An in-depth look at the recent security issues at Zoom, from security researcher Thunderson.
COVID-19 came like a monster and took over the world. A large number of governments made the decision to go on lock-down and that in return pushed every single company and organization to invest in the infrastructure and setups to enable working from home.
Some of the required technologies to make WFH happen:
- Secure access into the internal network through secure devices (e.g. VPNs).
- Work management solutions to organize tasks for teams and individuals.
- Messaging application for teams to stay connected during working hours (e.g. Slack, Discord).
- Meetings application in order to conduct meetings without having to congregate in a specific, physical location.
This post is going to focus on the news revolving around Zoom, the issues being showcased, and how one should consider the usability of the tool.
Meetings and Video-Conferencing
Due to the way work is conducted on a daily basis, meetings are a necessity in the majority of workplaces. In order to tackle this issue, multiple services present themselves:
- Google Hangouts/Meet
- Cisco Webex
- Citrix GoToMeeting
- Microsoft Teams
And the list goes on.
In no way is this post related to or sponsored by any of the above-listed products, and they are not listed in any particular order.
Unsurprisingly, one of the above applications took an unbelievable amount of heat.
The Zoom Hype
If you look around any news website or follow any security-focused journalist, Zoom is all the hype right now and coming under fierce criticism.
Zoom started out as one of the most widespread conference applications being used, and thus attracted the attention of many communities, among them the cyber security and privacy communities. Bug hunters and security researchers essentially focus on targets that will provide a high return on their investment (e.g. Windows), which could be anything from fame and exposure to selling 0-days.
There's no smoke without fire.
That much can be said, so let's dig deeper to understand what's causing the smoke.
Comparing Zoom to other technologies and companies that are implementing video conferencing for free (I realize that they offer paid plans, but that is not the topic at hand), they should not be the sole receivers of such heat. They are only in the fire because their adoption rate skyrocketed during the current pandemic.
Risks and Issues
Zoom has fallen short on several security and privacy concerns, such as:
- Zoom's web server that was used as workaround to security measures in Apple's systems. It was patched after security reports came out last year.
- Device information was shared through the Facebook SDK on iOS. Zoom was made aware on March 25, and this was patched 2 days later, March 27.
- Local privilege escalation, which is done through the exploitation of a helper tool named zoomAutenticationTool that runs as root. By abusing it, a local user would be able to gain root access on the machine. This was published on March 30, and is patched as of April 1.
- Mic and camera access, achievable through library injection in MacOS by disabling the Hardened Runtime. This was published on March 30, and is patched as of April 1.
- UNC path injection, abusing a Windows feature that allows access to shares. This is no longer viable as of April 1. As this actually relates to a function of Windows and relies on a user interacting with a bad link, the problem isn't specific to Zoom in any way.
- Attendee Attention Tracking, which was disabled as of April 1. This was considered as a feature in Zoom.
- False claims about End to End Encryption (E2EE), wherein Zoom feature documentation misrepresented TLS encryption as end-to-end encryption. This was later clarified by a Zoom spokesperson.
- Zoombombing, which is more or less a form of trolling where uninvited users join unsecured meetings to share disturbing, inappropriate, or humorous (or all of the above) things to the unsuspecting participants. This can be mitigated with proper meeting settings.
- Utilization of Chinese-based servers for some services. Research published on April 3 indicated that some Zoom traffic was being routed through China. Zoom replied on April 3, explaining the design of their data centers and the reason they were ignoring the Chinese geofencing.
- Bad cryptography implementation. The same research mentioned in point #9 also drew attention to a potential discrepancy in documentation wherein Zoom claimed that meetings are using AES-256, but according to observation and a previous statement by Zoom in 2014, they actually employ AES-128. In the same response to that research, Zoom stated that they will endeavor to strengthen their cryptographic implementation while also ensuring widespread usability.
It is clear that Zoom has an issue with its culture and development mindset. It lacks security by design, a concept which endorses applications to implement security from their inception, and as such lowers all future costs pertaining to security and privacy issues that might arise.
Security Response Time
It is clear that Zoom has had its share of issues. However, one can hardly overlook the expeditious nature with which the Zoom team has responded to and tackled security concerns, drawing praise from many in the infosec space.
The company has been one of the most receptive out there in terms of handling security issues. This is rare to find, as companies can sometimes take years to tackle bugs related to security, if they even reply to the researchers informing them at all.
This can be viewed in one of two ways. Either the company is suddenly taking good care of their security, or they’re trying to cover their tracks as the Zoom fiesta dies down and senior executives take huge profits as their share price soars.
Avoid Risks by Modeling
A key practice in engineering is modeling, which in security circles goes by the name threat modeling. Even non-engineers do it in their daily lives (e.g., "I need to cross the street when there are no cars passing by, or I'll get hit by one"). Below are some suggestions that users or hosts should keep in mind to ensure maximum security during their Zoom experience.
Threat modeling is brought up here because it is the way to properly assess and avoid the risks listed above.
- Privacy is almost non-existent in free solutions, as the user is the product (e.g. Google, Facebook, etc.). Zoom has stated multiple times that it respects user privacy, as well as encrypts the data in transit and at rest (yet the employees could theoretically use the key to decrypt and read said data, which the company refuted). This refutation may or may not soothe privacy concerns for users. In the end, this is a third party, cloud-based technology; privacy will always be a black-box, and the company should be kept under review against their privacy SLA. Other top conferencing tools suffer from similar issues, and, as such, Zoom should not be judged and scrutinized as the only sinner in this regard. That having been said, Zoom should not be used for sensitive meetings. Instead, the go-to would be on-premises solutions that can be locked down, ensuring that communication only happens between the users and the servers with security validation. However, not everyone has the proper IT means to implement such systems. In other words, we're barking at trees to give us meat.
- Ensure the usage of passwords for meetings, which should be an obvious security measure taken by any person holding meetings, as meeting IDs are public to allow non-registered users to access them. Thanks to this tool, anyone can grab all publicly exposed and crawled Zoom meetings. To be fair, Zoom could have generated random tokens for meetings instead, but that's an engineering decision with reasoning unknown to us.
- Use the web client instead of downloading the application, which removes risks pertaining to installing tools on any platform.
- Disable the text-based chat service if you're managing a domain, which will help against risks that arise from the application's chat (refer back to the UNC issue). As an alternative, consider using the company's chosen messaging application.
- Activate 2FA (Two-Factor Authentication) to protect the account from takeover attempts. If other, newer and more critical issues arise in the future, it’s best to have your account covered by 2FA.
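The UNC path issue in the risk list and the "disable the chat" suggestion above both come down to one rendering decision: a chat client must not turn \\host\share strings into something clickable. The following is an added example, not Zoom's code or anything from this post's author; it shows a chat linkifier that only makes http(s) URLs clickable, keeps UNC paths and file: URIs as inert text, and reports them so a moderation log can record the attempt (the message text is constructed for the example).

```python
import html
import re
from typing import List, Tuple

# Patterns a chat "linkifier" has to tell apart. UNC paths (\\host\share) and
# file: URIs both resolve to SMB shares on Windows, so a client that renders
# them as clickable links lets one click reach a server the sender chose.
HTTP_URL = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
UNC_PATH = re.compile(r'(?<!\S)\\\\[^\s\\]+(?:\\[^\s\\]*)*')
FILE_URI = re.compile(r'(?<!\S)file:[^\s<>"\']+', re.IGNORECASE)


def find_share_references(message: str) -> List[str]:
    """Return every UNC path or file: URI found in a chat message."""
    refs = [m.group(0) for m in UNC_PATH.finditer(message)]
    refs += [m.group(0) for m in FILE_URI.finditer(message)]
    return refs


def render_chat_message(message: str) -> Tuple[str, List[str]]:
    """HTML-escape a message and wrap only http(s) URLs in <a> tags.

    Returns (rendered_html, blocked) where `blocked` lists the share
    references that were deliberately left as plain text. Because only
    HTTP_URL matches are ever wrapped, a UNC path can never become a link,
    whatever else the message contains.
    """
    blocked = find_share_references(message)
    out, pos = [], 0
    for m in HTTP_URL.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out), blocked


if __name__ == "__main__":
    # Constructed sample message: one legitimate URL, one UNC path.
    sample = "notes at \\\\fileserver.example\\share\\notes.txt and https://example.com/a"
    rendered, blocked = render_chat_message(sample)
    print(rendered)
    print("left inert:", blocked)
```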
Security does not move on the basis of fear mongering, but rather by analyzing risks. No application or tool is free of security issues; complete security is a fallacy.
Although security was clearly not the priority while Zoom was being developed, it is clearly the primary interest now; they have set their feature development on hold and have switched gears to tackle security instead. Based upon the CEO's latest message to the application's users, Zoom is hiring third party experts to tackle the trust, safety, and privacy issues. We suspect they have also hired infosec influencers to help temper the negative noise emanating from the infosec space.
It is crucial to model the applications that you and your company use. Everyone can do it, and everyone should be doing it. Don't let trends overwhelm you; be prepared in advance. Don't use applications blindly, and don't follow trends aimlessly. You are the sole gatekeeper of your security and privacy.
Check SANS's webcast ZOMG it's ZOOM, which discusses how to analyse this whole situation, if this article wasn't quite enough.
We'd like to thank @theprescomm and @kingthorin_rm for reviewing this article, and @secureITtoday and @SeanWrightSec for their opinion and analysis on this situation! A special review was conducted by a student starting out in the security field to ensure the article's readability.