Zoom security issues

Zoombombing

  • Zoombombing is where an unauthorized person joins a Zoom meeting or chat session with malicious or mischievous intent.
  • There have been multiple instances of intruders hijacking calls, posting hate speech and pornography, to the extent that the FBI issued a warning to users to exercise ‘due diligence and caution’.
  • Corporate meetings, academic institutions and informal social groups have all been targeted. In the UK, there were reports of a Zoom chat for fans of BBC Radio 4 soap, The Archers being bombarded with “pornography and Nazi swastikas”.
  • Zoombombers had been sharing Zoom meeting IDs, coordinating hacking attacks via online forums and recording their Zoombombing attacks on TikTok and YouTube.
  • ​Many users were failing to password-protect their meetings. Meanwhile hackers had come up with zWarDial, an automated tool for finding open Zoom rooms and meetings. In response, Zoom introduced password protection and ‘virtual waiting rooms’ by default: in other words, the type of common-sense security features that should have been in place in any event.

Encryption

  • In its marketing material, Zoom claimed that its conferencing service is “end-to-end encrypted”. In its most commonly understood sense, end-to-end encryption usually means that communications cannot be intercepted and decrypted at any point during transmission.
  • On the back of Zoom’s seemingly robust encryption credentials, the app had attracted a wide range of security-conscious users. Examples included healthcare providers, government departments, and even the British Cabinet.
  • Research by Citizen Lab showed that Zoom meetings were not actually end-to-end encrypted in the commonly understood sense. Rather, Zoom’s transport protocol encrypts and decrypts audio and video using a rather dated encryption method, AES-128. When it comes to video, this preserves patterns in the input, meaning that intercepted images can remain visible if intercepted.
  • In test calls between two participants in North America, Citizen Lab also observed meeting keys being sent via servers in Beijing. The combination of high profile users, limitations in cryptography and China-based servers was flagged as a potential recipe for nation state attack attempts.

Installer issues

Motherboard discovered that Zoom’s iOS app was sending analytics information to Facebook (e.g. a user’s time zone and city) even if the user did not have a Facebook account. This fact was not made clear in Zoom’s privacy policy. The company subsequently apologised for this and issued an iOS app update.

Zoom: tips for safe usage

  • Opt for private meetings and make use of the waiting room feature to keep control of who is joining the meeting.
  • Instead of using publicly available social media posts, send your meeting links to specific people via direct messaging.
  • Consider disabling screen sharing for non-hosts (this can be done by navigating to Share Screen > Advanced Sharing Options from the host controls at the bottom of the screen).
  • Once all intended participants are in and the meeting has started, lock the meeting to outsiders.

 

Choice and usage of video conferencing software: cybersecurity tips

 

For business uses, opt for business-grade software. This should typically have a wider range of settings to help you stay in control and lock down meetings where required.

Read the security small print. Don’t just go by vague claims made in the marketing material. For instance, if it is stated that the platform features end-to-end encryption, does that apply to actual meetings - or does it just relate to the chat function?

Keep on top of updates and patches. This is essential for ensuring any backdoor vulnerabilities are closed off.

Start using roll calls to monitor access. The frequent failure to exercise any real access control in video conferences is striking, even when sensitive material is under discussion. For instance, one survey found that 50% of conference callers admitted hosting remote meetings when they didn’t really know who was in the room.

Update your access codes. Sometimes these are used and are shared within an organization multiple times and over a long timeframe. As a result, it becomes a lot harder to control whose hands they end up in, making it harder to control access.



Monday, May 4, 2020

« Back