Zoom ... Goes the Dynamite!

With the world muddled in lockdowns and relying more and more on remote workspaces, workplace communication tools have become all the rage. Segment leaders like GoToMeeting, Skype/Teams, Zoom, CyberLink, Google Hangouts and Cisco Webex have all stepped up their presence in the marketplace. Fortunately, despite the increased use and exposure, none of those software tools have exhibited any critical flaws, with one notable exception: Zoom.

Since the onset of the “work from home” mandates necessitated by the COVID-19 pandemic, Zoom’s popularity in the meeting/video conferencing space has skyrocketed. Based on recent reports, the tool is second only to TikTok as the world's current most downloaded app. During a recent week, for instance, Zoom added close to 20 million new mobile users, which represented more than 3½ times more than Skype and 8½ times more than Google Hangouts over the same timeframe. With this monumental increase in use, however, has come a constant battle with new and evolving security threats.

Zoom Bombing

Zoom’s main security threat – “Zoombombing” – is a type of video hijacking that occurs when conferences are hosted on public channels that are shared over the internet via URLs, making them accessible to anyone and everyone. Hijackers can sometimes guess the correct URL or meeting ID for a public Zoom session, giving them access to the feed. This is a minor flaw when it comes to having a Zoom meeting with your closest friends, but can have severe security implications when hosting a meeting associated with an educational institution or major business.

Trent Lo, a security professional and founder of SecKC, Kansas City’s longest-running monthly security meetup, tested and exposed Zoom’s security issues, finding that the only meetings protected from Zoom Meeting ID auto-dialers are videoconferences that have set a password. To mitigate that issue, Lo recommends enabling the ‘Embed password in meeting link for one-click join’ function, which prevents an actor from accessing your meeting without you losing the ability to share a link to join.

The FBI has also issued a warning related to Zoom Bombing, to which Zoom CEO Eric Yuan notes, “The Company’s plan for the next 90 days is to dedicate the resources needed to better identify, address and fix issues proactively.” As things currently stand, the best recommendation a casual user can take to heart is to only share meeting links with your closest circle of trust and require meeting passwords when feasible.

Encryption / Confidentiality Concerns

In addition to the Zoom Bombing issue, the folks at the Citizen Lab at the University of Toronto have identified a plethora of additional security threats involving Zoom that are not necessarily hitting the headlines. For instance, contrary to Zoom documentation that claims the app uses AES-256 encryption for meetings where possible, Citizen Lab found that in each Zoom meeting a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode, their report notes, is not recommended because patterns present in the plaintext are preserved during encryption. Additionally, the AES-128 keys used to decrypt intercepted Zoom packets are coming from Zoom servers in China, even though all meeting participants are located outside that country. Since Zoom was primarily developed by companies based in mainland China, the folks at Citizen Lab believe Zoom to be a “U.S. company with a Chinese heart.” With the threat of malicious users attempting to intercept communications, and even enter private calls, Citizen Lab asks users to use Zoom passwords when possible, and to not use Zoom Waiting Rooms, to ensure confidentiality.

The List Goes On

It seems like every day a new gap in Zoom’s security practices is uncovered. Below is the latest breakdown of other privacy/security concerns to keep in mind when considering using the popular conferencing tool:

• Multiple class action lawsuits have been filed against Zoom for issues related to Facebook data sharing, incomplete end-to-end encryption and an existing vulnerability that allows malicious actors to access users’ webcams.
• An investigation by the Washington Post found thousands of recordings of Zoom video calls were left unprotected and viewable on the open web.
• Security expert Brian Krebs reports that an automated tool was able to find around 100 Zoom meeting IDs in an hour, gathering information from nearly 2,400 Zoom meetings in a single day of scans. 
• The New York Times reports that a data-mining feature on Zoom allowed some participants to surreptitiously have access to LinkedIn profile data about other users.
• Zoom software has now been banned for use at Google, SpaceX and a number of school districts.
• The U.S. Senate has recommended that its members cease using Zoom.
• Some Zoom installer packages have been bundled with various types of malware, including hidden Trojans and coin miners.

With the increased use of video conferencing/meeting tools, Schneider Downs believes your organization should perform thorough reviews of any new software you’re looking to implement. If you’re a general user leveraging Zoom, the recommendations in this article above should give you a leg up on anyone looking to use Zoom vulnerabilities to their advantage.

How Can Schneider Downs Help?

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at [email protected].