Zoom and other teleconferencing platforms have increased in popularity during the COVID-19 crisis as businesses and consumers use it for communication whilst working from home. However, in the last few days, there were a number of issues identified in the Zoom security and there were questions regarding its suitability for medical use.
Researchers Uncovered Zoom Security Problems
A number of Zoom security issues and privacy concerns were identified in the last few days. Apparently, the macOS installer uses malware-like techniques to install the Zoom app without the users giving a final confirmation. This method could possibly be exploited and used for malware delivery.
Zoom’s macOS client version has two zero-day vulnerabilities identified, which could enable a local user to elevate privileges and acquire root privileges, without having an administrator password. He could then access the microphone and webcam to intercept and capture Zoom meetings.
Zoom’s feature that makes it simpler for business users to locate other people within the organization was furthermore leaking information such as the profile photos, email addresses, and statuses of users. The Company Directory function automatically adds individuals to a user’s list of contacts if they have the same email address domain. A number of users reported that strangers were added to their contact lists after signing up using their personal email addresses.
There were additionally a lot of reported incidents of Zoom-bombing. Uninvited persons were able to join meetings by guessing meeting IDs using brute force tactics. The FBI lately publicized an alert after a surge in hijacking attacks. People have reported hacking of Zoom meetings, abuses of meeting participants, and showing pornography using the screen share feature.
There are some news as well about the sharing of users’ background information with Facebook through the Facebook SDK. This is true even for users who have no Facebook accounts.
Zoom Doesn’t Offer End-to-End Encryption
The Intercept reported that Zoom’s implementation of end-to-end encryption doesn’t cover video meetings. According to Zoom’s spokesperson, it is not possible at this time to implement E2E encryption on Zoom video meetings. Zoom video meetings employ both TCP and UDP, but only UDP connections are encrypted.
The data encryption used is the same as the technique used to secure communications involving an HTTPS website and a web browser. With transport encryption, information that is moving from client to client is secured using encryption on communications between meeting participants. However Zoom’s audio and video content are not encrypted.
Zoom explained that although it is possible to access unencrypted users’ data, there are layers of protection set up to safeguard the privacy of users. First, any person including Zoom personnel cannot directly access any information revealed during meetings, which includes – but not restricted to – the audio, video and the chat content material of the meetings. Most importantly, Zoom does not mine individual data or peddle any user data to anyone.
Researchers at University of Toronto’s Citizen Lab research team discovered that the encryption and decryption keys of video conferences were sent to China. A scan indicates that China has five servers and the United States has 68 that evidently operate the identical Zoom server software program just like the Beijing server. We believe that keys were dispersed across these servers. A company mainly serving the North American customers that sometimes sell encryption secrets via the servers in China is possibly worrisome, presented contemplating that Zoom might be lawfully required to reveal these keys to people in Cina.”
Zoom announced in April 3, 2020 that its servers were already whitelisted for use in other areas as a possible backup bridge to make sure that its service is maintained, and that the servers were just utilized in very minimal instances. The problem has been fixed and Zoom announced that the vulnerabilities did not affect Zoom for Government.