Is Zoom Safe for Work?
With the new vulnerability in the Zoom cloud video conferencing solution announced late last week, companies using Zoom have been asking if Zoom is still safe for work. Usage of this platform is at an all-time high, with people everywhere using Zoom from home for work, school, and personal meetings. In this blog, we will share information about the vulnerability, what threats it poses to your business, and what you can do to be safe while working from home.
The Zoom Vulnerability Details
We've fielded many questions over the last few days and weeks about the vulnerabilities in the Zoom platform. Some of the vulnerabilities are in the platform itself and some are in the way it’s being used. Just like any piece of software, you need to understand how to use Zoom safely. Here’s an update on the technical vulnerabilities people are reporting:
- April 6th Update: Zoom Recordings Exposed
Reported on April 5th by Security Boulevard, the Washington Post uncovered last week that Zoom recordings are stored
- Zoom video call encryption
Reported on March 31st, there are some vulnerabilities in Zoom’s end-to-end encryption for video calls. To be clear, calls still use encryption and are not visible to anyone on the internet, but from a cryptology purist’s perspective, it is not true end-to-end encryption. This doesn’t mean your Zoom calls have no security. Zoom has since altered their marketing language around end-to-end encryption.
Reported on April 3rd by The Intercept, covering an in-depth examination of Zoom’s encryption methods by Citizen Lab at the University of Toronto: Zoom’s implementation of the Advanced Encryption Standard (AES) in Electronic Codebook (ECB) mode makes encryption keys easier to guess. In addition, there are claims that the encryption keys are not long enough. These issues, along with the fact that keys are stored on servers in the US and in China, open up some risks to companies engaged in top secret or highly sensitive video calls.
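To make the ECB point concrete, here is an added example (ours, not Zoom’s or Citizen Lab’s code). The specific weakness Citizen Lab called out is that ECB encrypts every 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and the structure of a frame survives encryption. The block cipher below is a constructed 8-round Feistel toy standing in for AES (same block size, invertible, keyed, but not secure); the key, IV and “video frame” are constructed sample values. It encrypts the same frame in ECB and CBC mode and applies the repeated-block ratio, a simple check you can run over captured ciphertext to tell whether a product is really using an ECB-style mode.

```python
import hashlib
from collections import Counter

BLOCK = 16  # 16-byte blocks, the same block size as AES


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (SHA-256 truncated to 8 bytes).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network standing in for AES: the same structure as a real
    # block cipher (a keyed, invertible permutation) but constructed for illustration only.
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for rnd in reversed(range(8)):
        right, left = left, _xor(right, _round_function(key, rnd, left))
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7 padding
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so equal plaintext blocks give
    # equal ciphertext blocks and patterns in the input survive encryption.
    return b"".join(block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before encryption,
    # so repeated input no longer repeats in the output. The IV is prepended and
    # must be unpredictable per message in real use.
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    chunks = _blocks(ciphertext)  # chunks[0] is the IV
    plain = [_xor(block_decrypt(key, c), p) for p, c in zip(chunks, chunks[1:])]
    return unpad(b"".join(plain))


def repeated_block_ratio(ciphertext: bytes) -> float:
    """Share of 16-byte ciphertext blocks that occur more than once.
    Near 0 for a sound mode; large for ECB over structured data such as video
    frames, so it is a quick sanity check on captured traffic or stored files."""
    counts = Counter(_blocks(ciphertext))
    total = sum(counts.values())
    duplicates = sum(c for c in counts.values() if c > 1)
    return duplicates / total


KEY = b"constructed-demo-key-not-secret!"  # constructed sample key
IV = bytes(range(16))                       # constructed; use os.urandom(16) in practice
# Constructed stand-in for a video frame: a large uniform region followed by detail.
FRAME = b"\x80" * 512 + bytes(range(64))

if __name__ == "__main__":
    print("ECB duplicate-block ratio:", round(repeated_block_ratio(ecb_encrypt(KEY, FRAME)), 3))
    print("CBC duplicate-block ratio:", round(repeated_block_ratio(cbc_encrypt(KEY, IV, FRAME)), 3))
```

On the constructed frame, 32 of the 37 ECB ciphertext blocks are duplicates of each other, while the CBC output has none; the same check applied to real captures is how you would verify a vendor’s claim about its mode of operation without needing the key.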
- Zoom Mac OS X preinstall script
Reported on March 30th, Zoom’s preinstall script for their OS X package doesn’t just do the pre-check, it installs the package. If the Zoom package needs elevated privileges, the user receives a popup asking for their credentials. While this isn’t technically a vulnerability, the way the preinstall script executes makes the Zoom package appear to act more like malware than a legitimate application.
- MOSTLY FIXED: Zoom puts your passwords at risk
Reported first on March 23rd and made more public on March 30th, 2020, Zoom chats turn UNC paths into clickable links. The vulnerability allowed an attacker to trick a user into clicking on a link that would send their username and password hash to the attacker’s site. Zoom released a patch on April 1st to fix this bug; however, if an attacker can gain access to your Zoom call, they can still send you a malicious link. This exposes vulnerabilities that may exist in the underlying systems on your computers, which ARE NOT ZOOM VULNERABILITIES.
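The root cause here is a linkifier that is too generous about what counts as a link. Below is an added example (our own illustration, not Zoom’s code) of a chat renderer in the naive form and in a hardened form: the naive one turns anything that looks like a URL or a UNC path (`\\host\share`) into an anchor, while the hardened one only creates anchors for targets whose scheme is on an allow-list and leaves everything else as plain text. The `find_unc_paths` helper is the same check expressed as a detection a chat gateway or DLP rule could apply to messages. The hostnames in the sample message are constructed.

```python
import html
import re
from typing import List
from urllib.parse import urlsplit

# Anything that looks like a URL or a UNC path. A naive linkifier treats every
# match as clickable, which is the behaviour behind the reported bug.
_LINK_CANDIDATE = re.compile(r'https?://[^\s<>"\']+|\\\\[^\s\\]+\\\S*')

# UNC paths on their own, for detection in transit or in logs.
_UNC_PATH = re.compile(r'\\\\[^\s\\]+\\\S*')

ALLOWED_SCHEMES = {"http", "https"}


def _render(message: str, allow) -> str:
    """Escape the message for HTML and wrap each allowed candidate in an anchor."""
    out, pos = [], 0
    for m in _LINK_CANDIDATE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        target = m.group(0)
        if allow(target):
            out.append(f'<a href="{html.escape(target, quote=True)}">{html.escape(target)}</a>')
        else:
            out.append(html.escape(target))  # rendered as text, never clickable
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


def linkify_naive(message: str) -> str:
    # Vulnerable form: every candidate becomes a link, including \\host\share paths.
    return _render(message, lambda target: True)


def linkify_safe(message: str) -> str:
    # Hardened form: only http(s) targets become links. urlsplit() returns an empty
    # scheme for a UNC path, so it falls through to plain text.
    return _render(message, lambda target: urlsplit(target).scheme.lower() in ALLOWED_SCHEMES)


def find_unc_paths(message: str) -> List[str]:
    """Return UNC paths present in a message, for alerting or stripping."""
    return _UNC_PATH.findall(message)


# Constructed sample chat message: a normal link plus a UNC path to a share.
SAMPLE = r"Slides at https://example.com/deck and \\files.example.invalid\share\notes.txt"

if __name__ == "__main__":
    print("naive :", linkify_naive(SAMPLE))
    print("safe  :", linkify_safe(SAMPLE))
    print("UNC   :", find_unc_paths(SAMPLE))
```

The application-side fix is the allow-list; the system-side exposure the paragraph above refers to is Windows sending NTLM credentials to whatever host a clicked `\\host\share` link names, and the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” limits that regardless of which application rendered the link.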
- FIXED: Zoom leaks data to Facebook even if you don’t have a Facebook account.
As reported by Motherboard on March 26th, the leak did not expose personal information (PI) to Facebook, but did disclose device make, model, browser type and coarse geographic data to Facebook. This leak was shut down by Zoom within days and is now closed.
- FIXED: Zoom allows attackers to install malware
On April 1st, two vulnerabilities impacting Mac OS X were reported on TechCrunch. One takes advantage of the above-mentioned preinstall script behaviour to piggyback malware on a Zoom package installation. The second allows an attacker to use a computer’s mic and webcam without the user knowing. Zoom released a patch that addresses both issues.
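Both the preinstall script item above and the malware-piggybacking item it enabled come down to the same practical check: before deploying a macOS installer package fleet-wide, expand it and read what its install scripts actually do. The following is an added example (ours, not Zoom’s or Apple’s code) of a small auditor that walks an expanded package tree, such as the output of `pkgutil --expand-full` which also unpacks the Scripts archive, and flags pre/post-install scripts that do more than pre-checks. The patterns are heuristics we chose for the example, and `build_sample_tree` writes two constructed, hypothetical scripts so it runs offline.

```python
import re
import tempfile
import textwrap
from pathlib import Path
from typing import Dict, List

# Things a "pre-check" script has no business doing. Heuristics chosen for this
# example; extend them for your environment.
SUSPICIOUS = [
    (re.compile(r"\binstaller\b.*-pkg"), "invokes the macOS installer itself"),
    (re.compile(r"\b(cp|ditto|mv)\b.*\s/Applications"), "copies a payload into /Applications"),
    (re.compile(r"with administrator privileges"), "AppleScript credential prompt"),
    (re.compile(r"\bsudo\b"), "escalates with sudo"),
    (re.compile(r"\b(curl|wget)\b"), "downloads content at install time"),
]

SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}


def audit_scripts(expanded_pkg: Path) -> Dict[str, List[str]]:
    """Scan every install script under an expanded .pkg tree and return findings
    keyed by the script's path relative to the tree. An empty list means clean."""
    findings: Dict[str, List[str]] = {}
    for script in sorted(expanded_pkg.rglob("*")):
        if script.name not in SCRIPT_NAMES or not script.is_file():
            continue
        hits = []
        for lineno, line in enumerate(script.read_text(errors="replace").splitlines(), 1):
            for pattern, why in SUSPICIOUS:
                if pattern.search(line):
                    hits.append(f"line {lineno}: {why}: {line.strip()}")
        findings[str(script.relative_to(expanded_pkg))] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed sample: one package whose preinstall only checks the OS, and one
    (hypothetical) whose preinstall performs the install and prompts for credentials."""
    root = Path(tempfile.mkdtemp(prefix="pkg-audit-"))
    good = root / "good.pkg" / "Scripts"
    good.mkdir(parents=True)
    (good / "preinstall").write_text(textwrap.dedent("""\
        #!/bin/sh
        # pre-check only: verify the OS version and exit
        sw_vers -productVersion
        exit 0
    """))
    bad = root / "bad.pkg" / "Scripts"
    bad.mkdir(parents=True)
    (bad / "preinstall").write_text(textwrap.dedent("""\
        #!/bin/sh
        # performs the real install from the pre-check hook (constructed example)
        cp -R "$PWD/Payload.app" /Applications/
        osascript -e 'do shell script "/usr/bin/true" with administrator privileges'
        exit 0
    """))
    return root


if __name__ == "__main__":
    for path, hits in audit_scripts(build_sample_tree()).items():
        print(path, "->", "clean" if not hits else "")
        for hit in hits:
            print("   ", hit)
```

Run against a real expanded package, the output tells you whether the vendor’s pre-check script stays a pre-check; a script that copies into /Applications or prompts for administrator credentials from the hook deserves a manual read before you push the package to endpoints.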
Threats to Your Business and Workforce
If you are communicating with friends, colleagues or having conversations or events that you would otherwise have in public, the vulnerabilities listed above should not concern you any more today than in the past.
If you are conducting Top Secret business, are highly regulated or having sensitive conversations (intellectual property, trade secret or discussing anything that would get you in trouble with regulators, authorities or repressive governments), we strongly recommend using another video calling platform until Zoom releases a fix for their encryption stack.
To be fully transparent, we are a Zoom customer and enjoy the features and user-friendliness of Zoom. We will likely continue to be a Zoom customer for the foreseeable future and have high confidence that Zoom will focus their considerable energy and resources on this problem as they have stated in their blog this week.
What to Do if You Do Use Zoom
If you use Zoom over the coming weeks before a patch is released, this blog post from Zoom gives some tips to help keep your video calls safe. Most importantly:
- Use a password.
- Allow only signed-in users to join.
- Do not share your Personal Meeting ID publicly.
- Use a “Waiting Room”.
- Lock the meeting after everyone has joined.
Read more tips to secure your Zoom call here.
Stay safe and as always, contact us if you have any questions. We’re happy to help.