WFH darling Zoom is a security and privacy disaster - let me count the ways

Kurt Marko, April 7, 2020
Summary:
Zoom is a rising star in the current Coronavirus crisis, but is this status deserved? A tough personal critique follows...


Zoom Video has been the darling of both Wall Street and stranded home workers since the dawn of our current locked down existence. Indeed, while the broader stock market has entered the teeth of a ferocious bear, Zoom has defied gravity by more than doubling its share price before a recent sell-off.

By almost instantaneously becoming the preferred way enterprises, schools and lonely apartment dwellers meet with colleagues and friends, Zoom ingrained itself into the fabric of our physically isolated existence. As Zoom's stock price intimates, the euphoria over Zoom's meteoric rise has been tempered by troubling news showing that the company isn't worthy of the enormous trust put into it by millions of users.

Zoom rose to dominate the video conferencing market, becoming vastly more popular than long-established competitors like Webex and GoToMeeting, by virtue of its clean, convenient interface and sign-up process. However, that same convenience masked a cavalier attitude towards privacy and security that became acutely, embarrassingly apparent as the number of Zoom conferences exploded, approaching 5 million daily users, many hosting multiple meetings. Zoom’s lax security and loose default settings, preferring convenience over control, enabled a new form of online graffiti and defacement, “Zoombombing”, which has become a particular scourge for online classes where meeting URLs are often widely shared. However, Zoom’s security problems run deeper and first became apparent almost a year ago.

(Figures: two slides from the Zoom Video Q4 earnings presentation)

A litany of Zoom security failures

Zoom’s first notable security problem surfaced in the middle of last year, when a software engineer discovered that its Mac application silently installed a local web server with a “vulnerability [that] allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.” The same hole could also be used for denial-of-service attacks against any Mac with the Zoom app by repeatedly attempting to join an invalid meeting ID. Adding insult to injury, the hidden, buggy web server remained even after the Zoom application was uninstalled.
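The pattern behind that bug is a local web server that acts on whatever request a browser delivers to it. The following is an added example, not Zoom's code: a deliberately flawed handler beside a hardened one, exercised by a bare GET of the kind any web page can trigger and by a request from the legitimate local caller. The /launch endpoint, the ephemeral port and the token scheme are constructed for the demo.

```python
"""Localhost helper web server: a handler that acts on any GET, beside a hardened one.

Added illustration, not Zoom's code. The /launch endpoint, the token scheme and
the ephemeral port are constructed for the demo. A browser will send a plain GET
to http://127.0.0.1:<port>/... on behalf of any web page (an <img src> tag is
enough and involves no CORS preflight), so a handler that acts on such a request
lets any website drive the desktop application that installed it.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

ACTIONS = []  # what the "app" was told to do; stands in for actually starting a call

def authorize(headers, expected_token):
    """Policy for the hardened server: (allowed, reason).

    Browsers attach an Origin header to cross-origin fetch/XHR calls and form
    POSTs, so its presence marks a web page as the sender. An <img>-driven GET
    carries no Origin at all, which is why the secret in a custom header,
    something a third-party page can neither set nor read, is the decisive check.
    """
    if headers.get("Origin") is not None:
        return False, "cross-site request refused"
    if headers.get("X-Auth-Token") != expected_token:
        return False, "missing or bad token"
    return True, "ok"

class VulnerableHandler(BaseHTTPRequestHandler):
    """Acts on GET /launch?id=... no matter who sent it (the flawed pattern)."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/launch":
            return self._reply(404, b"not found")
        meeting = parse_qs(url.query).get("id", [""])[0]
        ACTIONS.append(("launch", meeting))
        self._reply(200, b"launching")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

class HardenedHandler(VulnerableHandler):
    """Same endpoint, usable only by the holder of a per-install secret."""

    TOKEN = secrets.token_hex(16)  # assumed: stored where only the local app can read it

    def do_GET(self):
        allowed, reason = authorize(self.headers, self.TOKEN)
        if not allowed:
            return self._reply(403, reason.encode())
        super().do_GET()

def start_server(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: the OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def _get(url, headers=None):
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def cross_site_launch(port, meeting_id):
    """What a hostile page's <img src=...> amounts to: a bare GET with no token."""
    return _get(f"http://127.0.0.1:{port}/launch?id={meeting_id}")

def app_launch(port, meeting_id, token):
    """The legitimate caller, presenting the secret in a custom header."""
    return _get(f"http://127.0.0.1:{port}/launch?id={meeting_id}", {"X-Auth-Token": token})

def demo():
    """Return the HTTP status each request got, plus everything the 'app' was made to do."""
    ACTIONS.clear()
    vuln, hard = start_server(VulnerableHandler), start_server(HardenedHandler)
    try:
        return {
            "vulnerable_cross_site": cross_site_launch(vuln.server_port, "123456789"),
            "hardened_cross_site": cross_site_launch(hard.server_port, "123456789"),
            "hardened_with_token": app_launch(hard.server_port, "123456789", HardenedHandler.TOKEN),
            "actions": list(ACTIONS),
        }
    finally:
        for srv in (vuln, hard):
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    print(demo())
```

The vulnerable server launches a call for the tokenless GET; the hardened one answers 403 to the same request and only acts when the per-install secret is presented. Removing the server when the application is uninstalled is the other half of the fix, since a hardened handler that nobody knows is still running is still an exposed surface.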

The Mac vulnerability might charitably have been written off as sloppiness by a company more focused on growing its user base and reducing meeting friction than on securing its software; however, Zoom’s dismissive response when notified of the problem is inexcusable. The developer who discovered the bugs contacted Zoom in March 2019, offered a quick fix and agreed to withhold publishing his findings for 90 days (a standard pre-publication courtesy among security researchers) while the company implemented a patch. Zoom waited until June to contact him and only released a fix three days before the 90-day deadline. It took another two weeks before Zoom shipped an update that allowed users to remove the hidden web server.

Zoom’s preference for convenience over security bit it again with the rise of Zoombombing, a phenomenon that exploited the relative ease with which anyone can discover Zoom meeting IDs and join random meetings for espionage and vandalism. The problem stems from Zoom’s use of 9- to 11-digit meeting IDs, a space small enough to sweep, combined with the original default setting (since changed) of not password-protecting new meetings. It didn’t take long before attackers figured out they could find open meetings by scanning the ID space, eventually automating the process with a tool, zWarDial, that evades Zoom’s lockout by routing attempts through multiple Tor proxies and can find about 100 meetings per hour.

(Screenshot via Zoom)

Zoom responded by changing the default behavior for new meetings to include a password and use a waiting room (which allows hosts to control who enters a meeting), although users can override these settings. However, even meetings with a password aren’t immune to Zoombombing, since:

  1. Hosts for meetings with large audiences, like online classes or webinars, often share the meeting URL, which embeds the password, and …
  2. Meeting defaults allow any participant to share their screen, a setting that can be overridden, but is buried behind an ‘Advanced settings’ menu.
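To make the mechanics of ID scanning and the lockout bypass concrete, here is a toy simulation, added as an example and not Zoom's code or zWarDial's: a service with a per-source lockout, a scanner that sweeps a window of 9-digit IDs first from one address and then from 30 rotating proxies, and the same sweep against meetings that require a password. The ID length, lockout threshold, sample IDs and proxy names are constructed assumptions.

```python
"""Toy model of meeting-ID wardialing against a conferencing service.

Added illustration, not Zoom's code. The ID length, the per-source lockout
threshold and the sample IDs are constructed assumptions, not Zoom's real
limits. It shows why a per-source lockout does not stop a scanner that
rotates requests across many proxies, and what a required password changes.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 10  # assumed: failed joins per source before that source is blocked


class MeetingService:
    """Minimal stand-in for a join endpoint (constructed, not a real API)."""

    def __init__(self, live_ids, require_password=False):
        self.live = set(live_ids)
        self.require_password = require_password
        self.failures = defaultdict(int)
        self.blocked = set()

    def try_join(self, meeting_id, source):
        if source in self.blocked:
            return "blocked"
        if meeting_id in self.live:
            # The ID is real; whether the caller gets in depends on the password setting.
            return "password_required" if self.require_password else "joined"
        self.failures[source] += 1
        if self.failures[source] >= LOCKOUT_THRESHOLD:
            self.blocked.add(source)
        return "invalid"


def wardial(service, candidate_ids, sources):
    """Probe candidate IDs, rotating requests round-robin across source addresses.

    Returns the IDs that could be joined outright, the IDs that exist but
    demanded a password, and how many probes were refused by a lockout.
    """
    result = {"joined": [], "live_but_locked": [], "refused": 0}
    for i, mid in enumerate(candidate_ids):
        outcome = service.try_join(mid, sources[i % len(sources)])
        if outcome == "joined":
            result["joined"].append(mid)
        elif outcome == "password_required":
            result["live_but_locked"].append(mid)
        elif outcome == "blocked":
            result["refused"] += 1
    return result


# Constructed sample data: three live 9-digit meeting IDs planted in a window
# of 300 candidate IDs (a real scan would sweep vastly more of the 10^9 space).
LIVE_IDS = {123456789, 555000111, 900000001}
CANDIDATES = [100000000 + i for i in range(300)]
for _pos, _mid in zip((50, 150, 250), sorted(LIVE_IDS)):
    CANDIDATES[_pos] = _mid


def scan_single_source():
    """One source address: the lockout bites after LOCKOUT_THRESHOLD misses."""
    return wardial(MeetingService(LIVE_IDS), CANDIDATES, ["198.51.100.7"])


def scan_via_proxies(n_proxies=30, require_password=False):
    """Spread the same probes over n_proxies exit addresses (Tor-style rotation)."""
    proxies = [f"proxy-{k}" for k in range(n_proxies)]
    return wardial(MeetingService(LIVE_IDS, require_password), CANDIDATES, proxies)


if __name__ == "__main__":
    print("one source:     ", scan_single_source())
    print("30 proxies:     ", scan_via_proxies())
    print("plus passwords: ", scan_via_proxies(require_password=True))
```

The single-source scan is shut out after ten misses and finds nothing; spread over thirty proxies, the same probes never trip the lockout and turn up every live ID, which is the zWarDial trick in miniature. With passwords required the scanner still learns which IDs exist but cannot enter them, which is exactly why a password protects a meeting only until its host pastes the password-bearing URL into a public post.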

Indeed, the problem of Zoombombing became so acute that the FBI’s Boston office issued a warning and the following guidance (emphasis added):

As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. The following steps can be taken to mitigate teleconference hijacking threats:

  • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

(Screenshot via Zoom)

Privacy another casualty of Zoom’s carelessness

Three recent revelations also illustrated a company indifferent to, if not outright disdainful of, users’ privacy.

(1) Zoom was sending user metadata and application activity to Facebook. According to an analysis by Motherboard:

The Zoom [iOS] app notifies Facebook when the user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user's device which companies can use to target a user with advertisements.

Once caught, Zoom apologized for “the oversight” and updated its iOS app, but that wasn’t enough to prevent an investigation into Zoom’s privacy practices by New York’s Attorney General.

(2) Zoom oversold the extent and quality of its meeting security by claiming to use end-to-end encryption. Instead, independent investigators found that meeting content is only encrypted between each endpoint and Zoom’s servers, not between the participants themselves, so Zoom’s own systems, and anyone with administrative access to them, can get at the unencrypted content. Worse yet, the company encrypts meeting audio and video with AES-128 in ECB mode, which encrypts every 16-byte block independently: identical plaintext blocks produce identical ciphertext blocks, so patterns in the unencrypted input survive in the output. That is a weakness of the mode rather than of AES itself, and it is why ECB is avoided for bulk data.
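Here is what “preserves patterns” means in practice, as an added example rather than anything from Zoom or Citizen Lab: a block cipher run in ECB mode beside the same cipher in CBC mode, over a plaintext made of one repeated block. The cipher is a 4-round Feistel network keyed with HMAC-SHA256, a labelled stand-in for AES so that only the standard library is needed; the key, IV and sample plaintext are constructed.

```python
"""ECB versus CBC: why ECB mode preserves plaintext patterns.

Added illustration, not Zoom's code. The 16-byte block cipher below is a
4-round Feistel network keyed with HMAC-SHA256, a stand-in for AES so the
example runs on the standard library alone; identical plaintext blocks
giving identical ECB ciphertext blocks is a property of the mode, not of
the particular cipher.
"""
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, rnd, half):
    # Keyed PRF for one Feistel round; 8 bytes to match the half-block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # Every block is encrypted on its own: same input block, same output block.
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))

def ecb_decrypt(key, ciphertext):
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))

def cbc_encrypt(key, plaintext, iv=None):
    # Each block is XORed with the previous ciphertext block (a fresh random IV
    # for the first) before encryption, so plaintext repeats do not show through.
    prev = os.urandom(BLOCK) if iv is None else iv
    out = [prev]
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, ciphertext):
    chunks = _blocks(ciphertext)
    prev, out = chunks[0], []
    for c in chunks[1:]:
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))

def distinct_blocks(ciphertext):
    return len(set(_blocks(ciphertext)))

# Constructed sample: one 16-byte block repeated four times, standing in for
# a video frame with large uniform regions.
KEY = bytes(range(16))
PLAINTEXT = b"ATTACK AT DAWN!!" * 4

def pattern_leak_demo():
    """Return (distinct ECB blocks, distinct CBC blocks) for PLAINTEXT."""
    ecb = ecb_encrypt(KEY, PLAINTEXT)                 # 5 blocks: 4 data + 1 padding
    cbc = cbc_encrypt(KEY, PLAINTEXT, bytes(BLOCK))   # fixed IV only for reproducibility
    return distinct_blocks(ecb), distinct_blocks(cbc)

if __name__ == "__main__":
    print("ECB distinct blocks of 5: %d; CBC distinct blocks of 6 (IV included): %d" % pattern_leak_demo())
```

ECB yields five ciphertext blocks of which only two are distinct (the four identical data blocks collapse to one value, plus the padding block), so an observer sees the structure of the input without recovering the key. CBC chains each block into the next and yields six distinct blocks, IV included. This is a confidentiality leak from the mode; it says nothing about AES-128 itself being breakable.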

(3) Beyond the lack of end-to-end encryption, the same investigation found that Zoom, which conducts much of its R&D in China, sometimes distributed the AES-128 meeting keys from servers in China and in some cases routed meeting traffic through Chinese-domiciled servers, even when every participant was outside China. According to research by Citizen Lab at the University of Toronto (emphasis added),

During a test of a Zoom meeting with two users, one in the United States and one in Canada, we found that the AES-128 key for conference encryption and decryption was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, 52.81.151.250. A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.

(Figure via Citizen Lab, “Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings”)

From disregard to acknowledgment

After a month of almost non-stop revelations of Zoom security holes, the company’s founder and CEO, Eric Yuan, finally took action, releasing a blog post that opened with a mix of rationalization and apology but concluded by itemizing the steps Zoom has taken and intends to pursue over the next 90 days “to better identify, address, and fix issues proactively.”

By freezing new features and “shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues,” Yuan seems to recognize that by violating the trust and privacy of its users, Zoom risks squandering its market-leading position and the enormous opportunity today’s WFH environment presents. The company is taking meaningful steps to regain users’ trust by recruiting independent experts and Zoom users to review its work, along with issuing a report detailing “information related to requests for data, records, or content.”

Yuan’s apology tour continued via an interview with the Wall Street Journal in which he admitted last Friday that:

“I really messed up as CEO, and we need to win their trust back. This kind of thing shouldn’t have happened. ... If we mess up again, it’s done. … I thought a lot last night.”

The source of Yuan’s epiphany doesn’t seem to be the numerous reports over the past year, but rather the growing backlash from paying enterprise customers including many school districts and Elon Musk’s SpaceX, which recently banned employees from using Zoom citing “significant privacy and security concerns,” according to a memo leaked to Reuters.

My take

Zoom isn’t the first company to get sloppy in the midst of phenomenal growth; its peak daily usage has exploded since December to 200 million. Unlike the arrogant founders of Uber and WeWork, however, Yuan seems to recognize that the company made severe mistakes in the pursuit of convenience and hyper-growth.

Unfortunately, Zoom’s course correction has been slow enough to provide competitors with an opening to siphon off users in what remains a dynamic market for video conferencing services. Indeed, Microsoft just released a lengthy blog post extolling its “commitment to privacy and security in Microsoft Teams.” BlueJeans Network issued a similar proclamation about its security policies.

Google is also trying to capitalize, wooing customers to its platform by enhancing features. It recently increased the size limit for group calls using Duo and extended premium features for Hangouts Meet to all G Suite customers through Q2. Likewise, Webex upgraded its free plan to eliminate meeting time restrictions, increase capacity to 100 participants and allow phone dial-ins.

Hopefully, Zoom’s problems will result in a more secure, robust product; in the meantime, enterprises don’t lack for choices when selecting a video conferencing system. While Zoom’s convenience made it the default choice for many, competitors offer compelling alternatives that are, at least currently, more secure. Organizations already using SaaS productivity suites from Microsoft or Google should default to their bundled products; others shouldn’t be stampeded into Zoom by peer pressure, but should take advantage of the generous trial offers most vendors currently extend to test drive some competitors.
