Zoom at Your Own Risk

Zoom — the video conferencing platform that has shot up in popularity in the wake of the ongoing COVID-19 coronavirus pandemic and as remote work becomes the new normal — has become the latest platform to be scrutinised for its privacy and security architecture, or lack thereof.

The app has skyrocketed to 200 million daily users from an average of 10 million in December (along with a 535 percent increase in daily traffic to its download page in the last month), but the last few weeks have also seen an explosion of Zoom's problems, all of which stem from bad privacy and security practices.

To put it bluntly, Zoom has been sloppy. The company, whose product is now used in myriad ways beyond enterprise communication, risks becoming a victim of its own success. It may be great at video chat, but it's nothing short of a privacy and security disaster which went largely unnoticed because of its relative obscurity. Here's a handy timeline of what went wrong and the steps the company has taken so far as it battles a surge in demand:
  1. Last July, the video conferencing app fixed a vulnerability that could let websites hijack users' webcam and "forcibly" join them to a Zoom call without their permission.
  2. Earlier this January, the company squashed another bug that could have allowed attackers to guess a meeting ID and join an unprotected meeting, potentially exposing private audio, video, and documents shared throughout the session. Following the disclosure, Zoom introduced default passwords for each meeting that participants need to enter when joining by manually entering the meeting ID.
  3. Zoom's privacy policy came under criticism for making it possible to collect extensive data about its users — like videos, transcripts, and shared notes — and share it with third parties for personal profit.
    • On March 29th, Zoom tightened its privacy policy to state that "We do not use data we obtain from your use of our services, including your meetings, for any advertising." But it does use the data when people visit its marketing websites, including its home pages zoom.us and zoom.com. Which means, it's still employing third-party trackers on its websites.
  4. Zoom's iOS app, like many apps using Facebook SDK, was found sending analytics data to the social network (such as, when a user opens the app, details on the user's device such as the model, the time zone and city they are connecting from, the phone carrier they are using, and a unique advertiser identifier created by the user's device for targeted advertising) even if the user doesn't have a linked Facebook account. Later, it removed the feature.
  5. Zoom came under the lens for its "attendee tracking" feature, which, when enabled, lets a host check if participants are clicking away from the main Zoom window during a call. On April 2, it permanently removed the attendee attention tracker function.
  6. Security researcher Felix Seele found that Zoom uses a "shady" technique to install its Mac app without user interaction using "the same tricks that are being used by macOS malware," thus allowing the app to be installed without users providing final consent. On April 2, Zoom issued a fix.
  7. Researchers discovered a bug in Zoom's Windows app that could potentially allow an attacker to steal someone's operating system credentials just by sharing network location strings, which the app automatically converts to clickable links. When such a link is clicked on a network that isn't fully locked down, the Windows username and the corresponding hashed password are sent to the address contained in the link. A patch was issued on April 2 to address this flaw and two other bugs reported by Patrick Wardle that allow bad actors to gain root privileges and access the mic and camera on macOS, thereby allowing for a way to record Zoom meetings.
  8. Zoom was caught displaying data from people's LinkedIn profiles, which allowed some meeting participants to snoop on each other. The undisclosed data mining feature automatically matched users' names and email addresses to their LinkedIn profiles when they signed in — even if they were anonymous or using a pseudonym on their call. If another user in their meeting was subscribed to a service called LinkedIn Sales Navigator, they were able to access the LinkedIn profiles of other participants in their Zoom meetings by clicking an icon next to their names — without those users' knowledge or consent. In response, Zoom has disabled the feature.
  9. Zoom's claims that it uses end-to-end encryption to secure communications were proven to be misleading after it emerged that the company can still access video and audio from meetings hosted on its app. It uses TLS encryption, and the company later apologised for causing confusion.
    • The connections from meeting endpoints are encrypted to Zoom's central servers, where the data is decrypted (if organisations have enabled its cloud-based recording option) before being re-encrypted and transmitted to other participants via text, audio, or video.
    • In response, Zoom said it has safeguards in place to "protect our users' privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including — but not limited to — the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone."
  10. Subsequent research by Citizen Lab found that the company was also lying about the type of encryption used, with the keys generated for cryptographic operations "delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber's company, are outside of China."
    • Zoom's White Paper claims that the app uses "AES-256" encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
    • CEO Eric S. Yuan responded, stating that, given the period of high traffic, they were forced to add server capacity quickly, and "in our haste, we mistakenly added our two Chinese datacenters to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them."
  11. Vice revealed that Zoom is leaking thousands of users' email addresses and photos, and letting strangers try to initiate calls with each other. That's because users with the same domain name in their email address (non-standard email providers that are not Gmail, Outlook, Hotmail or Yahoo!) are being grouped together as if they work for the same company. Zoom blacklisted these domains.
  12. On 3 April 2020, the Washington Post reported that it was trivial to find video recordings made in Zoom by searching the common file-naming pattern that Zoom applies automatically. These videos were found on publicly accessible Amazon storage buckets.
  13. Independent security researcher Youssef Abdullah found that if attackers tried to attach a Facebook account to their Zoom account via an organisation's email address that is already in Zoom's database, the interloper could have gained access to all email accounts associated with the account's organisation. On April 1, Zoom issued a fix.
  14. Then there's Zoombombing, where trolls take advantage of open or unprotected meetings and poor default settings to take over screen-sharing and broadcast porn or other explicit material. The FBI issued a warning, urging users to adjust their settings to avoid hijacking of video calls. Zoombombing is now also a crime.
    • Researchers created a new tool called zWarDial, which borrows its name from the technique of wardialing used to automatically scan a list of telephone numbers, that searches for open Zoom meeting IDs, finding around 100 meetings per hour that aren't protected by passwords.
    • Effective April 4, Zoom began enabling the Waiting Room feature (which allows the host to control when a participant joins the meeting) and requiring users to enter a meeting password to prevent rampant abuse.
  15. To help address the wide plethora of issues, Zoom has announced a 90-day freeze on releasing new features, and aims to conduct a comprehensive review with third-party experts, and release a transparency report that details information related to law enforcement requests for data, records, or content.
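
The ECB weakness from item 10, as an added example (not code from Zoom or Citizen Lab): a constructed "audio frame" is encrypted in ECB and in counter mode with the same key, then each ciphertext is checked for duplicate blocks. The block cipher is a hash-based Feistel stand-in for AES-128 so that the script needs only the standard library; the key, nonce and frame are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per block, same as AES

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over HMAC-SHA256). NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently under the same key,
    # so equal plaintext blocks always give equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in split_blocks(plaintext))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Counter mode: encrypt nonce||counter and XOR the result into the data,
    # so the position of a block changes its ciphertext.
    out = bytearray()
    for n, b in enumerate(split_blocks(plaintext)):
        stream = encrypt_block(key, nonce + n.to_bytes(8, "big"))
        out += bytes(x ^ y for x, y in zip(b, stream))
    return bytes(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier block."""
    found = split_blocks(ciphertext)
    return len(found) - len(set(found))

# Constructed sample: 16 blocks, mostly "silence" with two distinct blocks.
KEY = bytes(range(16))   # constructed 128-bit key
NONCE = bytes(8)         # constructed nonce, single use in this demo
SILENCE = bytes(BLOCK)
FRAME = SILENCE * 8 + b"speech-sample-01" + b"speech-sample-02" + SILENCE * 6

def demo() -> tuple:
    """Return (duplicates under ECB, duplicates under CTR) for FRAME."""
    return (repeated_blocks(ecb_encrypt(KEY, FRAME)),
            repeated_blocks(ctr_encrypt(KEY, NONCE, FRAME)))

if __name__ == "__main__":
    ecb_dups, ctr_dups = demo()
    print(f"duplicate blocks: ECB={ecb_dups} CTR={ctr_dups}")
```

An observer without the key can run the same duplicate-block count on captured ciphertext, which is why the silent stretches of the frame remain visible under ECB.
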
As security researchers and privacy advocates continue to dig into Zoom's software and its practices, it's clear the company needs to find a better way to balance default settings, user privacy, and ease of use, and prevent weaponisation of its platform. The product may not have been originally designed for regular consumers, but the problem is that it always was. Zoom's unprecedented popularity — nearly 200 million meetings are held on it every day — is a testament to this fact.
