight, is being used for signals intelligence by Chinese authorities who exploit its easily-identifiable limitations in cryptography, security issues, and, for a time, exploited its servers based in China.
In iON’s view, Zoom’s timely responses to recent security criticisms lend credence to their explanations for the issues raised, and consequently we will continue to use Zoom for video conferencing and collaboration.
As with everything, it is important to continually reassess risk against your threat model because threats, and their respective mitigations, change daily. For iON’s part, we will monitor the latest reporting regarding Zoom’s security and their progress in addressing any issues while reassessing our risk profile in light of these developments. Whether you choose to use Zoom or another product such as Teams, WebEx, or GoToMeeting, you must be sufficiently informed to accurately measure the risk before deciding what to do based on your risk tolerance and the risks identified with your potential choices. These alternatives for video conferencing may also have security vulnerabilities that have yet to be reported, so we recommend conducting research both before arriving at a decision and periodically after making your choice.
UPDATE – April 17
Since we published this blog entry, Zoom has been very active in addressing security concerns, summarized in their 90-day Security Plan Progress Report:
Zoom has remained in the news for other reasons, including the recent report that thousands of Zoom accounts have been posted on the Dark Web:
In the conclusion of this update, we provide two methods that show how to prevent a similar breach of Zoom user credentials at your organization.
Regarding Zoom’s overall security remediation efforts, we believe they are commendable and the major developments include:
Changes to Data Centre routing
As of April 18, account admins can choose which data center regions their meeting traffic may be routed through, giving them direct control of their interactions with Zoom’s global network (the account’s home region cannot be deselected). The settings in question are found in the Zoom App by clicking the Settings icon, clicking View More Settings, and scrolling down to the Select Data Center Regions section. iON recommends selecting only the United States and Canada for clients whose meetings will only be conducted in that region.
Enhanced Password Security/Complexity
Account owners and admins can now configure minimum meeting password requirements to include numbers, letters, and special characters, or to allow only numeric passwords. Free Basic account users will now use alphanumeric passwords by default instead of numeric passwords.
Long-term Plan to Improve Encryption
Zoom’s short-term focus for encryption is migrating from AES in ECB mode (Zoom’s documentation claimed 256-bit keys, while The Citizen Lab observed 128-bit keys in practice) to AES-256-GCM, an authenticated mode that removes the pattern leakage of ECB and also detects tampering with the media stream. Note that this does not change who holds the key: Zoom’s servers still generate and distribute it. Long-term, they plan to develop and incorporate a totally new cryptographic design that greatly reduces risk to Zoom’s system.
Bug Bounty Program and Katie Moussouris Collaboration
Zoom will be relaunching its Bug Bounty program, a system that rewards users and security researchers for identifying bugs within a company’s product. Zoom has invited all users and security researchers to participate, including researchers who have previously reported on Zoom vulnerabilities (we presume this includes The Citizen Lab).
Equally noteworthy is that Zoom will collaborate on their reboot of this program with Luta Security, which was founded by Katie Moussouris. Ms. Moussouris started Microsoft Vulnerability Research and Symantec Vulnerability Research, and also started Microsoft’s and the Pentagon’s bug bounty programs.
Hiring of Alex Stamos
The former CSO of Facebook and the director of Stanford’s Internet Observatory, Alex Stamos will join Zoom as a consultant to help them identify and implement enhanced security measures.
The Playing Field
For context (and contrast), it is worth noting a recently updated article from Cisco regarding the limitations that result from enabling end-to-end encryption with WebEx:
Additionally, Microsoft Teams has clarified that they only provide encryption in transit and at rest and not end-to-end, as defined in our previous article:
Considering the pace, scale, and transparency of Zoom’s efforts to address security concerns identified by security researchers, iON remains content to continue using Zoom both internally and for client interface at this time.
As stated in our original blog posting, maintaining effective security controls is a continual process of re-evaluation. In the context of what video conferencing tools to use during the current quarantine, re-evaluation requires following the latest developments.
We also point out that the Zoom accounts and login credentials that were acquired and posted on the Dark Web were evidently the result of a credential “stuffing” attack, in which username and password pairs stolen from other websites were replayed against Zoom and worked wherever the user had reused the same password. The breach of these users’ accounts was therefore not directly attributable to any deficiency on Zoom’s part, but to breaches of other websites and to password reuse by the users themselves. Details on the breach are available here:
There are two measures Zoom administrators can take to prevent this issue from occurring:
- “Local” passwords are configured in the Zoom app or website and then stored and managed by Zoom. For accounts that must stay local, iON recommends enabling the Enhanced Password Rules setting and configuring:
  a. A minimum password length of 14 characters
  b. New users need to change their password on first sign-in
- At iON, we use Single Sign-On to authenticate all our users to Zoom. This has several advantages:
  - Zoom never sees, stores, or transmits our users’ passwords
  - Our corporate password policy requiring the use of long passwords is enforced
  - Our SSO solution also enforces multi-factor authentication to log into Zoom
  - When a strong password policy is enforced, users are less likely to reuse their Windows password on other public websites, reducing the likelihood that a password stolen from another site will work against Zoom
The most important recommendation that we can make for all our customers is to require passwords that are as long as possible (we recommend a minimum length of 15 characters) and to require MFA, which is a critical security measure for every organization.
With the proliferation of SaaS, most organizations use some form of Single Sign-On through Azure, Active Directory Federation Services (ADFS) or third-party services such as Okta, OneLogin, and Ping. We strongly recommend that all corporate users of Zoom configure Single Sign–On instead of relying on Zoom local accounts. Zoom has links to information on how to configure the above services to work with Zoom here: https://support.zoom.us/hc/en-us/articles/201363003-Getting-Started-with-SSO.
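Routing Zoom sign-ins through SSO also puts every attempt into one place where credential stuffing can be spotted. As an added example (not part of the original post, and not Zoom’s or any IdP vendor’s tooling), the following Python scans sign-in events in a generic “timestamp source-IP account result” form and flags sources that try many different accounts in a short window with mostly failures, which is the signature of stuffing as opposed to a single user mistyping. The log lines are constructed for the demo, and the field layout, thresholds and function names are this example’s own assumptions; adapt the parser to your IdP’s export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real Zoom or IdP logs):
# timestamp, source IP, account, result.
SAMPLE_LOG = """\
2020-04-13T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-13T09:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-13T09:00:02Z 203.0.113.7 carol@example.com FAIL
2020-04-13T09:00:03Z 203.0.113.7 dave@example.com SUCCESS
2020-04-13T09:00:04Z 203.0.113.7 erin@example.com FAIL
2020-04-13T09:00:05Z 203.0.113.7 frank@example.com FAIL
2020-04-13T09:01:10Z 198.51.100.2 alice@example.com FAIL
2020-04-13T09:01:40Z 198.51.100.2 alice@example.com FAIL
2020-04-13T09:02:05Z 198.51.100.2 alice@example.com SUCCESS
2020-04-13T10:30:00Z 203.0.113.7 grace@example.com FAIL
"""


def parse_events(text: str) -> list:
    """Return (timestamp, ip, account, success) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, max_success_ratio=0.5) -> dict:
    """Map flagged source IP -> set of accounts it tried.

    A source is flagged when, within any sliding `window`, it attempted at least
    `min_accounts` distinct accounts and mostly failed. Stuffing spreads one or
    two tries across many accounts; a real user (198.51.100.2 above) hammers
    one account, so the distinct-account count stays low and is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {user for _, user, _ in span}
            success_ratio = sum(ok for _, _, ok in span) / len(span)
            if len(accounts) >= min_accounts and success_ratio <= max_success_ratio:
                flagged.setdefault(ip, set()).update(accounts)
    return flagged


def compromised_accounts(events, flagged: dict) -> set:
    """Accounts a flagged source actually got into: their reused password
    worked, so these need an immediate reset and session revocation."""
    return {user for _, ip, user, ok in events if ip in flagged and ok}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    hits = detect_stuffing(evts)
    print("stuffing sources:", {ip: sorted(a) for ip, a in hits.items()})  # 203.0.113.7, six accounts
    print("accounts to reset:", sorted(compromised_accounts(evts, hits)))  # ['dave@example.com']
```

The thresholds are deliberately conservative for a small sample; on a real tenant you would tune the window and account count to your sign-in volume, and feed the flagged sources into a block rule at the IdP. With MFA enforced through SSO, a success in this report means only that the password was correct, not that the attacker got in, but the password still needs to go.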
Finally, in addition to our recommendations in our original blog posting, we recommend the following practices to Zoom administrators to maximize security:
- Take the time to select the data centre regions where you will permit your calls to be hosted, locking the setting so your users cannot change it
- Configure an enhanced password policy requiring long passwords for all Zoom-hosted accounts
- Configure Single Sign-On to leverage organizational Windows Accounts for authentication
- Configure the SSO solution to require multi-factor authentication
- Ensure that the Zoom software used by your users is updated regularly as new updates are released frequently
- Regularly review the configuration settings available in Zoom to see whether additional security settings can be enabled, since new options are added frequently