April 10, 2020
Mandy L. Stanton, Anton L. Janik
Coronavirus (COVID-19), Information Security & Privacy
For the time being, many Americans are at home due to the COVID-19 virus, but they are continuing to work, learning to homeschool and socializing with friends thanks to virtual platforms. Although there are a variety of applications and platforms, Zoom has landed on top and is quickly becoming a household name. However, as principally a video meeting platform for large-scale enterprises, educational institutions and government bodies that already had their own IT departments, Zoom was not built for the purpose of being an open social platform, leaving the company ill-prepared to moderate user behavior on its platform.
Last week, reports began surfacing that various state Attorneys General, including those of New York, Connecticut and Florida, were investigating Zoom’s security practices after “Zoombombing” incidents occurred in public meetings on the company’s platform. In these incidents, uninvited participants join a public meeting, typically using a meeting link or ID found online, and share graphic content with the attendees, usually through screen sharing. The incidents have escalated enough to prompt the Federal Bureau of Investigation to issue a warning that hijackers may face fines and even jail time.
So how can users protect themselves against these types of invasions?
Use the most recent version of the remote access/meeting application: In January, Zoom released an update that turns on meeting passwords by default and disabled the ability to randomly scan for meeting IDs to join. A client that has not been updated does not receive these protections, nor the later fixes discussed below.
Manage meeting invitations: When setting up a meeting, provide the meeting link only to specific attendees via a direct channel, such as email. Do not share links in social media posts or comments. If you are hosting a public meeting, use a randomly generated, meeting-specific ID rather than the personal meeting ID associated with your account. (In fact, because your personal meeting room is a permanently reserved room reached through your personal meeting ID, best practice is never to share that ID at all: it is a standing access link to every meeting you host there. An invitation sent out with your personal meeting ID this week could therefore be used by the recipient to drop in on any other meeting you host at any other time. Recently, images popped up on Twitter showing British Prime Minister Boris Johnson in a private cabinet meeting conducted on Zoom, with the meeting ID prominently displayed.)
Make meetings private: Require a password to join, use the waiting room feature to admit guests manually, or do both. A password stops anyone who has obtained only the meeting ID, and the waiting room lets the host see who is asking to enter before letting them in.
Manage screen sharing: Limit screen sharing to the host. Zoombombers rely on sharing their own screen to push graphic content to everyone in the meeting; if only the host can share, an uninvited attendee has no way to do so.
Manage participants: Zoom identifies several further ways a host can control attendees, such as what it calls setting up “your own two-factor authentication” (a randomly generated meeting ID combined with a password), removing unwanted participants, putting attendees on hold (temporarily suspending their audio and video) and disabling private chat, among others.
In addition to extensive online training materials and tutorials, Zoom has offered free, interactive live training webinars on a daily basis. CEO Eric S. Yuan also hosts an “Ask Eric Anything” webinar each Wednesday at noon Central time; questions are submitted by email before the session.
Zoom published a blog post entitled “How to Keep Out Uninvited Guests” on March 20, ten days before the FBI’s warning about teleconference hijacking. However, blog posts are not an adequate response to Attorney General investigations, shareholder class action suits, government bans of the application and user privacy concerns about the issues within Zoom’s security infrastructure.
But what exactly are these issues and what is Zoom doing about them?
Inadequate encryption: Zoom investor Michael Drieu filed a class action suit in San Francisco federal court on April 6, claiming the company concealed weaknesses in the application’s encryption. Zoom had claimed to offer “end-to-end” encrypted meetings, a term that means only the participants, and not the service provider’s servers, can decrypt the meeting content. Additionally, as reported by Citizen Lab on April 3, Zoom claimed the application uses “AES-256” encryption where possible, but Citizen Lab found that in each Zoom meeting a single “AES-128” key was used to encrypt audio and video (and in ECB mode, which leaks patterns in the plaintext). Citizen Lab verified that this key was sufficient to decrypt Zoom packets captured from Internet traffic, and found that the key appears to be generated by Zoom’s servers rather than by the participants. A key that the server generates and distributes is a key the server holds, so whatever Zoom’s intentions, the design does not meet the definition of end-to-end encryption.
Zoom’s Response: Zoom published a blog post on April 1 clarifying the facts around its encryption measures. Refreshingly, before any explanation came the following apology: “In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” In the same post, Zoom expressly stated that “[it] has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.” Zoom added that enterprise customers have the option to run certain versions of its connectors within the customer’s own data center to manage the decryption and translation process directly, and indicated that additional customer control over keys would be available later this year.
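The distinction Zoom is apologizing for is easy to see in code. The following is an added example, not Zoom’s code or a description of its actual protocol: it models a two-participant meeting relayed by a server under two key arrangements, the server generating and handing out the meeting key (the arrangement Citizen Lab described) versus the participants agreeing a key among themselves so the server relays only ciphertext. The stream cipher (HMAC-SHA256 keystream) stands in for AES, and the Diffie-Hellman group is a toy one chosen for readability; both are assumptions of this example and neither is for production use.

```python
"""
Added example (not Zoom's code): why a server-generated meeting key is not
end-to-end encryption. Model A: the relay server creates one 128-bit key per
meeting and hands it to each participant who joins. Model B: the participants
agree a key between themselves; the server sees only public values and
ciphertext. The cipher is a toy HMAC-SHA256 keystream standing in for AES, and
the Diffie-Hellman group is a toy group; neither is for production use.
"""
import hashlib
import hmac
import secrets


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter).
    Symmetric, so the same call both encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class RelayServer:
    """Routes packets between participants and records everything it sees."""

    def __init__(self, issues_keys: bool):
        # Model A only: a single per-meeting key created by the server.
        self.meeting_key = secrets.token_bytes(16) if issues_keys else None
        self.packets_seen = []        # (nonce, ciphertext) pairs relayed
        self.public_values_seen = []  # Model B: DH public values relayed

    def key_for_joiner(self) -> bytes:
        return self.meeting_key       # Model A: the server hands out the key

    def relay_packet(self, packet):
        self.packets_seen.append(packet)
        return packet

    def relay_public_value(self, value: int) -> int:
        self.public_values_seen.append(value)
        return value

    def try_decrypt(self):
        """Whatever the server (or anyone holding its state) can read."""
        if self.meeting_key is None:
            return []
        return [stream_xor(self.meeting_key, n, c) for n, c in self.packets_seen]


# Toy Diffie-Hellman group for Model B (2**127 - 1 is prime). A real system
# would use a standardized group or X25519, and would authenticate the values.
P = (1 << 127) - 1
G = 3


class Participant:
    def __init__(self, name: str):
        self.name = name
        self.key = None
        self.priv = secrets.randbelow(P - 2) + 1   # never leaves this object
        self.pub = pow(G, self.priv, P)            # safe to send via the relay

    def derive_key(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self.priv, P)
        self.key = hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]

    def send(self, server: RelayServer, plaintext: bytes):
        nonce = secrets.token_bytes(12)
        return server.relay_packet((nonce, stream_xor(self.key, nonce, plaintext)))

    def receive(self, packet) -> bytes:
        nonce, ciphertext = packet
        return stream_xor(self.key, nonce, ciphertext)


def run_meeting(server_issues_keys: bool, message: bytes = b"cabinet minutes") -> dict:
    """Run one meeting under Model A (True) or Model B (False)."""
    server = RelayServer(issues_keys=server_issues_keys)
    alice, bob = Participant("alice"), Participant("bob")
    if server_issues_keys:
        alice.key = server.key_for_joiner()
        bob.key = server.key_for_joiner()
    else:
        # Public values pass through the server; private exponents do not.
        bob.derive_key(server.relay_public_value(alice.pub))
        alice.derive_key(server.relay_public_value(bob.pub))
    packet = alice.send(server, message)
    return {
        "bob_reads": bob.receive(packet) == message,
        "server_holds_key": server.meeting_key is not None,
        "server_reads": message in server.try_decrypt(),
    }


if __name__ == "__main__":
    print("Model A (server-issued key):", run_meeting(True))
    print("Model B (participant-agreed key):", run_meeting(False))
```

In Model A the server never needs a special “mechanism to decrypt live meetings”; holding the key it issued is enough, which is the point Citizen Lab was making. Model B as written is unauthenticated: a relay that swapped in its own public values could sit in the middle of the exchange, so real end-to-end designs also bind each participant’s key to an identity the other side can verify.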
Routing keys through servers outside the U.S.: Speaking of encryption and Zoom’s servers, tests run by the University of Toronto’s Citizen Lab on a call between users in the United States and Canada showed that the key used to encrypt and decrypt that call was delivered by a Zoom server located in Beijing, even though all meeting participants were outside China.
Zoom’s Response: Zoom explained that in its urgency to add server capacity as usage exploded over the preceding weeks, it had added two servers in China to a whitelist of permitted call-routing servers, but when it brought those servers online it “failed to fully implement our usual geo-fencing best practices.” (In this context a geo-fence is a routing rule that keeps traffic and keys from one region, like the United States, from being handled by servers in another, like China. Such separation matters because countries differ in their data privacy laws and in what they can compel an operator to disclose.) Zoom admitted that by whitelisting those two servers in China, it “potentially enable[d] non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable).” Zoom further admitted that, as Citizen Lab reported, “it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.” Zoom reported that it has now corrected this issue.
Citizen Lab also reported that Zoom owns three companies in China and employs at least 700 people there. Several sources point out that China’s cybersecurity laws may oblige Zoom to disclose encryption keys to Chinese authorities, which could give those authorities the ability to decrypt meeting content whose keys passed through Chinese servers.
Unauthorized disclosure of personal information to Facebook: On March 30, a class action lawsuit was filed against Zoom in the Northern District of California for providing users’ personal data to third parties, including Facebook, without prior disclosure. Through the Facebook SDK embedded in it, Zoom’s iOS application sent Facebook customer and device information, including the IP address and the device’s unique advertising identifier, regardless of whether the Zoom user had a Facebook account. These identifiers are used to target users for advertising. The lawsuit also alleges that Zoom was paid for sharing user data.
Zoom’s Response: Zoom acknowledged its data sharing practices and removed the feature after being made aware on March 25 that the Facebook SDK was collecting device information unnecessary for the provision of Zoom’s services. “On March 27th, we took action to remove the Facebook SDK in our iOS client and have reconfigured it to prevent it from collecting unnecessary device information from our users.” This change takes effect only for users who update to the latest version of the application; older installs continue to carry the SDK.
Zoom has communicated its “commitment to ensuring that the safety, privacy, and security of [its] platform is worthy of the trust of all [its] users…” So, what else can we expect from Zoom?
- Formation of a CISO Council and Advisory Board, bringing together security leaders from a range of industries to share ideas and collaborate on privacy, security and technology issues and best practices
- A comprehensive security review of the Zoom platform led by outside advisor Alex Stamos, the former Chief Security Officer of Facebook
- A shift in engineering resources to focus on safety and privacy issues rather than feature development
- A transparency report detailing requests for data, records and content
- An enhancement of Zoom’s current bug bounty program
While Zoom is conducting corrective action to ensure the safety, privacy and security of its platform, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. If you were or become a victim of a teleconferencing hijacking, or any cybercrime, report it to the FBI’s Internet Crime Complaint Center.
 “[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.” https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
The Between the Lines blog is made available by Mitchell Williams Law Firm and the law firm publisher. The blog site is for educational purposes only, as well as to give general information and a general understanding of the law. This blog is not intended to provide specific legal advice. Use of this blog site does not create an attorney client relationship between you and Mitchell Williams or the blog site publisher. The Between the Lines blog site should not be used as a substitute for legal advice from a licensed professional attorney in your state.