Our thoughts on Zoom
by Varun Hemachandran on April 18, 2020
Ever since the pandemic broke, the world has flocked to video conferencing for everything from online Yoga classes, to everyday work meetings, to online courts. A large part of this new demand has moved towards Zoom, a previously little known company whose products have now become ubiquitous with the remote workspace. The estimated net worth of its founder has grown by more than $4 Billion since the pandemic broke.While there’s no evidence to suggest that any sensitive data was being sent to Facebook, the fact that there was no acknowledgement of this practice in any of Zoom’s documentation made this ripe for a class-action lawsuit.
Ever since there’s been an avalanche of scrutiny into Zoom’s security practices and exposure of vulnerabilities that put its users at great risk. The important milestones in this saga, post the first investigation by Motherboard, are listed here:
- March 30: FBI issues a warning, identifying the phenomenon of “Zoombombing” for the first time. Online classrooms get disrupted by miscreants, who invade online conferences and either disrupt the meeting or share lude images, including pornography
- March 30: Another investigation by The Intercept highlighted how Zoom might be deceiving users about the quality of its end-to-end encryption. Specifically, what Zoom defines as end-to-end encryption, is not end-to-end encryption as the general market understands it. So, while the connection was secure and private from outside snooping, Zoom itself had access to the unencrypted data
- ~April 1: More bugs are detected in the Windows and MacOS apps of Zoom. The windows app allowed a remote user to potentially take control of your webcam and microphone, while the MacOS app created vulnerabilities in Mac systems that would potentially allow malicious code to inherit “Root” permissions on your system – the highest level of privilege on a Mac system
- April 1: Yet another investigation by Motherboard found that Zoom was leaking email IDs and photos to people through a Company Directory feature. This gave people access to potentially hundreds of thousands of contacts that weren’t known to them
- April 2: A feature on Zoom was found to be leaking details of people from their LinkedIn accounts
- April 2: Hackers were using a tool to automate farming of meeting IDs. In their research, they discovered 100 Zoom meeting IDs in an hour and gathered information for nearly 2,400 Zoom meetings in a single day
- April 3: Recordings of Zoom calls were left exposed on the open web. After an investigation by the Washington Post, it was found that all your recorded Zoom calls were available to anyone on the web, unsecured
- April 5: Calls mistakenly routed through Chinese whitelisted servers. Zoom admitted that its calls were accidentally routed through servers in China when it shouldn’t have been
- April 6 & April 13: 352 Zoom accounts were found on the dark web, followed by a further 500,000 accounts
- April 15: A bug with a bounty of $500,000 on the dark web was discovered that could cause industrial-scale espionage. The bug relates to both Windows as well as MacOS, although the Mac exploit was less serious than Windows
- April 16: 2 more critical Zoom exploits were discovered. These exploits allowed people to download recorded videos of Zoom calls from the cloud, even if the user had deleted them
- April 22: A new malware that could trigger a recording of your meetings without letting everyone know, was discovered
A series of blunders has lead to 4 class-action lawsuits against Zoom, plus lawsuits against both Facebook and LinkedIn. Several governments, such as Singapore and Germany have either issued bans or advisories against the usage of Zoom. Space X famously banned its employees from using Zoom for official purposes.
So, what’s the case for continuing to use Zoom?With over a 1000 signees for the event, we were faced with the challenge of moving to a completely new platform for our final webinar in the series.
Ever since the Government of India, came out with an advisory that banned officials from using Zoom for work, there’s been enormous pressure on organizations like ours to switch to other platforms. On April 16, as the advisory was released and making waves in the media, Agami was caught off guard in the middle of a 5 day long webinar series for Online Dispute Resolution. With over a 1000 signees for the event, we were faced with the challenge of moving to a completely new platform for our final webinar in the series. There was little time to assess the risk to our community, and so we made the decision to shift to WebEx. Not before a subset of the team, including myself, spent the entire night trying demos of various alternatives and reading reviews of competitors.
We concluded that Zoom did provide for the best overall experience and that Webinars themselves were not at any security risk to our community base. However, it would be untenable to continue using Zoom immediately in the aftermath of the media blitz around Zoom. We decided that the responsible decision to make, would be to move to another stable platform in the interim, till we had a chance to fully address the concerns of our community and the Zoom platform.
Our experience of WebEx was not flattering to say the least. If anything, the shift to another platform and the testing of at least 8 other platforms gave us a renewed appreciation for the ease of use and superior functionality that Zoom provided. It was clear, at least for our use case, that Zoom was perhaps still the best platform to be on.
But how do we reconcile the security issues? We did write to Zoom asking for their response to the multiple advisories by various governments and organizations. Zoom did respond by saying they’ve applied new encryption protocols, moving to a 256-AES encryption, similar to the encryption used by banks and payment apps. Furthermore, Zoom did apply the option for us to choose which countries’ servers we could route our data through. This allowed us to disable China, Hong Kong and other countries through which we did not want data passing through, even at the cost of some performance.
Over the past few days, I’ve researched dozens of articles and papers on Zoom to ensure we at Agami secure our Zoom account to to the best possible degree for our staff, as well as our community. Though we are limited by the strength of Zoom’s own systems, we think that the intense scrutiny of Zooms functioning actually makes the platform more secure than lesser-known ones, whose own flaws may yet to be exposed. Even as some governments have issued advisories against the use of Zoom, others have in fact decided to continue the use of Zoom. And despite Zoom’s patchy history with security, the new scrutiny of its systems by the US Senate, the FBI, multiple governments in Europe and Asia, have forced Zoom to take affirmative action, including rolling out regular patches and upgrades to the Zoom system; hiring of an external security consultant to lead Zoom’s “Security-first” approach to product development.
Zoom has also implemented a slew of other security measures, as well as issued advisories to users to secure their own account. These advisories include measures you can take to secure your account from “Zoombombing”, and other security attacks.
Measures Agami has taken to secure its Zoom account
Agami, specifically has reviewed these measures and done the following:
- Enforcing only local recording on the Host’s PC, rather than recording meetings in the cloud. This prevents our meetings from going online and potentially being vulnerable to any weaknesses in Zoom’s cloud infrastructure
- Disabling “Join before Host” for all meetings
- All meetings require a password by default, whether scheduled or instant
- Disabling audio via phone. This was done to avoid the risk of poor encryption over phone lines. Phone lines do not have the same encryption protocols as Zoom apps on other devices
- Muting participants upon entry. This is more to ensure proper etiquette on video calls, and avoid interruptions from late attendees joining the call with their mics turned on
- Enabled Encryption for 3rd Party Endpoints
- Disabled file transfers between meeting participants
- Disabled remote-control, in case someone accidentally gives control to their PC in a call
- Allow the option for Hosts to report participants for abusive behaviour. This could get bad actors bumped off the platform
- Disabled far-end camera control and other similar options that may allow 1 user to take control of peripherals of another through Zoom
- Identify guest participants in the meeting/webinar. If anyone who doesn’t belong to our Zoom account attends the call, they are highlighted in the participant list
- Selecting only safe data centres in countries we believe that do not pose a risk to data security