The Zoom video chat service has experienced an incredible increase in popularity in the last few weeks. As it became undisputed winner among programs used for home office, home schooling and “physical distancing”, the users’ number growth practically exploded. On the pro side, it is a video chat solution as simple and straightforward as possible for participants with different devices and platforms. On the contrary side, increasingly harsh criticism of security standards.
“Zoombombing” – just the tip of the iceberg
The now common term “zoombombing” describes a possible security gap in the service, which caused a great stir, but is actually quite easy to control. By default, all Zoom video chats are public – with the matching group ID, anyone can join, unless otherwise set up. This ID should therefore remain confidential, but can be guessed. With a limitation to 9 to 11 digits, not an impossible task – or often just a Google search away. This has already made it possible to eavesdrop on other people’s meetings and bring in unwanted content. The problems have now been defused with virtual waiting rooms and additional queries or codes. The exact analyses of some security researchers, however, do not give the all-clear for an unscrupulous use of the service and mostly advise against its use. [1]
Application with malware manners?
In general, video chat applications are a complex matter: direct access to microphone, data communication and screen output is usually closely monitored and restricted by the systems to prevent misuse. This serves to ensure the security of the users, because such accesses have a high potential for unwanted exploitation. Zoom advertises with a high degree of user-friendliness. The goal was to require as little interaction and clicks as possible in order to participate in a meeting even as an inexperienced user.
With increasing popularity, the entire service structure of the app was examined more closely. The result of the analyses was not very pleasant: questionable routines are used that are not considered serious or safe. The Zoom application installs itself unsolicited deep within the system, suppresses and confirms further security checks on its own and asks users to enter their password without showing up as a Zoom. These and other procedures were classified as questionable. With these methods, an application cannot be considered secure.
Is promised encryption only marketing?
Another point of general concern is the promised end-to-end encryption. This is a considerable challenge, especially because of the large number of endpoints. While the competition is playing with open cards, Zoom has been advertising with false claims. The promised encryption has not been implemented, only a transport route encryption. Data that runs via Zoom’s central servers can be viewed there by the operator. Complaints due to misleading users have already been announced. [2]
Is the promised improvement even possible?
Zoom is feeling contrite because of the problems, promises improvement and a new focus on the security of the service.[3] This too raises questions: How well can an application be “repaired” without basic implemented security measures? Some security researchers express clear concerns, as even the long-term history of Zoom does not exactly show an exemplary approach.[4]
As a result, more and more companies and organizations from Google to NASA now prohibit the use of the services.
Collaboration Tools as new security vulnerabilities
Apparently, thousands of Zoom accounts are available in underground forums, even from large companies such as banks or consulting firms. However, this problem is not limited to one provider. It is a sign of a general rethink: cybercriminals are looking for new ways to get access to financial information or trade secrets. Tools that are increasingly being used due to initial restrictions represent new opportunities. [5]
Is the use of Zoom now generally not advisable? If you work with sensitive, confidential data, you should definitely look around for other providers. Regardless of the provider, possible risks must be well thought through and services and claims must be carefully examined.
Links:
Cyber-criminals work from home too!
[1] https://nymag.com/intelligencer/2020/04/the-zoom-app-has-a-lot-of-security-problems.html
[2] https://www.computerworld.com/article/3537193/zoom-hit-by-investor-lawsuit-as-security-privacy-concerns-mount.html
[3] https://www.theverge.com/2020/4/8/21213847/zoom-ceo-security-privacy-apology-fix-china-videoconference
[4] https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
[5] https://threatpost.com/compromised-zoom-credentials-underground-forums/154616/