Zoom has been in the news a lot lately. In this post, we try to put the Zoom security situation in perspective. This is a longread™ with a short section at the front for those that just want the takeaways.
I really didn’t want to write an “I told you so” blog post, and when I started writing my instinct was that people should just use Zoom anyway. As you will see if you make it through the post, I’m a little less bullish on just using Zoom and part of the reason is the historical context.
Toward the end, I include a letter I wrote to be delivered to Zoom after their last major snafu (July 2019, when Apple had to patch macOS to protect people who had run Zoom from being exposed). At that time the issue itself was egregious, but more importantly the response was lackluster and showed little understanding of, or conviction about, how to build secure, responsible software.
If you don’t really care about all of the details and background, and just want to know what to do, this section is for you. Our guidance for customers and partners is captured here.
Then you can probably use Zoom without worrying too much.
If the above doesn’t apply to you, you should read this post and understand what you are getting into and go into it with eyes wide open.
Note that we are using Zoom for meetings with our customers but also actively looking for alternatives. When we find one that is as stable and easy to use, we will probably shift hard. Our basic message is: it is ok to use Zoom but you should know what your risks are.
Your risks are:
If you use Zoom:
With so many people working remotely, Zoom has emerged as almost critical infrastructure. Many organizations quickly adopted it as a backbone of their new communications strategy. Frankly, that’s probably because Teams, WebEx, Skype, GotoMeeting, Hangouts, UberConference and lots of other technologies just don’t work as well (in my subjective experience). Other alternatives we’ve tried include Jitsi, Whereby, BlueJeans and Lifesize but we’re still waiting for any of them to match Zoom’s call and video quality.
Zoom is on its way to being the Kleenex of Video Conferencing. We’re getting to the point where we can say “we’re going to Zoom” or “we’re going to get on a Zoom”.
As adoption has increased drastically, Zoom has come under closer scrutiny from a security perspective and several issues have been unearthed. Bruce Schneier wrote a good blog post about this last week. The following sections explore these issues a little deeper, provide some additional historical context, and present a more nuanced conclusion than the one put forward in the Takeaways section above.
Zoombombing is the idea that a user can guess a valid Zoom meeting id and join even though they weren’t invited. This became widely known when it happened to a few classes and the Zoombombers shared inappropriate content.
The thing is, there is inherently no great way to limit who can join without impacting usability.
There are really two levels of protection to this.
If we don’t password protect our meetings, truly random people can guess the ids and potentially join uninvited.
If we do password protect our meetings, this will usually be sufficient to prevent truly random crashers. But someone who actually received the meeting invitation could forward it to someone they want to join to disrupt or spy on a meeting. Or of course, if I hacked someone’s email account that had access to the invitation I would know the URL and password.
Note that this same approach could work with any video conferencing platform that is configured the way Zoom is. Teams is only “more secure” than Zoom if all of the participants are authenticated to Microsoft and invited - which is not strictly required. If I have the link to a meeting, I can potentially join.
Zoom quickly introduced the idea of a Waiting Room, which allows the host to screen attendees before admitting them to the meeting - effectively preventing this sort of Zoombombing.
What you should do to prevent Zoombombing:
There were several privacy related fiascos with Zoom that have mostly been addressed with updates. Doc Searls Blog covers these in detail. Here was his original conclusion:
These “lapses” included using a Facebook SDK and thereby sharing user data with Facebook.
There were also data mining features based on an integration with LinkedIn Sales Navigator that automatically grabbed data from LinkedIn for integration into Zoom meetings, e.g. for “Icebreakers”.
There is extensive ad network tracking embedded in Zoom and it is unclear if Zoom actually sells customer data that it gathers. Because many people use a desktop application for Zoom and not a browser, it is trickier to identify these trackers than it might otherwise be.
In a system with End To End Encryption, such as Signal or FaceTime, a message between two users is encrypted completely throughout the system in such a way that only the two end users can see the messages.
If Bob and Alice are communicating, when Bob sends Alice a message, the underlying technology between Bob’s phone or laptop and Alice’s phone or laptop can’t see the content of the message.
End To End Encryption has a specific meaning. Zoom played fast and loose with it by claiming to employ End To End Encryption when in fact they only support transport-level encryption. What does this mean? Simply put, Bob’s message to Alice could be readable on intermediate servers relaying the messages within the Zoom infrastructure. They were protecting it from external eavesdroppers, but had full access to it themselves.
We note that Zoom appears to be built on top of AWS:
$ dig zoom.us
;; ANSWER SECTION:
zoom.us.                19      IN      A       188.8.131.52

$ dig -x 184.108.40.206
;; ANSWER SECTION:
250.62.202.52.in-addr.arpa. 112 IN      PTR     ec2-52-202-62-250.compute-1.amazonaws.com.
That suggests that the streams of data flowing through Zoom’s servers in AWS might be exposed to:
Nearly every company we work with has this type of exposure, but it is important to understand that Zoom overpromised here in a way that certainly appears sleazy after the fact.
Also note that typical channels such as phone lines, email and other mediums suffer from this very same potential issue. End To End Encryption is hard enough to implement that we would guess that very few systems that we use on a day to day basis actually implement it.
There was a legitimate Windows credential-stealing bug in Zoom, written about by Ars Technica. This points back to a careless approach to security in general. In a more security-conscious organization, someone would have reviewed this code, conducted an ethical hacking exercise, or through some other means identified that this “feature” could be a problem.
The reason this should give us pause is that Zoom has had this happen before.
Last year, Zoom had an egregious security issue that signaled to me (and anyone paying attention) that their security team was either not empowered or not paying attention. Here’s what I said to someone who said they could pass it on to Zoom.
I wanted to capture my thoughts about the recent Zoom security
incident and how it is shaping my impression of their internal
security program in case it is interesting or useful to you.
Feel free to share. I'm always about making the world a better
place so it is intended to be a useful, not just "tear it apart"
type of message.
First, Zoom has had several incidents. Consider for example
this one from late 2018:
I would note that at that time, I did not see a systemic issue.
If you look at the detail, the security problem was very specific,
required substantial research to find and it was addressed
quickly and comprehensively.
With the recent issues, the details were categorically different:
- The issue was gross misjudgment at several layers
- Zoom ran an unauthenticated web server on mac clients,
which is intrusive and risky - and not a minor system design
- The process was undocumented and wouldn't be removed when
you remove Zoom
- Zoom silently re-installed software on machines with this
web server running
The impact of hijacking a person's camera is just one of the actual
security issues here. Consider that Apple is releasing updates that
fix a Zoom issue (!) My impression is that this Zoom issue might be
one of the more serious security issues on Mac in recent memory.
The issue was not acknowledged, understood and dealt with reasonably
- at least not until the community became vocal about it
(and people like me cancelled their company's plans).
Combined, the handling of the recent issue leads me to believe that
the Zoom engineering / security teams cannot be counted on to make
reasonable secure architecture decisions. This may be a skill gap,
a process gap or a political pull gap - it doesn't really matter to
me - I can't reasonably believe that that gap didn't exist for years.
Organizationally, it is impossible to quickly fix a large software
product's security posture - both from a technical and people/process
perspective. Note that this latest issue is not one which a security
tool would have identified. It is so deep and structural that there
is no static analysis or any other type of security tool that could
have prevented it. You could tell me Zoom is spending $5M to improve
and it wouldn't change my mind in any near term horizon. They need
to effect cultural change in the organization and that is hard even
when there are dollars to spend.
We have helped many companies build application security programs.
The symptoms I see here at Zoom point to a lack of a program that
trains, empowers, engages and supports developers. No developer with
security knowledge and organizational support would think that starting
a web server on a local client machine would be a reasonable approach.
It is remarkable that we (Jemurai) are walking away from Zoom and
it will be painful. It is by far the most usable and reliable
conferencing solution we use. But I cannot in good conscience ask
our clients or prospects to install software that I know is likely
insecure. It's not because of this issue. It's because the
information around this issue suggests that there could likely
be more issues that we just don't know about yet.
This is not a hidden solicitation. We are busy. We assume lots
of security companies are jumping at this opportunity to go try
to win business. But I thought the AppSec program perspective
might be useful to keep in mind.
Here’s the kicker for those that couldn’t read through that:
It’s because the information around this issue suggests that there could likely be more issues that we just don’t know about yet.
There are some common security sayings that apply here.
There is always a risk calculation.
Any time we use any system, we make decisions that impact privacy and the security of our personal data. I don’t use Facebook, WhatsApp or Instagram. I prefer services that have better privacy rules.
Most people maybe don’t know the difference, don’t care, or decide that the tradeoff is worth it. It is funny to see a lot of people worry about Zoom while they use other insecure social, file sharing, conferencing and other solutions without realizing these are all part of a risk analysis. Whatever risk analysis we do against Zoom, we need to do the same against any alternative we propose to be making a rational decision.
Note that even phones have inherent risks. It’s just that we believe the threat actors in that case are contained to law enforcement. Whether that is truly the case or not is a whole other question. A guy on my team just told me he could tap my phone in 10 minutes from a spot down the street.
Nothing is 100% secure.
The existence of a security issue is not necessarily the most important part of a security story. The company’s response probably is. I’m just waiting for similar stories about other platforms to emerge. As you can see, there is some history here with Zoom as well, including some underwhelming responses to different issues.
We talked about End To End Encryption a bit. The ironic thing is that if you need that, you probably need to be using something like Signal, which won’t exist in the US if laws pass (e.g. the EARN IT Act of 2020) restricting the use of strong encryption like that. Here is Signal’s blog post about it.
CISOs don’t sleep at night.
That’s because they know that everything is broken, underfunded and not well understood. They live in fear of a breach that is inevitable given the investment in security. One funny side effect of this Zoom story is that maybe CISOs will sleep better. After all, Zoom’s new hired gun, the former CISO at Facebook and Yahoo!, obviously wasn’t negatively impacted by the breaches those companies suffered.
If you’re looking for really secure conferencing software, I wouldn’t trust Zoom. Not because of a current actual security issue, but because their historical stance has been so dang reactive.
Unfortunately, with experience as a security pro, I would bet that many of Zoom’s competitors have similar issues when you look under the microscope - so I wouldn’t trust most of them to be what we need them to be.
If you are willing to live with your data going places it probably already goes (e.g. Google, Facebook and that ecosystem), you believe Zoom has turned the corner on security, and you really want a reliable, usable conferencing service, Zoom is unfortunately still head and shoulders above its competitors in terms of usability.
We are actively looking for alternatives that have a track record of being proactive about security and privacy, because that is important to us.