Everyone’s Talking About Zoom… But Who’s Listening in?

DSC_3662_copy-approved-V2 Everyone’s Talking About Zoom… But Who’s Listening in?
Harvey Boulter, Chairman, Communications Security Group

A couple of months ago few people would have heard of Zoom, let alone be relying on it for social interaction or as a professional tool. Awareness and use of the platform has grown exponentially, from 10 million daily meeting participants in December to 200 million in March. But it seems most of these users don’t fully understand the nature of the tool they’re using or the associated risks.

Last week the UK government was lambasted when Prime Minister Boris Johnson, self-isolating having been confirmed to have Covid-19, tweeted a picture of a virtual cabinet meeting using Zoom and even with the meeting ID clearly visible. In contrast, New York City’s Department of Education has responded to reports of issues impacting Zoom privacy and security, saying “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time.” The New York Attorney General is currently investigating the company.

What then, is the truth about Zoom? The Citizen Lab, an interdisciplinary laboratory based out of the University of Toronto, have issued a report into the confidentiality of Zoom meetings, stating “Given the business value of meetings currently being conducted on Zoom, it is reasonable to expect that the platform is being closely scrutinized by groups engaged in industrial and political espionage, and cybercrime.”

Encryption, flaws and vulnerabilities

Zoom has marketed itself on having end-to-end encryption – a claim that does not stand up to inspection. When challenged on the matter, a Zoom spokesperson admitted, “Currently, it is not possible to enable end-to-end encryption for Zoom video meetings.” Instead, Zoom uses transport or point-to-point encryption, which unlike end-to-end encryption allows Zoom to access the unencrypted video and audio content of meetings. As Matthew Green, a cryptographer and computer science professor at Johns Hopkins University, suggests, “They’re a little bit fuzzy about what’s end-to-end encrypted. I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”

But a lack of encryption is just the tip of the iceberg. A large number of videos from Zoom meetings are viewable and searchable online, with content ranging from company financial info to therapy sessions and school children’s’ classes. The flaw was discovered by Patrick Jackson, chief technology officer at privacy-software Disconnect, who found 15,000 videos in just one search. “This was stuff I didn’t feel good watching, and I doubt all of the people here know these videos are public,” he said.

Unfortunately, these are not isolated incidents; previously reported Zoom flaws have included platform bugs that allowed hackers to compromise security in Apple Macs, and others to steal Windows passwords. In April two new flaws were reported by former NSA hacker Patrick Wardle, who claims they can be used to take over a Zoom user’s Mac, including “tapping into the webcam and microphone”. In other words, not only does the user not have end-to-end security for their Zoom session, but they might end up compromising their personal computer or device.

And the list of flaws continues, including one that allowed hackers to “hijack various components of a live meeting such as forcefully enabling desktop control permissions and sending keystrokes to meeting attendees sharing their screen.” Citizen Lab has even found newer issues with Zoom’s Waiting Room, which it has passed on and will refrain from publishing the details of until “Zoom has had a chance to address the issue.”

Privacy and protection

Zoom’s privacy policy informs us that they collect a host of personal information about the user, including username, email and physical addresses, phone number, job, Facebook profile information, IP address, technology hardware specs, and information created or uploaded. According to technologist Bruce Schneier, up until last month Zoom’s privacy policy stated ‘Does Zoom sell Personal Data? Depends what you mean by “sell.”’ That same privacy policy used to claim the right to collect and store personal data, includes “the content contained in cloud recordings, and instant messages, files, whiteboards … shared while using the service” and could be shared with third parties such as advertisers. Although this was updated last week, for Schneier the message is clear that Zoom “uses all of this surveillance data for profit, against your interests.”

Technology website Motherboard has reported that Zoom’s iOS app sends user data to Facebook – even if the user does not in fact have a Facebook account. Pat Walshe, of Privacy Matters reacted on Twitter, saying “That’s shocking. There is nothing in the privacy policy that addresses that.” Zoom responded, issuing a statement claiming “We were recently made aware that the Facebook SDK was collecting unnecessary device data… We sincerely apologize for this oversight.” Even accepting Zoom’s response that this was inadvertent, it’s hard to argue with Schneier’s statement that “Zoom’s security is at best sloppy, and malicious at worst.”

There are a multitude of other examples of Zoom making design decisions that reduce privacy and security, including installing a hidden web-server on Mac computers to circumvent a Safari popup. Felix Steele, of malware detection firm VMRay, has highlighted a Zoom feature that removes a password prompt during the installation process, which he describes as “not strictly malicious but very shady and definitely leaves a bitter aftertaste. The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.” Another choice that undermines the platforms security is the use of 9 or 10 digit meeting codes, which has led to well-publicized episodes of “Zoom Bombing”. There is even a secret data-mining feature that displays data from meeting participants’ LinkedIn profiles.

Who is behind Zoom?

The prospect of “normal” third parties gaining access to such a treasure trove of personal data is daunting to say the least. However, with their significant operations in China, Citizen Lab asks if Zoom is “a US Company with a Chinese Heart?” They continue, “An app with easily identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China.”

It’s no wonder then that Citizen Lab describes Zoom as “Not suited for secrets” and discourage usage by those that require strong privacy and confidentiality. This multitude of privacy and security issues has even led 19 House Democrats to write a letter to Zoom on Friday, asking for details on their data-collection and recording rules. If you can’t trust a platform’s encryption, programming, privacy policies and potentially even ownership, what else is there left to place your faith in?

Make the secure choice

Cellcrypt offers the highest level of end-to-end, certified encryption for voice, messaging, conference calling and attachments, with mobile and desktop clients that can be downloaded and in use on existing hardware in minutes. The platform integrates with existing IT infrastructure, and offers optional add-ons ranging from regulatory compliance auditing to private stacks that provide full management control, and secure gateways for PBX extensions. Apps and platforms without encryption certification simply cannot be relied upon and will sooner or later result in some form of vulnerability. Cellcrypt was first FIPS 140-2 certified in 2010, with UK CESG CAPS certification in 2012 and of course US NIAP (National Information Assurance Program) certification in 2014. Cellcrypt exceeds Suite B encryption mandated by the NSA for Top Secret communications utilizing a double wrap of AES-256 and ChaCha20-256 with key establishment using ECC-521. Each message or call has a unique encryption key, and each session is authenticated at the end points making spoofing impossible. Cellcrypt is relied on at the most senior level of Governments around the world for its trusted security.

We are proud to have launched our Remote Work QuickStart initiative, offering our military-grade encryption with unparalleled discounts on licenses and full enterprise solutions, supporting government and commercial enterprises affected by the global health emergency. Organizations needing to transition to telework while ensuring business continuity will be able to employ Cellcrypt rapidly to lessen the strain, costs, and vulnerabilities during this emergency.

Please visit our specially set up page more information, and to learn more about how Cellcrypt is contributing our military-grade business solutions during this public health crisis.