Beyond the noise – Why CIONET feels it is safe to continue to use Zoom

Careful analysis by leading security experts confirms that Zoom delivers a safe and secure virtual meeting environment, when used with the appropriate safeguards to protect meetings and webinars.

Zoom has been – and continues to be – the video-first communication platform of choice for CIONET.

Zoom has been very successful since the start of the Corona crisis, and its usage continues to increase. In a few weeks, it evolved from a successful B2B communication platform to a household name. This exponential growth painted a huge target on Zoom’s back. The company has experienced scrutiny over security and privacy issues, and significant bugs were found. But all complex software has bugs, so we judge Zoom on its response to security issues more than on the issues themselves. However, the issues need to stay within reason, and the responses need to be quick and effective.

The seven most important areas of concern

Let’s have a look at the seven most important areas of concern. This is not an exhaustive list, and surely more bugs will be found in the future. However, the trend emerging from the analysis of this list does allow us to take comfort in the security response capabilities of Zoom and in the level of diligence and priority devoted to security and privacy. To date, Zoom is hitting its aggressive milestones in the 90-day plan to proactively identify, address, and enhance the security and privacy capabilities of the Zoom platform.

1.  ‘Zoombombing’

This has been one of the main talking points, with many people finding their Zoom meetings being hijacked by unwelcome intruders.

In the Before Times, Zoom had short meeting IDs that an attacker could guess pretty easily, then join and cause disruptions. Zoom has since strengthened the security of the Personal Meeting ID solution. However, if you share your Personal Meeting ID on social media, unwanted visitors can still get hold of it. Zoom recommends using unique meeting IDs and encourages the use of passwords for confidential meetings. This makes it harder, but not impossible, to stumble upon meetings. If you use unique meeting IDs, passwords and waiting rooms, the risk of strangers dropping in falls to nearly zero.

In the end, if someone joins your call and you don't recognize them, use the Zoom meeting controls as the host to remove them. Once removed, they can’t rejoin.

2.  Sending data to Facebook

Some versions of the iOS app were sending data to Facebook, even if you didn’t have a Facebook account. Zoom pulled the Facebook SDK from its iOS app by removing the "Login with Facebook" feature in less than 2 days.

3.  Eavesdropping

Zoom meetings aren’t end-to-end encrypted, leaving the calls vulnerable to eavesdropping. Despite the advertising, Zoom, like the other video conference providers today, does not actually enforce true E2E encryption. To be clear, this doesn’t mean our communications are wide open to just anyone. Anyone other than people sitting on the client endpoints, or wherever Zoom terminates its connections, remains in the dark, as is the case with any other HTTPS interaction. Zoom used AES-256 ECB, the industry’s best class for encrypting conversations on your computer or phone.

True E2E encryption places severe limitations on functionality like joining from conference rooms, sharing screens, joining before the host and more. Due to these limitations, the commercial video conference providers don’t implement true E2E encryption today.

The existing encryption features are sufficient to guarantee confidentiality for CIONET purposes.

4.  Zoom can expose your Windows passwords

The headline in the news read: “Zoom can expose your Windows passwords to other users”. This is quite a misleading statement.

This headline and the related weakness have their origin in the fact that Zoom chats turned UNC paths, like \\example.com\, into clickable links on Windows clients. If someone were to click on such a link, their Windows username and NTLM credential hash (a crackable version of a password) might be sent across the internet to the site provided by the attacker. As far as we know today, you cannot force someone to reveal their username and password hash with Zoom. Instead, the attacker needs to get the user to click on the link. Such a specifically crafted link can also be delivered through another channel, such as email. We recommend blocking SMB traffic to the internet, if you don’t do this yet.

Zoom fixed the UNC path rendering issue in a matter of hours.
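To make the link-rendering issue concrete, here is an added example (constructed here, not Zoom's code) that models a chat renderer in its vulnerable and hardened forms, plus a defender's check that lists UNC paths found in a saved chat transcript; the sample messages and the `example.com` host are constructed.

```python
import html
import re

# Constructed model of the chat link-rendering bug; not Zoom's code.
# The vulnerable renderer treats a UNC path such as \\host\share like a web URL
# and makes it clickable, which is what lets the SMB client leak the NTLM hash.

# Vulnerable pattern: "\\..." is linkified exactly like "http://..."
LINK_RE_VULN = re.compile(r'(?:https?://|\\\\)[^\s<>"]+')
# Hardened pattern: only http(s) URLs become links; everything else stays text
LINK_RE_SAFE = re.compile(r'https?://[^\s<>"]+')
# Detector: \\host, optionally followed by \share\path
UNC_RE = re.compile(r'\\\\[^\\\s<>"]+(?:\\[^\s<>"]*)?')

def _render(message, link_re):
    """HTML-escape the message and wrap every link_re match in an anchor."""
    out, pos = [], 0
    for m in link_re.finditer(message):
        out.append(html.escape(message[pos:m.start()], quote=True))
        target = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{target}">{target}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:], quote=True))
    return "".join(out)

def render_vulnerable(message):
    """Pre-fix behaviour: UNC paths come out as clickable links."""
    return _render(message, LINK_RE_VULN)

def render_hardened(message):
    """Post-fix behaviour: UNC paths are shown as plain, escaped text."""
    return _render(message, LINK_RE_SAFE)

def audit_chat(lines):
    """Defender's check: (line number, UNC path) for every hit in a chat log."""
    return [(n, p) for n, line in enumerate(lines, 1) for p in UNC_RE.findall(line)]

# Constructed sample transcript (example.com is the placeholder host from the text)
SAMPLE_CHAT = [
    "agenda is at https://example.com/agenda",
    r"slides: \\example.com\share\deck.pptx",
    r"or just \\example.com\ if that fails",
]

if __name__ == "__main__":
    for line in SAMPLE_CHAT:
        print(render_vulnerable(line), "|", render_hardened(line))
    print(audit_chat(SAMPLE_CHAT))
```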

5.  Zoom is tricking users to install it

Another headline that surfaced in the past weeks read: “Zoom impersonates system prompts in the OSX system interface to trick users into installing it”.

Zoom uses the preinstall scripting feature of OSX to do the actual installation. During the installation, it pops up a system-generated (but application-controlled) password prompt. Normally, this prompt would say something boring and normal like, "Zoom needs your password to update the existing application," but in this case the dialogue box is retitled as, "System need your privilege to change." This sounds pretty shady, like something you'd expect from malware and not from a legitimate application. However, we don’t think that this malicious-seeming behavior categorically defines Zoom as malicious or dangerous.

6.  Attackers can use Zoom to install malware

Local attackers can use Zoom to install malware. In short, two local privilege escalation exploits exist that take advantage of some software architecture decisions made by Zoom.

Within three or four dozen hours of becoming aware of the bugs, Zoom released an update that addresses

7.  Your data is sent to the USA

All data goes to the USA, even for European users. Since the release of Zoom 5.0, Zoom admins and owners of paid accounts can opt in or out of any data center region (apart from their home region) at the account, group, or user level.

What CIONET does to use Zoom securely

  1. We generate unique IDs for our meetings and avoid sharing the personal meeting IDs. When sharing joining instructions for Zoom meetings on social media, we don’t share the Zoom meeting link, but use another URL that redirects to it.
  2. We enable the ‘Waiting Room’ for our web conferences, allowing us as the host to let people in or refuse them if considered appropriate.
  3. We recommend all Zoom users to set up automatic updates on Zoom to ensure vulnerabilities are patched as soon as possible.
  4. We carefully reflect on the privileges needed by each participant and restrict the ability to share screens and annotate on the host’s shared content.
  5. If we share photos of Zoom calls on social media, we make sure that they don’t inadvertently give away meeting IDs.
  6. We choose the European data centers for our European communications.

Conclusion

Zoom actively and quickly addressed specific security concerns as they were raised over the past few weeks. They’ve assured us that their focus for the next 3 months will be prioritising security and privacy, and they have delivered on their promises to date. We therefore conclude that Zoom delivers a safe and secure virtual meeting environment, when used with the appropriate safeguards to protect meetings and webinars. CIONET continues to use Zoom as its platform of choice for video-first communication.

Piotr Lojewski

CEO at Cyberdizzy Enterprise Advisory

Great post! Thank you Luc!