An analysis of Zoom’s take on Security & Privacy issues: Lockdown Edition

    pratik
    29-April-2020



Because of the COVID-19 lockdown in most parts of the world, organizations are moving towards a work-from-home culture. The most important part of working from home is having the right video conferencing platform for meetings. Founded in 2011, Zoom became a trendy choice during the lockdown period due to its feature set and ease of use. This popularity caught the attention of security researchers all over the world, and they started to dig into the security and privacy issues of this particular video conferencing platform.


On 16 April, the Ministry of Home Affairs (MHA) also issued an advisory stating that the Zoom video conferencing platform is not safe. The advisory also noted that the platform is not to be used by Government officers/officials for official purposes.

The original press release is located here.

The details of the protective measures to be taken by individuals were released in a document located here.

The highlights of this advisory document are:

  1. Setting a new user ID and password for each meeting
  2. Enabling the waiting room, so that a user can enter only when the host conducting the meeting admits them
  3. Disabling "join before host"
  4. Allowing screen sharing by the host only
  5. Disabling "Allow removed participants to re-join"
  6. Restricting/disabling the file transfer option (if not required)
  7. Locking the meeting once all attendees have joined
  8. Restricting the recording feature
  9. Ending the meeting (and not just leaving it, if you are an administrator)

The question is, does Zoom deserve all the bashing it has received so far? Let us have a peek at the issues found so far:

| Issue | Comment/Response | Status |
|---|---|---|
| End-to-end encryption | The misleading claim about the "end-to-end encryption" of Zoom meetings was rectified by Zoom. Zoom admitted that the calls are only "encrypted" and not "end-to-end encrypted" and has updated the website to reflect this. | |
| Data going through China | Accepted as a tech glitch: an increase in load on a server led to load being distributed to other data centers. | Fixed |
| UNC path | A malicious party could use UNC links to leak a user's hashed password. | Fixed |
| Zoom bombing via unprotected meeting links | Passwords are now enabled by default, and a waiting-room option has been added. | Fixed |
| Installation during pre-install check | The application could be installed during the pre-install-check phase, without actually clicking the "install" button. | Fixed |
| iOS app sending information about users to Facebook, even for users without Facebook accounts | Zoom told Motherboard that sending analytics data to Facebook was an error, claiming that it was Facebook's fault. | Fixed |
| Attention tracking | It was found that the Zoom app notified the host if a participant's focus had shifted to another window for more than 30 s. Zoom permanently removed the attention-tracking functionality. | Fixed |
| Harvesting of participant information via LinkedIn | Zoom permanently removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature. | Fixed |
| Use of vulnerable Mac frameworks leading to zero-day local exploits | Zoom fixed these issues and released a new version of the client on 1 April 2020. | Fixed |
| Alleged 0-day RCE available on a darknet forum for $500,000 | This is true of any other popular software, including Windows/macOS. If your threat model includes adversaries with deep pockets, then Zoom is probably not for you. | |
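The UNC-path row above concerns chat links that leaked a user's hashed password when clicked, because the client turned any path-like token into a clickable link. The Python below is an added example, not Zoom's own code: it contrasts a linkifier that links every URL or UNC path with one that allow-lists http(s) only, and adds a small helper for spotting UNC paths when reviewing chat logs; the sample messages are constructed.

```python
import re
from html import escape
from urllib.parse import urlsplit

# \\host\share\... : a UNC path. A Windows client that follows such a link
# opens an SMB session to "host" and may authenticate to it automatically.
UNC_PATH = re.compile(r"^\\\\[^\\\s]+\\")
# Anything with a URL scheme, e.g. https://, file://, smb://
SCHEME_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def find_unc_paths(msg: str) -> list:
    """Detection helper: list every UNC path token in a chat message."""
    return [tok for tok in msg.split() if UNC_PATH.match(tok)]


def linkify_vulnerable(msg: str) -> str:
    """Pre-fix behaviour: every scheme URL *and* every UNC path becomes a link."""
    parts = []
    for tok in msg.split(" "):
        if SCHEME_URL.match(tok) or UNC_PATH.match(tok):
            parts.append(f'<a href="{escape(tok)}">{escape(tok)}</a>')
        else:
            parts.append(escape(tok))
    return " ".join(parts)


def linkify_hardened(msg: str, allowed=("http", "https")) -> str:
    """Allow-list fix: only http(s) URLs are linked; UNC and file: paths stay text."""
    parts = []
    for tok in msg.split(" "):
        if SCHEME_URL.match(tok) and urlsplit(tok).scheme.lower() in allowed:
            parts.append(f'<a href="{escape(tok)}">{escape(tok)}</a>')
        else:
            parts.append(escape(tok))  # rendered as inert text, never an href
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample chat lines (not from the original page).
    samples = [
        "Slides are at https://example.com/deck.pdf",
        r"Report is on \\10.0.0.5\share\report.docx",
        "Local copy: file:///C:/Users/me/notes.txt",
    ]
    for m in samples:
        print("UNC paths found:", find_unc_paths(m))
        print("vulnerable:", linkify_vulnerable(m))
        print("hardened:  ", linkify_hardened(m))
```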

Not all meetings are for discussing trade secrets and confidential matters; sometimes you care more about everyone's ability to join the meeting (ease of use). Zoom clarified that its meetings do not support end-to-end encryption but are "encrypted", so that no third party other than Zoom can access them. The company has shown a commitment to the privacy and security of end users by patching vulnerabilities as fast as they are found and by assembling a team of external security researchers to examine the weaknesses of its platform.
