To Zoom or not to Zoom
Sandeep Shukla
Professor and Rajiv and Ritu Batra Endowed Chair for Cyber Security, Computer Science and Engineering at Indian Institute of Technology, Kanpur
Today I saw in the news that the government has issued an advisory against using Zoom. While it makes sense that secret government business should not be carried over Zoom, it makes no sense to provide misinformation about Zoom to the general public. A lot of schools are using Zoom for teaching and engaging their students online. Nothing confidential is discussed during those sessions, and Zoom is perfectly fine for such purposes. Also, the vulnerabilities reported in the macOS, iOS and Windows versions of the Zoom client have been fixed, so as long as one uses the latest version of the client, the known attacks do not apply. Even the attacks that were disclosed for these platforms were very unlikely to be exploited, as most of them require the attacker to be part of your Zoom session or, in one macOS case, to already have access to the same machine.
In any case, I was disappointed by the government advisory, which was misinformed and which misinforms the public in general. Another claim made in the advisory was that most Zoom servers are in China, which is untrue.
Recently I received a query from a local school principal: parents are writing to him to stop the use of Zoom for engaging students. This is unwarranted, since school material is not confidential and is not an attractive target. Zoom bombing could be an issue there, exposing students to illegal material or videos, but that can be easily stopped by the host of the meeting by taking the necessary precautions in how the meeting's settings are configured and how the meeting is run.
So I decided to write this in order to dispel some misinformation. Regarding the security and privacy issues related to the usage of Zoom, here are the points I have gathered by reading the disclosures made by various security researchers. The media headlines are misleading and are creating a frenzy for no good reason. I will make 6 points below to set some of the issues straight.
1. The problems with the Zoom clients on the macOS and iOS platforms have been fixed in the latest patches, so as long as users download the latest version of the Zoom client it should be fine. There was another problem with hyperlinks in Zoom chat that has been fixed as well. Downloading the latest version of any software, from the vendor's own site or the platform's app store rather than from a third-party link, is always the best defense against attacks based on vulnerabilities already known in the public domain.
2. It is true that the Zoom client installed a lightweight local web server on client machines (on macOS), but so far no report indicates any compromise through that web server.
3. It is true that Zoom does not provide end-to-end encryption the way WhatsApp does. What that means is that data from a Zoom user to the Zoom servers goes encrypted, BUT it is decrypted at the Zoom server and encrypted again, with a different key, on the way to the other participants of the same conference. So all the data (video/audio/screen share) is safe from snooping on the local network and on the Internet, but it is available in the clear at the Zoom server. Depending on the country in which a given Zoom server is located (they are in multiple locations) and the IT laws there, the content of your conference can be revealed from the server side. So if you are discussing classified content, business secrets or confidential intellectual property, you should not use Zoom. Note that we do not know whether Webex, GoToMeeting etc. have the same property, as they have not been subjected to the same scrutiny yet. For normal discussions, teaching etc., Zoom is fine; it is not for secret information.
4. Zoom has key servers located in many countries, including a few in China, with the majority in the US. If a key server is compromised it can leak your encryption key material and therefore breach confidentiality. But this is again related to point 3 above: one has to judge how confidential the meeting is to decide whether to use the medium or not.
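To make points 3 and 4 concrete, here is an added simulation (my own illustration, not Zoom's code or protocol) of three ways a conferencing service can protect media between two participants: transport-only encryption that the server decrypts and re-encrypts hop by hop, "end-to-end" encryption where the meeting key is nevertheless issued by, and known to, the vendor's key server, and true end-to-end encryption where the server never holds the meeting key. The cipher is a toy SHA-256 counter-mode keystream standing in for AES-GCM, and the participants and the sample message are made up. What it shows is what a compromised or legally compelled server can log in each mode.

```python
"""Added illustration: what a compromised media server can read under three
key-handling models. Toy cipher, made-up participants; not Zoom's code."""
import hashlib
import secrets

NONCE_LEN = 16


def _keystream_xor(key, nonce, data):
    # Toy stream cipher: SHA-256 in counter mode XORed onto the data. It stands
    # in for AES-GCM and has no authentication, so it is for illustration only.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, plaintext):
    """Encrypt with a fresh nonce; the nonce is prepended to the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)


def unseal(key, blob):
    """Inverse of seal()."""
    return _keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class MediaServer:
    """The vendor's relay. It always holds each client's transport key (the
    TLS-like hop between client and server). It holds the meeting key only in
    the vendor-keyed mode, which models the key servers of point 4."""

    def __init__(self, transport_keys, meeting_key=None):
        self.transport_keys = transport_keys
        self.meeting_key = meeting_key
        self.captured = []  # the most an insider or a compelled operator could log

    def relay(self, sender, receiver, wire):
        inner = unseal(self.transport_keys[sender], wire)
        if self.meeting_key is not None:
            self.captured.append(unseal(self.meeting_key, inner))
        else:
            self.captured.append(inner)  # plaintext in hop-by-hop, ciphertext in e2e
        return seal(self.transport_keys[receiver], inner)


def simulate(mode, plaintext=b"Q3 revenue forecast (confidential)"):
    """mode is one of 'hop_by_hop', 'e2e_vendor_keyed' or 'e2e'."""
    if mode not in ("hop_by_hop", "e2e_vendor_keyed", "e2e"):
        raise ValueError(mode)
    transport = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    meeting_key = None if mode == "hop_by_hop" else secrets.token_bytes(32)
    server = MediaServer(transport, meeting_key if mode == "e2e_vendor_keyed" else None)

    # Alice: optional end-to-end layer, then the transport layer to the server.
    inner = plaintext if meeting_key is None else seal(meeting_key, plaintext)
    wire = seal(transport["alice"], inner)

    delivered = server.relay("alice", "bob", wire)

    # Bob: strip the transport layer, then the end-to-end layer if present.
    inner_at_bob = unseal(transport["bob"], delivered)
    received = inner_at_bob if meeting_key is None else unseal(meeting_key, inner_at_bob)

    return {
        "received": received,
        "network_can_read": plaintext in wire,           # the hop itself is always encrypted
        "server_can_read": server.captured[0] == plaintext,
    }


if __name__ == "__main__":
    for m in ("hop_by_hop", "e2e_vendor_keyed", "e2e"):
        r = simulate(m)
        print(f"{m:17s} delivered_ok={r['received'] == b'Q3 revenue forecast (confidential)'} "
              f"network_can_read={r['network_can_read']} server_can_read={r['server_can_read']}")
```

The point of the middle mode is that calling something "end-to-end" changes nothing about what the server side can read if the vendor's key server hands out the meeting key; only the last mode, where the key is agreed between the clients and never reaches the server, keeps the relay blind.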
5. Zoom bombing is not an issue if the host does the following: (i) never configure the meeting to accept guests before the host joins; (ii) use a password/PIN to join the meeting, and send the password/PIN in a separate email from the Zoom link, or better, do not send the link at all and just send the meeting number and the PIN in separate emails; (iii) use Zoom's waiting room facility: the host can configure the meeting so that every person first lands in the waiting room, and then admit members one by one after confirming that each is the right person. Zoom bombing is not so much a cyber security problem as a matter of how you configure and run your meeting. The host can also mute or remove a person from the meeting, and can lock the meeting once everyone expected has joined.
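Settings like these are easy to check in bulk rather than meeting by meeting. Here is an added policy check (my own example, not Zoom's code) that takes meeting objects and reports which of the point 5 rules a meeting breaks, with a weakly configured meeting beside a hardened one. The field names (password, settings.join_before_host, settings.waiting_room) are assumed to mirror Zoom's REST API v2 meeting object; verify that against the API reference before wiring this to real data. The minimum passcode length is a policy choice for this example, and both sample meetings are constructed.

```python
"""Added example: policy check for the anti-Zoom-bombing settings. Field names
are assumed to follow Zoom's REST API v2 meeting object; sample data is made up."""

MIN_PASSCODE_LEN = 6  # policy choice for this example, not a Zoom limit


def audit_meeting(meeting):
    """Return the list of findings for one meeting; an empty list means it passes."""
    findings = []
    settings = meeting.get("settings") or {}

    # (i) nobody gets into the room before the host does
    if settings.get("join_before_host", False):
        findings.append("join_before_host is on: turn it off")

    # (ii) the meeting must require a passcode, and not a trivial one
    passcode = meeting.get("password") or ""
    if len(passcode) < MIN_PASSCODE_LEN:
        findings.append(f"passcode missing or shorter than {MIN_PASSCODE_LEN} characters")

    # (iii) everyone lands in the waiting room and is admitted by the host
    if not settings.get("waiting_room", False):
        findings.append("waiting_room is off: turn it on")

    return findings


def audit_meetings(meetings):
    """Map meeting id -> findings for a batch, e.g. a school's weekly schedule."""
    return {m.get("id"): audit_meeting(m) for m in meetings}


# Constructed samples: the same class scheduled weakly and then hardened.
WEAK_MEETING = {
    "id": 1111111111,
    "topic": "Class 7B maths",
    "password": "",
    "settings": {"join_before_host": True, "waiting_room": False},
}
HARDENED_MEETING = {
    "id": 2222222222,
    "topic": "Class 7B maths",
    "password": "b7Qx2kLp",
    "settings": {"join_before_host": False, "waiting_room": True},
}

if __name__ == "__main__":
    for meeting_id, findings in audit_meetings([WEAK_MEETING, HARDENED_MEETING]).items():
        print(meeting_id, "OK" if not findings else findings)
```

Rule (ii)'s second half, sending the passcode separately from the link, is about how the invitation is distributed and cannot be read off the meeting object, so it stays a procedural check for the host.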
6. There was a news story this morning about 500,000 usernames/passwords leaked on the dark web, but the headline is misleading. This is the result of a credential stuffing attack. If you go to https://haveibeenpwned.com/ and type in your various email addresses one by one (Yahoo, Gmail, Hotmail, IITK email etc.), you will find that there are many breached databases in which your username/password have leaked. Usually this is either from the email system itself (as in the case of Yahoo Mail) or from another site (such as linkedin.com) that was hacked some time ago where you used your email address as a username. The password that leaked is probably not your Zoom password. But some people use the same password in many places, and it turns out that passwords from these old leaked credentials matched the Zoom passwords of many people. Trying old leaked credentials against a new service is exactly what attackers do in credential stuffing. So this is not a Zoom problem but rather a problem of users who reuse the same password in many places. The best way to avoid it is to never reuse an old password as a Zoom password; a password manager makes a unique password per site practical.
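The same site's Pwned Passwords service lets you check whether a password itself is in the breach corpora without ever sending the password: only the first five hex characters of its SHA-1 go to the server, which returns every known hash suffix in that range, and the match is made locally (k-anonymity). Here is an added example of that client-side logic (my own code, not haveibeenpwned.com's). The range endpoint URL is the real one, but the demo runs offline against constructed range bodies with made-up counts; the fetch_range function is there for a live lookup and is never called by the demo.

```python
"""Added example: check a password against a breach corpus the way the
haveibeenpwned.com Pwned Passwords range API works (k-anonymity). Offline
demo on constructed data; the counts below are made up."""
import hashlib
import urllib.request
from collections import defaultdict

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and
    the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, range_body):
    """How many times this exact password appears in the returned range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup against the real API (needs network; the demo never calls it)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "password-reuse-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_sample_ranges(leaked):
    """Constructed test data: turn {password: count} into {prefix: body}, the
    shape the API hands back per prefix. Counts are invented for the demo."""
    grouped = defaultdict(list)
    for pw, count in leaked.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        grouped[prefix].append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


def check_offline(password, ranges):
    """Same logic as a live check, but against pre-built range bodies."""
    prefix, _ = sha1_prefix_suffix(password)
    return pwned_count(password, ranges.get(prefix, ""))


SAMPLE_RANGES = build_sample_ranges({"password": 12345, "letmein": 678, "Zoom2020!": 3})

if __name__ == "__main__":
    for candidate in ("password", "Zoom2020!", "correct horse battery staple"):
        n = check_offline(candidate, SAMPLE_RANGES)
        verdict = f"seen {n} times in the corpus, do not reuse" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

A count of zero only means the password is not in the corpus checked; it says nothing about strength. A non-zero count means attackers already have it in the lists they stuff, which is exactly the point 6 failure mode.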
I hope it helps someone.
PS: Update on 20th April 2020: there are reports that a Windows remote-code-execution vulnerability and a macOS vulnerability (not remote-code-execution) exist, and that hackers on the dark web are selling exploits for them for 0.5 million USD. However, according to those who have previewed the offer, the attacker has to be on the same conference call to use the remote-code-execution exploit. So it is even more important for Zoom meeting organizers to whitelist the people they want to attend the meetings they organize. The macOS bug seems to be less of an issue: https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000
Note that such vulnerabilities come up in Windows, Linux, Android, Facebook, Chrome, Firefox, in all software, and they are usually patched quickly by the developers of the software concerned. So this is not something special about Zoom. It should also be noted that any software which attracts public attention is likely to be looked into with considerable interest by blackhat hackers who want to monetize any vulnerability they may find. So I would like Zoom to find the vulnerabilities as soon as possible and develop a patch, but I would not worry too much if my meeting host is careful about who they let into their meetings.
Generative AI Taskforce @Samsung Research, Seoul | IIT Kanpur
4 years ago: Mohammad Raza
CTO, Academy
4 years ago: Very true. Well put.
Assistant Professor at Thiagarajar College of Preceptors, (Aided)
4 years ago: Nice presentation... Now clear... Because I am also using Zoom for taking classes for my B.Ed students... I faced... some parents hitting via mobile at the time our government issued the "not safe" notice...
Leading Design at RagaAI | Top Voice for Product Design & Design | AI+Design | NID | UX | UI | Co-founded Poppins | OnDeck | Antler | Alchemist | Buildspace
4 years ago: Helpful, thank you Sandeep Shukla
Multi Disciplinary, Futurist GreenPill:
4 years ago: Great to see this. Competitors have been biting the dust as Zoom has overtaken usage mindshare. There was no force asking anyone to abandon Skype/Lync/Teams from Microsoft, or Google's repurposed Meet from Hangouts, or Webex, GoToMeeting etc. The sheer ease and better long-duration video conference staying power of Zoom is a pleasure. Holding multiple video sessions synchronized, HD level, in one call is not trivial, and many stutter on low bandwidth. That is why Zoom has grown so much. Now in the coming 3 months they should get the security issues sorted out. Now that Zoom has enabled passwords and a holding room for participants to be reviewed by the host, most issues are reasonable. I doubt competing providers will fare much better under similar scrutiny.