Zoom Security Considerations


Easy to use.

Free accounts for up to 100 people to join.

Intuitive interface that allows for easy screen and media sharing.

Fun and entertaining backgrounds.

Great price for the pay features.

Is Zoom too good to be true?

No, but there are concerns lurking within.

The Dark Side of Zoom

Despite a ton of scrutiny where cyber security experts have been continually and harshly criticizing the company’s consumer protection practices – in blogs and on newscasts – Zoom is still hovering around the 200 million subscriber mark. After news of these security issues gained national attention, executives at the company came out with a promise to make the video conferencing platform the safest available anywhere. While they are not yet there, Zoom has offered up a number of new security features and are progressing towards a more secure infrastructure.

In this era – when the world is struggling to adjust to a new normal – video conferencing makes social distancing easier for individuals and businesses, and having an affordable, feature rich platform with a simple interface is somethings we really need right now.

Were these security issues really that bad?

The short answer is, yes.

I know, I know. You need more than the short answer. Okay, let’s take a look at the vulnerabilities that have been discovered thus far and what has been fixed.

Zoom Accounts For Sale on the Dark Web

Cybersecurity Intelligence has announced that on or around April 1st, 2020, they started to see Zoom accounts posted on hacker forums. Many of these were free accounts that were being posted to essentially showcase a new product for the hacker community. These free accounts were being shared on text sites in lists that included the email and password – a sampling showed most of the credentials to be valid.

Those who are interested in this showcase are able to contact the seller and purchase a large number of accounts in bulk. A cyber security company called Cyble purchased 530,000 Zoom credentials for less than a penny a piece with the purpose of warning the users. What they found was that in addition to the email address and password, the account information also included personal meeting URLs and Host Keys – the Host Key is a 6 digit pin used to claim hosting in meetings. Among the companies included in these accounts are: Chase, Citibank, and a variety of high schools and colleges.

The best thing to do is assume that your Zoom account is for sale on the dark web and CHANGE YOUR ZOOM PASSWORD AND HOST KEY IMMEDIATELY!

Also, if you’ve used that password anywhere else, change it EVERYWHERE it’s been used!

False End-to-End Encryption

Zoom claimed to protect customer video conference meetings by encrypting it on both ends, so that no one could listen in, interrupt (more on that in a minute), or steal information. Except that ZOOM uses a different definition of encryption than everyone else. By end-to-end encryption they mean that the information can be decrypted at their server, allowing them to insert their employees into meetings – presumably for support reasons only – and access any of the user information or data being shared, leaving it vulnerable should they have a breach.

Although Zoom has apologized for this misleading information and have announced secure internal processes to keep employees out of the video conference meetings, so long as the encryption keys are held by their servers, this will continue to be a security issue.

For anyone who is concerned about confidential or personal information, like medical and legal practices, this is and continues to be a problem!

Email and Profile Photo Leaks

In order to simplify user invites, Zoom puts everyone who shares the same email domain into a single folder where they can all see each other’s information. This is fine for large webmail clients who have secure servers, but smaller webmail clients – the kind that small businesses and schools tend to use – are instead grouped by service, i.e. Time Warner, Comcast, etc. This has led to individuals and small businesses all being grouped together, with access to each other’s information.

The problem with this is two-fold – first it puts private information in a publicly accessible forum, and second there are no controls in place to allow users to remove their information.

Sharing Personal Data with Advertisers

Zooms Privacy Policy – that long document full of legalese that no one ever reads – gives Zoom the right to use any personal data they collect and share it with third party marketers. They have made it a point to claim that they “do not sell your personal data” but they also don’t describe how or why they share it with these third party marketers.

It’s interesting that barter agreements are different than selling agreements, yet both use personal information as currency.

ZOOM Bombing

This is one of the facets of Zoom’s security issues that has received a lot of attention. This is partly because it’s a catchy term, but mostly because its obnoxious and ridiculous and it really happens…a lot more than you think. For their meeting invites, Zoom uses simple meeting numbers that are present on URL links, making them easy to observe and guess. This has led hackers to file-share shocking images, make loud or annoying sounds, or go on verbally offensive rants right in the middle of meetings.

New controls put in place allow the host to mute or kick out such troublemakers, and using the new and improved waiting rooms and/or meeting passwords will help keep meetings safe from this type of activity. Unfortunately, it’s still only as secure as the people who have the password information.

This Zoom bombing is bad enough that the FBI put a warning out on it. Not only has it been happening, it’s been happening when teachers are trying to conduct remote sessions with students.

False Sense of Privacy

Ever been in a meeting that is not relevant, went way off topic, or is just plain boring? We all have. Well, if you’re in a Zoom meeting and use the private window to talk about it with another participant, you need to be aware that conversation is not actually private. Even though it’s called a private chat, it is all included in the transcript that the host receives at the end of the meeting.

If you’re sitting there hoping that the meeting host didn’t save a copy of that last transcript, or post it for everyone to read, you’re not alone.

War Driving

Here’s something fun. If you’re a hacker and you want to ruin someone’s day, you can randomly find a Zoom meeting with a process called War Driving – this is a retro term from the old dial-up modem days that found new relevance. As mentioned previously, Zoom has an easy to guess format for their Meeting IDs. With a simple network tool, hackers are able to find around 100 meetings an hour by running a series of automated queries.

The only way to stop this is for your meeting to be password protected.   

Fixed Issues

In their promise to make Zoom a safe video conferencing platform, they have fixed these issues:

  • Account Hijacking Flaw – primarily affecting those who associate their Zoom and Facebook accounts, there was a flaw that displayed a unique identification tag allowing hackers to change user passwords and confirm the change, without having access to the email account used to set up the Zoom account. Zoom claims to have fixed this.
  • Windows Password Stealing – since Zoom made no distinction between web addresses and Universal Naming Convention (UNC) paths in their text messages, an interloper in a meeting could easily post a “link” that when clicked on would cause the computer to reach out to the hacker’s server, and prompt for credentials. ZOOM claims they have fixed this.
  • Windows Malware Injection – using the same UNC path described above, malware and ransomware can be injected into the text chat, installing onto the users computer when it is clicked on. Again, ZOOM claims they have fixed this.
  • Malware Behavior on Macs – in the summer of 2019, it was discovered that ZOOM had used hacker-like methods to bypass mac operating system security with their install scripts. They claimed this was fixed. In March of 2020, this security vulnerability was discovered again. ZOOM claims that it has been fixed – again.
  • Mac Malware Tool – utilizing this borderline unethical installation method as a template could give malicious hackers total control over the computers, or just take control of the camera and microphone to spy on anyone in the vicinity. As stated above, ZOOM claims to have fixed this, but that doesn’t mean hackers aren’t looking for a way to use that install method in fake apps.
  • iOS Profile Sharing – Up until the last week in March of 2020, ZOOM sent iOS user profiles to Facebook as part of one of their social media log-in features. It didn’t matter if that user had a Facebook profile or not, the personal data was still sent over. The most recent iPhone app claims to fix this.
  • File-Sharing Vulnerability – even with file-share controls turned off by the host, participants could share share files with one another, leaving the possibility for infected or malicious software to be passed between participants. Zoom claims to have fixed this.

Take-Aways

Does this mean that you should stop using ZOOM immediately?
No. But you should be careful. Hackers are looking for many ways to exploit these vulnerabilities, including registering phony ZOOM domains. If your are not sure how to protect yourself, please contact us or your managed services provider.

Should you stop using ZOOM?
That’s up to you. We would recommend another service as ZOOM has certainly proven the old adage that You Get What You Pay For.

There is a positive to take from this in that not only has ZOOM has committed to fixing these flaws and have put all further development projects aside to focus on fixing their platform, but you can be sure that all of the other video conferencing providers are taking notes. No one wants to be the next Zoom in the media. It is a step in the right direction.

In the meantime, it might not be a bad idea to check out Teams, GoToMeeting, Skype, or WebEx