Zoom Use Update
Because of COVID-19, many companies had to quickly turn to videoconferencing solutions to keep doing business. As millions of workers all over the world were suddenly forced to work remotely, concerns over videoconferencing privacy surfaced. Many of you have seen articles about Zoom privacy in your news feeds. The Facebook SDK was the tip of the iceberg for Zoom’s privacy issues, and many more surfaced last week. Privacy should be important to everybody, and as such we need to take these recent news articles, and their impact on our privacy and our work environment, seriously.
The recent articles raise several issues, which can be grouped into the five categories summarized below. You will also find tips you can apply to adjust your use of the tool and adopt additional safety recommendations.
We advise updating Zoom to the latest version and following normal security practices such as those listed below, and we recommend to our employees the continued use of Zoom in the normal course of business.
As with any technology or similar commercial solution, if you are exchanging classified information in sectors targeted by espionage, a more comprehensive risk assessment should be conducted.
Zoombombing
The news about an FBI investigation of Zoom relates to a recent phenomenon called “Zoombombing”. Zoombombing refers to hijackers trying to infiltrate videoconference sessions without being formally invited. Here are two examples:
- In late March 2020, a Massachusetts-based high school reported that while a teacher was conducting an online class using the teleconferencing software Zoom, an unidentified individual(s) dialed into the classroom. This individual yelled a profanity and then shouted the teacher’s home address in the middle of instruction.
- A second Massachusetts-based school reported a Zoom meeting being accessed by an unidentified individual. In this incident, the individual was visible on the video camera and displayed swastika tattoos.
How to protect against Zoombombing and other similar attacks
As with other videoconferencing solutions, Zoom offers several options that greatly reduce the risk of Zoombombing. Password protection is probably one of the most effective security mechanisms.
As individuals continue the transition to online lessons and meetings, due diligence and caution must be exercised. The following steps can be taken to mitigate teleconference hijacking threats:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a videoconference or classroom on an unrestricted publicly available social media post.
- Provide the link directly to specific people that you invite.
- Password protect a videoconference.
- Create waiting rooms for attendees.
- Require the host to be present before the videoconference starts.
- Manage screensharing options. In Zoom, one can change screensharing to “Host Only.”
- Expel any unauthorized participant or participants.
- Only allow individuals with a given e-mail domain to join.
- In some cases, the host can also mute all attendees.
- Enable or disable recording for a participant or for all participants.
The FBI released this guidance to provide additional recommendations.
Zoom also has a large repository of videos and how-to guides on its site that address each of these settings.
Users must take note of these options and decide which apply to their own requirements or use. A board meeting would obviously not have the same videoconference settings as a Zoom café.
Leakage of personal data to Facebook
Given the current pandemic situation, members of the general population have been signing in to Zoom to connect with friends and family. Many of these users do not have a “corporate” account and have been authenticating to Zoom using their Google or Facebook accounts. On Wednesday, March 25, 2020, Zoom was made aware that the Facebook Software Development Kit (SDK) was collecting device information, such as the device OS and version, and other information unnecessary for Zoom to provide its services.
Zoom has since removed the SDK from its iOS client and reconfigured the feature so that users can still log in with Facebook via their browser.
By then a class-action suit had already been filed by a California resident alleging that the app illegally shared sensitive personal data with Facebook. On the same day, the New York Attorney General's office sent a letter to the U.S. start-up seeking clarification on how users' privacy is protected.
How do you protect against data leakage to Facebook
Corporate users would normally connect to the videoconferencing solution through the Zoom client with their corporate account rather than through a social login.
- Use a Zoom client to log in on Windows or iOS platforms. Do not log in through Facebook.
NTLM Issue - Clickable links in Zoom chats
As Zoom usage explodes, it was recently demonstrated that both regular URLs and UNC paths are converted into clickable links in Zoom chats.
The problem is that when a user clicks on a UNC path link, Windows attempts to connect to the remote host using the SMB file sharing protocol to open the remote file, and by default sends the user’s login name and NTLM password hash along with the request. This hash could be cracked by a skilled attacker with malicious intentions.
How do you protect against the NTLM issue
- First and foremost, users are the first line of defense. Educate your users.
- Never click on a link coming from untrusted individuals!
- Scrutinize any links coming from trusted individuals!!
- Update to the latest Zoom client version (Zoom release notes for 4.6.19253.0401). This version corrected the issue.
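To support the "scrutinize links" advice above, here is an added Python example (not code from this advisory or from Zoom) that scans chat text and separates ordinary http(s) URLs from UNC paths of the form \\host\share\file, reporting the host that Windows would contact over SMB if the link were clicked. The chat lines and hostnames are constructed samples, not real messages.

```python
import re

# Constructed sample chat lines (not real Zoom data); hostnames are placeholders.
SAMPLE_CHAT = [
    "Slides are here: https://intranet.example.com/q2/slides.pdf",
    r"Also on the share: \\fileserver.example.com\public\notes.docx",
    r"try \\203.0.113.7\share\update.exe",
    "See you at 3pm",
]

# A UNC path starts with two backslashes, then a host, a backslash and a share/path.
UNC_RE = re.compile(r"\\\\[^\s\\/]+\\[^\s]*")
URL_RE = re.compile(r"https?://[^\s]+")


def classify_links(message):
    """Return a list of (kind, link) pairs found in one message; kind is 'url' or 'unc'."""
    found = []
    for m in URL_RE.finditer(message):
        found.append(("url", m.group(0)))
    for m in UNC_RE.finditer(message):
        found.append(("unc", m.group(0)))
    return found


def unc_host(link):
    """Extract the host part of a UNC path: the text between the leading \\ and the next \."""
    return link[2:].split("\\", 1)[0]


def triage(messages):
    """Return one alert per UNC path, with the host an SMB connection would be made to."""
    alerts = []
    for msg in messages:
        for kind, link in classify_links(msg):
            if kind == "unc":
                alerts.append({"message": msg, "path": link, "host": unc_host(link)})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_CHAT):
        print(f"UNC path to host {alert['host']!r} in message: {alert['message']!r}")
```

The host value is what a responder needs first: an internal file server is expected, an unknown or external address is not. Blocking outbound SMB (TCP port 445) at the network perimeter is a common complementary control for this exposure, independent of the Zoom client fix.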
End-to-end Encryption Shortfall
One of Zoom's selling points was end-to-end encryption. For those who have worked in this field long enough to understand the complexity of end-to-end encryption, it did not come as a surprise that concerns were reported about Zoom’s actual ability to encrypt video, audio and chat communications end-to-end as they flow through its network.
Given the increased scrutiny, Zoom recently released a thorough description of its encryption process (https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/) and acknowledges that under certain conditions some content may not be encrypted end-to-end.
But that's not all: the Citizen Lab revealed that Zoom's key management was consistently using suboptimal cryptography. Instead of AES-256, AES-128 keys in electronic codebook (ECB) mode were used, and keys were at times delivered from Zoom's servers in China.
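Why ECB mode is a concern is easiest to see by counting repeated ciphertext blocks. The following Python example is added here (it is not code from the advisory, from Zoom or from the Citizen Lab) and uses a deliberately simple toy block cipher, not AES, so that it runs without any library; the property it shows, that ECB maps identical plaintext blocks to identical ciphertext blocks while a chained mode such as CBC does not, holds for AES in the same way. The sample "frame", key and IV are constructed values.

```python
import random

BLOCK = 16  # 128-bit blocks, the same block size as AES


def _sbox(key):
    """Derive a byte permutation from the key (toy construction, for the demo only)."""
    rng = random.Random(key)
    box = list(range(256))
    rng.shuffle(box)
    return bytes(box)


def toy_encrypt_block(key, block):
    """TOY block cipher, NOT AES: XOR with the key, then a keyed byte substitution.
    Like any block cipher it is deterministic: same key and input give the same output."""
    assert len(block) == BLOCK and len(key) == BLOCK
    box = _sbox(key)
    return bytes(box[b ^ k] for b, k in zip(block, key))


def pad(data):
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key, data):
    """Electronic codebook: each block is encrypted independently."""
    data = pad(data)
    return b"".join(toy_encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key, iv, data):
    """Cipher block chaining: each block is XORed with the previous ciphertext first."""
    data = pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


# Constructed sample: a "frame" with long runs of identical 16-byte blocks,
# the kind of structure a static video background or a silent audio stream has.
SAMPLE = b"\x00" * 64 + b"\xff" * 32 + b"\x00" * 64
KEY = bytes(range(16))  # fixed toy key so the demo is reproducible
IV = bytes(16)          # fixed IV for the same reason (a real IV must be unpredictable)


def demo():
    """Compare how many ciphertext blocks repeat under ECB versus CBC for SAMPLE."""
    return {
        "ecb": repeated_blocks(ecb_encrypt(KEY, SAMPLE)),
        "cbc": repeated_blocks(cbc_encrypt(KEY, IV, SAMPLE)),
    }


if __name__ == "__main__":
    print(demo())  # ECB shows 8 repeated blocks, CBC none
```

With ECB, an observer who cannot decrypt anything can still see where the plaintext repeats and where it changes, which for media traffic reveals the layout of the content. That leak is a property of the mode, not of the key length, which is why the mode choice matters on its own.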
How to protect against this shortfall
From the start, enable end-to-end encryption on all Zoom video, audio and chat content of meetings. While enabling this feature limits users’ search capability in chats, it increases overall confidentiality.
- Record your meetings locally, then back up your recordings to the cloud storage of your choice.
- Review Zoom’s security practices to ensure they satisfy your requirements and applicable regulations, specifically with regard to encryption. While AES-128 is susceptible to cryptanalysis, one needs to assess the nature of one’s videoconference traffic and evaluate its worth to international threat actors.
Videoconference Recording Dangers
While videoconference recording can be a very useful feature in some contexts, it also raises privacy concerns. Videoconferencing is now being used for all kinds of applications, including telemedicine and access to health services. In these situations, a patient could understandably object to the videoconference being recorded.
How to protect against the dangers of cloud recording
- Educate your users that hosts must ask and warn participants before starting to record a session.
- Educate users on how to spot when a host is recording a session.
- Review your security practices to ensure they satisfy your requirements and regulations concerning cloud storage (location, encryption, logical accesses, levels of protection, etc.)
For more information, please contact Alithya CISO, Benoît Renaud.