The 2019 Novel Coronavirus pandemic has forced many employees into telecommuting with them maintaining contact with the office through videoconferencing apps such as Zoom. Zoom has proven to be one of the most popular choices during the COVID-19 crisis, registering a 535% increase in traffic in the past month, but the number of Zoom security concerns have been mounting.
Zoom Security Concerns are Mounting
Zoom security concerns have been mounting over the past few days following the discovery of new security flaws and the rise in Zoom meeting hacking incidents, known as Zoom bombing. Taken in isolation, each issue is worrying, but together they add up to a privacy and security disaster. Security researchers have called the platform “fundamentally corrupt,” with others going further and claiming Zoom is “essentially malware.”
macOS Installer Acts Like Malware
Zoom used a very shady trick for its macOS installer, which was highlighted this week by software engineer Felix Seele. When apps are installed on Mac computers, the user must give final consent before the app is installed, but the Zoom installer bypassed that step using a technique common among malware developers.
According to Seele, “[Zoom uses] preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed).” By doing so, the standard step-by-step installation process that users are familiar with is skipped and the application is installed automatically without the user giving final consent. This is how malware is installed on Macs without the user’s knowledge.
Zoom responded quickly to the discovery and released an update within two days to correct the flaw. The installer now installs the Zoom client through a manual process with final consent now required, as is the case with other apps for Macs.
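A practitioner reviewing third-party installers will want a way to catch this pattern before deployment. The following script is an added example, not Zoom’s code or the researchers’ tooling: it scans the preinstall/postinstall scripts of a package that has been expanded with macOS’s pkgutil (the expansion step and the sample script below are assumptions; the script embedded here is constructed to mirror the behaviour described above, not the real installer script).

```python
"""Flag macOS installer preinstall scripts that install the payload themselves.

Added example (not Zoom's code). Assumes the .pkg has been expanded with
`pkgutil --expand-full Installer.pkg outdir` so its scripts are readable files.
"""
import os
import re
from typing import Dict, List

# Each pattern is paired with the behaviour it indicates. These are
# heuristics, not proof; review every hit by hand.
INDICATORS: Dict[str, str] = {
    r"\b7z[a-z]?\b": "bundled 7zip extraction (payload unpacked by the script)",
    r"/Applications/": "writes directly to /Applications",
    r"\badmin\b": "checks membership of the admin group (avoids prompting for root)",
    r"\b(?:cp|mv|ditto)\b.*\.app": "copies an .app bundle itself",
    r"\blaunchctl\b": "loads a launchd job (persistence/background service)",
    r"\bcurl\b|\bwget\b": "downloads additional content at install time",
}


def scan_script(text: str) -> List[str]:
    """Return human-readable findings for one preinstall/postinstall script."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # ignore comments, the shebang and blank lines
        for pattern, meaning in INDICATORS.items():
            if re.search(pattern, stripped):
                findings.append(f"{meaning}: {stripped}")
    return findings


def is_suspicious(findings: List[str]) -> bool:
    """A script that unpacks an archive and copies it into /Applications is
    doing the installer's job before the user has consented."""
    return any("7zip" in f for f in findings) and any("/Applications" in f for f in findings)


def scan_expanded_pkg(root: str) -> Dict[str, List[str]]:
    """Walk an expanded package tree and scan every preinstall/postinstall script."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in ("preinstall", "postinstall"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report[path] = scan_script(fh.read())
    return report


# Constructed sample modelled on the behaviour described in the article;
# this is NOT the real installer script.
SAMPLE_PREINSTALL = """#!/bin/bash
# preinstall
if id -Gn "$USER" | grep -qw admin; then
  "$PWD/7zr" x "$PWD/app.7z" -o/tmp/stage
  cp -R /tmp/stage/Example.app /Applications/
fi
exit 0
"""

if __name__ == "__main__":
    findings = scan_script(SAMPLE_PREINSTALL)
    for f in findings:
        print(f)
    print("suspicious:", is_suspicious(findings))
```

Run scan_expanded_pkg on the directory produced by pkgutil to check a real package; the sample run flags the admin-group check, the 7zip extraction and the copy into /Applications, and is_suspicious returns True because extraction and the /Applications write occur together.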
Zero Day Zoom Vulnerabilities Could Serve as a Backdoor for Installing Malware
This week, security researcher Patrick Wardle discovered two flaws in the macOS installer which could potentially be exploited to allow local, unprivileged users to gain root privileges and access users’ webcams and microphones.
Wardle investigated the installer following Seele’s revelation about the shady tactics used to install the Zoom client on Macs and discovered several security issues. The first zero-day is a privilege escalation flaw that could be exploited to gain root privileges and full control of the device, without the attacker even needing the administrator password.
The second flaw is a code injection issue. Wardle showed that it is possible to inject a malicious script into the Zoom client that would give an attacker access to the microphone and webcam. An attacker could also launch Zoom at any time to access the microphone and camera, and could record ‘private’ Zoom meetings.
In order for the flaws to be exploited, an attacker would need to have local access to a user’s device. If malware was already installed on the device, it could be used to exploit the flaws for espionage and surveillance. “Given Zoom’s privacy and security track record this should surprise absolutely zero people,” explained Wardle. Zoom responded quickly to the flaw and the vulnerability has now been addressed.
Zoom Bombing Attacks Prompt FBI Warning
The number of reported cases of video-teleconferencing (VTC) hijacking has prompted the FBI to issue a warning and offer advice on how to defend against attacks. The problem is not limited to Zoom, but the massive popularity of the platform has seen many Zoom meetings targeted in “Zoom-bombing” attacks.
The attacks are possible if a security feature is not activated by the meeting owner. The issue was highlighted back in January by Check Point Research, which reported that attackers could join meetings uninvited if certain settings were not enabled.
When setting up a Zoom meeting, if the “require meeting password” or “waiting room” settings are not enabled, anyone who has the meeting ID can join. While the 9-, 10-, or 11-digit meeting ID should be difficult to guess, the researchers identified a quick and easy way to brute force it, which was possible because of the way meeting IDs were randomly generated.
The researchers were able to automate the brute forcing of the meeting ID and in some cases guessed valid IDs in a matter of seconds and reported a very high level of success. The vulnerability was reported to Zoom and changes were made to make attacks more difficult, but they have continued at high levels. There have been many reported cases of Zoom Meetings being hacked with people joining meetings uninvited, shouting racial abuse and other hate speech, then exiting.
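To see why the two settings matter, it helps to put numbers on the exposure. The script below is an added example, not Zoom’s code or Check Point’s research tooling: it treats the meeting ID as the only barrier when neither setting is on, estimates how many random guesses land on some valid meeting, and lists the settings changes that remove ID-only access. The count of simultaneously valid meetings is a constructed assumption, and the model assumes IDs are uniformly random, so it is an upper bound; the predictable generation Check Point reported would make the real figure lower.

```python
"""Quantify how exposed a meeting is to ID guessing and what the settings change.

Added example, not Zoom's code. The number of valid IDs in use is a constructed
assumption, and IDs are assumed uniformly random, so the result is an upper bound.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class MeetingSettings:
    id_digits: int             # 9, 10 or 11 digits, as in the article
    password_required: bool    # "require meeting password"
    waiting_room: bool         # host admits each participant manually


def id_space(digits: int) -> int:
    """Number of possible meeting IDs of the given length."""
    return 10 ** digits


def expected_guesses(digits: int, valid_ids: int) -> float:
    """Expected random guesses before hitting *some* valid meeting.

    With V valid IDs among N possibilities each guess succeeds with
    probability V/N, so the expected number of tries is N/V. Hitting one
    specific meeting would take about N tries on average.
    """
    if valid_ids <= 0:
        raise ValueError("valid_ids must be positive")
    return id_space(digits) / valid_ids


def joinable_by_id_alone(s: MeetingSettings) -> bool:
    """True when a guessed ID is all that is needed to enter the meeting."""
    return not (s.password_required or s.waiting_room)


def hardening_advice(s: MeetingSettings) -> List[str]:
    """Settings changes that stop a correct ID guess from becoming an intrusion."""
    advice = []
    if not s.password_required:
        advice.append("enable 'require meeting password'")
    if not s.waiting_room:
        advice.append("enable 'waiting room' and admit participants manually")
    return advice


def exposure(s: MeetingSettings, valid_ids: int) -> dict:
    """Summarise the risk for one meeting configuration."""
    open_to_guessing = joinable_by_id_alone(s)
    return {
        "joinable_by_id_alone": open_to_guessing,
        # The guess count only matters when the ID is the sole barrier.
        "expected_guesses_to_any_meeting": (
            expected_guesses(s.id_digits, valid_ids) if open_to_guessing else None
        ),
        "advice": hardening_advice(s),
    }


if __name__ == "__main__":
    # Constructed assumption: 100,000 meetings valid at the same moment.
    for cfg in (MeetingSettings(9, False, False), MeetingSettings(9, True, True)):
        print(cfg, exposure(cfg, valid_ids=100_000))
```

With the constructed figure of 100,000 concurrent meetings, a 9-digit ID space of one billion means a random guess hits some meeting once in every 10,000 tries on average; once either setting is enabled the guess no longer grants entry, which is why the report returns no guess count and lists the remaining hardening steps instead.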
Zoom Exposes Users’ Email Addresses and Photos
Motherboard recently reported that Zoom has leaked at least a few thousand users’ email addresses, profile photos, and statuses as a result of its “Company Directory” setting. This feature automatically adds other people to a user’s list of contacts if they sign up to use Zoom with an email address on the same domain. The purpose of this feature is to make it easier for individuals in the same company to find other company users; however, several users have reported that they signed up with a personal email address and have been grouped together with other individuals as if they were from the same company. Dozens of total strangers have been added to some users’ contact lists. This flaw does not occur with major email services such as Gmail and Hotmail, but it can be an issue with less common email providers.
Zoom has been Slow to Correct Serious Security Issues in the Past
This is not the first time that Zoom security concerns have been raised. Last year, Zoom security was called into question when a bug in the Mac Zoom client was discovered that allowed threat actors to spy on users of the platform via their webcams.
It was not the zero-day bug that was the problem per se, but the response time correcting it. The vulnerability was first identified in March 2019 but it took several months for the flaw to be fixed. A further bug in the platform was identified that allowed attackers to remove people from Zoom meetings, hijack shared screens, and spoof messages from meeting participants. A further flaw was identified that saw Mac users forced into joining meetings without their knowledge as a result of a hidden web server that Zoom quietly added during the installation process.
Zoom Doesn’t Have End to End Encryption as Advertised
One of the major Zoom security concerns raised in the past few days is that Zoom does not have end-to-end encryption, even though the company claims its platform does. Many teleconferencing applications offer communications protected by end-to-end encryption, and Zoom’s website claimed the same. However, The Intercept revealed that Zoom has been falsely advertising the platform as end-to-end encrypted. Zoom’s definition of end-to-end encryption is the encryption of communications from Zoom client to Zoom client, and Zoom itself is able to access users’ video and audio calls.
A spokesperson for Zoom told The Intercept it was not possible to fully implement end-to-end encryption for Zoom meetings, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
The encryption Zoom uses to prevent eavesdropping on meetings is transport encryption, which is not the same as end-to-end encryption. It is the same method used to encrypt connections between browsers and HTTPS websites. With true end-to-end encryption Zoom would only ever handle encrypted content, and since Zoom would not hold the key – only meeting participants would – audio and video would remain totally private. While Zoom says it does not mine data from customers’ meetings, the company does have access to unencrypted audio and video data and could access it should it so wish. Other communication solutions such as Signal and Apple FaceTime have true end-to-end encryption and do not have access to users’ communications.
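The difference between the two models comes down to which party holds the key. The following script is an added example, not Zoom’s code: it models a relay server that terminates each client’s transport encryption, and shows what the server can read when the media is protected only hop by hop versus when a meeting key shared solely by the participants sits inside the transport layer. A SHA-256 counter keystream stands in for TLS/AES so the script runs on the standard library alone; that cipher is a toy and an assumption, not the real protocol.

```python
"""Transport encryption vs end-to-end encryption: who can read the media?

Added example, not Zoom's code. A SHA-256 counter keystream stands in for
TLS/AES so the script runs on the standard library alone; the cipher is a
toy, and the only thing demonstrated is which party holds the key.
"""
import hashlib
import os
from typing import Dict, List, Tuple

NONCE_LEN = 8


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    XOR is its own inverse, so the same call decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class RelayServer:
    """The service in the middle. Each client holds a per-connection transport
    key negotiated with the server (the TLS / AES-over-TLS part of Zoom's statement)."""

    def __init__(self) -> None:
        self.transport_keys: Dict[str, bytes] = {}
        self.observed: List[bytes] = []   # whatever is readable once the transport layer is stripped

    def connect(self, client: str) -> bytes:
        self.transport_keys[client] = os.urandom(32)
        return self.transport_keys[client]

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        """Terminate the sender's hop, record what is visible, re-wrap for the recipient."""
        inner = unseal(self.transport_keys[sender], blob)
        self.observed.append(inner)
        return seal(self.transport_keys[recipient], inner)


def transport_only_call(media: bytes) -> Tuple[bytes, List[bytes]]:
    """The model Zoom described: encryption ends at the server."""
    server = RelayServer()
    k_alice, k_bob = server.connect("alice"), server.connect("bob")
    delivered = server.relay("alice", "bob", seal(k_alice, media))
    return unseal(k_bob, delivered), server.observed


def end_to_end_call(media: bytes) -> Tuple[bytes, List[bytes]]:
    """True E2E: a meeting key known only to participants sits inside the transport layer."""
    server = RelayServer()
    k_alice, k_bob = server.connect("alice"), server.connect("bob")
    meeting_key = os.urandom(32)   # agreed between alice and bob; the server never receives it
    delivered = server.relay("alice", "bob", seal(k_alice, seal(meeting_key, media)))
    return unseal(meeting_key, unseal(k_bob, delivered)), server.observed


def server_could_read(media: bytes, observed: List[bytes]) -> bool:
    return media in observed


if __name__ == "__main__":
    sample = b"constructed sample: confidential meeting audio"   # constructed input
    for name, call in (("transport", transport_only_call), ("end-to-end", end_to_end_call)):
        received, seen = call(sample)
        print(f"{name}: delivered intact={received == sample}, "
              f"server could read={server_could_read(sample, seen)}")
```

In both runs the recipient decodes the media correctly, but only in the transport-only run does the server’s observed list contain the plaintext; in the end-to-end run it holds ciphertext it has no key for, which is exactly the property the article says Zoom advertised but did not provide.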
Encryption/Decryption Keys for Zoom Meetings Sent to Chinese Servers
University of Toronto’s Citizen Lab research group conducted an analysis that revealed another problem with the encryption used to protect users’ privacy. In tests conducted between users in Canada and the United States, the researchers found that the key to encrypt and decrypt video conferences was sent to a server in Beijing, China.
“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers,” explained the researchers. “A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.”
In a blog post published on April 3, 2020, Zoom explained that the issue has now been corrected. Zoom stated that in order to maintain reliability, during times when there is congestion, clients reach out to two secondary datacenters which are appropriate for each region. In this case, the Chinese datacenters had been included and whitelisted for use in other regions, which meant they could be made available to users in other countries.
Zoom has been Sending User Data to Facebook
When the app is downloaded and installed, it connects with Facebook’s Graph API and then sends data to Facebook about use of the app. The data transfers include information about when the app is opened, the user’s device type and model, mobile carrier, and a unique ID for targeting users with ads.
In response to the story, Zoom issued a statement saying, “Zoom takes its users’ privacy extremely seriously. We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data.” Zoom has now removed the offending code.
Zoom also introduced a controversial feature that alerts Zoom meeting owners if meeting participants click away from the screen for more than 30 seconds. This in-app surveillance has attracted a considerable amount of criticism.
Zoom has also been criticized for its lack of transparency over requests received from law enforcement for access to content. While many companies are open about those requests, Zoom does not publish transparency reports. The digital privacy advocacy group Access Now published an open letter to Zoom in March 2020 calling for the company to start publishing transparency reports.
Implications of Zoom Privacy and Security Issues
Many businesses have told their employees to use Zoom while telecommuting, believing the platform ensures private and confidential communications. In business Zoom meetings, sensitive private and confidential company information may be discussed that should not be divulged outside the company. It will be of concern that the audio and video of those meetings are accessible to Zoom employees.
The lack of end to end encryption could have legal implications for employers who have instructed their employees to use Zoom to communicate during the coronavirus lockdown. Employees could potentially sue their employers for not disclosing who has access to their personal information when using the Zoom platform.
Zoom meetings are also being held by the UK government for cabinet meetings – On March 31, 2020, UK Prime Minister Boris Johnson tweeted a screenshot of cabinet members holding a meeting on Zoom – even though the UK Ministry of Defense (MoD) has previously voiced Zoom security concerns and has banned use of Zoom in the MoD.
Zoom, HIPAA, and Patient Privacy
The Department of Health and Human Services’ Centers for Medicare and Medicaid Services recently announced it has expanded coverage for telehealth services during the 2019 Novel Coronavirus public health emergency in the United States. Rather than only providing reimbursement for telehealth services for Medicare beneficiaries in remote areas, reimbursement is being provided for telehealth services for all beneficiaries. During the COVID-19 crisis, many healthcare professionals will be providing telehealth services using videoconferencing platforms such as Zoom.
The HHS’ Office for Civil Rights has issued a Notice of Enforcement Discretion during the COVID-19 public health emergency and, in an unprecedented step, has said that sanctions and financial penalties will not be imposed on HIPAA-covered entities for noncompliance in the good faith provision of telehealth services. OCR also said that videoconferencing services may be used by HIPAA covered entities for the good faith provision of telehealth services, even if use of those platforms may not normally be permitted under the HIPAA Privacy Rule. While public-facing platforms are prohibited (Facebook Live, Twitch, TikTok…), other videoconferencing platforms such as Skype, Google Hangouts Video, and Zoom could be used. Healthcare providers that have been using Zoom for the provision of telehealth services should reconsider the choice given the recently disclosed lack of end-to-end encryption and the security issues, if they want to ensure that patient privacy is assured.
New York Attorney General Raises Zoom Security Concerns
These Zoom security concerns have triggered an investigation by the New York attorney general, who is now scrutinizing the company’s privacy and data security practices. In a letter to Zoom, Letitia James said she is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network,” and questioned whether there has been a broader security review of security practices in light of the increase in popularity of the platform. She also expressed concern in light of Zoom’s slow response to security issues in the past.
Zoom Responds to Backlash About Privacy and Security
On April 1, 2020, Zoom CEO and founder, Eric S. Yuan, explained in a blog post that the company has been experiencing some ‘growing pains’ and that its engineers are working flat out to correct privacy and security issues. “We recognize that we have fallen short of the community’s — and our own — privacy and security expectations,” said Yuan.
Some of the security flaws uncovered in the past few days have already been addressed, and Yuan explained that Zoom will spend the next 3 months concentrating on correcting and improving the privacy and security issues that have come to light in recent days. He also explained that all regular feature development of the platform has been put on hold.
“We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” said Yuan. “These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones.”
Yuan also said the company will be conducting a comprehensive review of the platform and will be engaging third-party security experts and representative users to help ensure the security of the platform for all new use cases.
Zoom Targeted by Cybercriminals
The rise in popularity of Zoom for telecommuting workers has not gone unnoticed by cybercriminals. They are taking advantage of the popularity of the platform for phishing and malware distribution campaigns. According to Check Point, there has been a massive increase in registration of Zoom-themed domains this year in response to the increase in the popularity of the platform. In 2020, 1,700 Zoom-themed domains have been registered, 25% of which were registered in the past two weeks. Check Point’s analysis of the domains revealed 4% have suspicious characteristics. Check Point has also found fake Zoom installers being distributed that are being used to infect users with malware.
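Defenders who receive new-registration feeds can triage brand-themed domains of this kind automatically. The script below is an added example, not Check Point’s tooling: it scores a domain on whether the brand appears in the registrable name, whether it is spelled with look-alike characters, and whether it is combined with lure words such as “download” or “installer”. The feed, the keyword list and the thresholds are constructed assumptions for illustration and contain no real indicators.

```python
"""Triage newly registered domains that borrow the Zoom brand.

Added example, not Check Point's tooling. The domain list below is constructed
for illustration and contains no real indicators; the scoring heuristics are
assumptions a defender would tune to their own feed.
"""
from typing import Dict, List, Tuple

LEGITIMATE = {"zoom.us", "zoom.com"}          # vendor-owned, never flagged (assumption)
BRAND = "zoom"
LURE_WORDS = ("install", "download", "update", "free", "login", "meeting",
              "client", "setup", "app", "support")
# Character substitutions that make a lookalike read as the brand.
HOMOGLYPHS = (("0", "o"), ("1", "l"), ("3", "e"), ("rn", "m"), ("vv", "w"))


def name_part(domain: str) -> str:
    """Everything before the TLD, lower-cased (crude for multi-part TLDs such as co.uk)."""
    return ".".join(domain.lower().split(".")[:-1])


def normalise(label: str) -> str:
    """Undo common look-alike substitutions so 'z00m' compares as 'zoom'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def assess(domain: str) -> Tuple[int, List[str]]:
    """Score a domain; higher means more likely a brand-abusing lure."""
    if domain.lower() in LEGITIMATE:
        return 0, ["vendor-owned domain"]
    raw = name_part(domain)
    norm = normalise(raw)
    score, reasons = 0, []
    if BRAND in norm:
        score += 1
        reasons.append("brand name in registrable part")
        if BRAND not in raw:
            score += 2
            reasons.append("brand spelled with look-alike characters")
        for word in LURE_WORDS:
            if word in norm:
                score += 1
                reasons.append(f"lure keyword '{word}'")
        if "-" in raw:
            score += 1
            reasons.append("hyphenated compound (common in phishing domains)")
    return score, reasons


def triage(domains: List[str], threshold: int = 2) -> Dict[str, List[str]]:
    """Return the domains at or above the threshold with the reasons they scored."""
    flagged = {}
    for d in domains:
        score, reasons = assess(d)
        if score >= threshold:
            flagged[d] = reasons
    return flagged


# Constructed feed of "new registrations"; none of these are real indicators.
SAMPLE_FEED = [
    "zoom.us",
    "zoom-client-download.com",
    "z00m-meeting.net",
    "zoomtownrealty.com",
    "freezoomupdate.org",
    "example.org",
]

if __name__ == "__main__":
    for domain, why in triage(SAMPLE_FEED).items():
        print(domain, "->", "; ".join(why))
```

The threshold is what keeps a domain that merely contains the string (a constructed “zoomtownrealty.com”) out of the queue while a hyphenated brand-plus-“download” name or a zero-for-o substitution is flagged; a score is a reason to look, not a verdict, and the flagged entries still need a human to check the site before they are blocked.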