March 30, 2020
8 Privacy and Security Issues to Think About if You’re Using Zoom
March felt like the longest month in modern history, and nobody knows what April holds.
One thing can be said with utmost certainty though: there will be a lot of meetings held remotely, and most of them will probably be held on Zoom. Many of you have probably heard of the platform before or used it while working remotely.
In case you don't know anything about it, Zoom is a cloud-based remote conferencing service that has nearly 13 million monthly active users.
I wrote a post about Zoom once, and I can seriously say this is the last time I will mention this app here. Down below I’ve compiled 8 solid reasons to stop using Zoom, and I think most of you will find them fascinating.
Private Chats in Zoom Are Not Private
Let’s start with something less obvious, something you won’t read about in the news.
If you have attended a meeting via Zoom, you might have used the private chat function to share your honest opinion about the meeting itself. It could be a little snarky comment, or it could be something worse. Nobody else sees it in real time, but under certain circumstances that information could get exposed and make things very awkward.
Imagine a situation where the meeting goes on for quite some time and you forget about the comment you made altogether. You then save the chat locally on your computer and decide to attach the chat log to a mass email, so that people can go through the notes and ideas dropped during the talk.
That’s where things could go sour.
When you save the chat locally on your computer, Zoom also saves the private chats you had with other meeting participants. So if you share the chat log without manually deleting those messages, everyone can see what was typed in the private chats.
A golden rule of any video conference chat – everything you send can be discovered sooner or later, even when you choose to use “private” chats.
iOS Zoom App Has Quietly Sent Data to Facebook
When we talk about privacy (or the lack of it) we can’t leave Facebook out of the conversation.
As Motherboard recently found out, the iOS version of the app sent analytics data to Facebook.
The kicker? You don’t even have to own a Facebook account for that data to be collected. This is not awfully surprising, as a lot of apps bundle third-party software development kits, but the lack of transparency keeps most users unaware of it.
Zoom connects to Facebook’s Graph API and notifies Facebook when the user interacts with the application, sharing details about the device, the time zone and the city from which the connection is made, and so on.
That is far more data than the app has any need for.
Zoom removed the code after people started objecting to the practice. Zoom’s privacy policy does state that "our third-party service providers, and advertising partners automatically collect some information about you when you use our Products," but it doesn’t mention Facebook at all.
Additionally, administrators can also see the location data and device information of each participant, so make of that what you will.
Public Zoom Meetings Can Be Easily Raided
There have been a lot of stories about outsiders crashing Zoom meetings out of the blue.
Zoom-bombing is the term for nefarious users gate-crashing a meeting with sexually explicit or violent images, loud sounds, or any other unwanted content.
As described in a short article by TechCrunch, one troll used a rather infamous shock video from 2007 to disturb the audience. I will not mention the name of the video here (you can find out yourself by going over the link above), but I will clarify that it is not Rick Astley’s song.
Preventing zoom-bombing is actually quite easy.
Never openly share Zoom links on public forums or social media, generate a random meeting ID for each conversation, lock the meeting once everyone has joined, use the Waiting Room feature to moderate newly connected users, and prevent participants from screen sharing.
A lot of hassle, which would make you wonder if the app is even worth it.
But just imagine how many people are bored right now with nothing to do, think about how violent the images they can pull from the web could be, and remember that trolls can switch between accounts, which makes moderation challenging, if not useless.
As I write this blog post, I see news about Boris Johnson posting a screenshot that included the Zoom ID of a Cabinet meeting. A password is still needed, though, and people are joking about what it could be.
Zoom’s Popularity Made It Easier for Hackers to Infect Users
Zoom has seen its user base expand massively in the past few months, now boasting nearly 13 million monthly active users, according to CNBC.
This did not escape the more sophisticated attackers, who quickly identify the latest trends and pick the most suitable platforms for their attacks. Because of this popularity spike, hundreds of new Zoom-related domains have been registered since the start of the year.
"More than 1700 new domains were registered and 25% of them were registered in the past week. Out of these registered domains, 4% have been found to contain suspicious characteristics."
Those domains are used in phishing emails that deliver malicious links or poisoned attachments. Attackers have also started adding 'zoom' to the names of malware files disguised as the conferencing software’s installer.
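As an added illustration (not from the original post), here is a defender-side triage of a newly registered domain feed for brand lookalikes of the kind described above; the scoring rules, token lists and sample domains are constructed for this example and are not real registrations.

```python
import re
from dataclasses import dataclass, field
# Legitimate brand domains; any other domain carrying the brand string is a lookalike candidate.
KNOWN_GOOD = {"zoom.us", "zoom.com"}
BRAND_RE = re.compile(r"z[o0]{2,}m")  # matches zoom, zooom, z00m ...
# Words that dress a lure up as a download or sign-in page (constructed heuristic list).
LURE_TOKENS = ("download", "install", "setup", "update", "client", "meeting", "login", "support")
CHEAP_TLDS = {"xyz", "top", "club", "site", "online", "icu"}

@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

def registrable(domain: str) -> str:
    """Crude eTLD+1 (last two labels): fine for the samples here, wrong for co.uk-style suffixes."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def triage(domain: str) -> Verdict:
    v = Verdict(domain.lower().strip("."))
    base = registrable(v.domain)
    label, _, tld = base.partition(".")
    if base in KNOWN_GOOD:
        v.reasons.append("known brand domain"); return v
    if not BRAND_RE.search(label):
        v.reasons.append("brand string absent"); return v
    v.score += 1; v.reasons.append("brand string in a non-brand domain")
    if "zoom" not in label:
        v.score += 1; v.reasons.append("digit/letter substitution in brand")
    hit = next((t for t in LURE_TOKENS if t in label), None)
    if hit:
        v.score += 2; v.reasons.append(f"lure token '{hit}'")
    if "-" in label:
        v.score += 1; v.reasons.append("hyphenated label")
    if tld in CHEAP_TLDS:
        v.score += 1; v.reasons.append("low-cost TLD")
    return v

def flag(domains, threshold: int = 3) -> list:
    """Return the verdicts scoring at or above threshold, highest first."""
    return sorted((v for v in map(triage, domains) if v.score >= threshold), key=lambda v: -v.score)

# Constructed sample feed for this example; these are not real registrations.
SAMPLE_FEED = ["zoom.us", "us04web.zoom.us", "example.com",
               "zoom-download-client.xyz", "z00m-meeting.top", "zoomnews.org"]

if __name__ == "__main__":
    for v in flag(SAMPLE_FEED):
        print(f"{v.score} {v.domain}: {', '.join(v.reasons)}")
```

A real feed would replace the crude suffix split with a public-suffix list, but the scoring shape (brand string outside the brand's own domains, lure words, substitutions) is what the triage relies on.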
When executed, the downloaded file would install unwanted third-party applications or malicious payloads through InstallCore. InstallCore can add files to launch on startup, tamper with browser settings and configurations, and add more browser extensions, some of which can also be malicious.
Zoom users have also been infected with Virus.Neshta, which collects information on your currently installed apps, running programs, and SMTP email accounts.
There’s an “Attention Tracker” Feature for Admins
Meetings are never fast, are they?
They are most certainly longer than our attention spans, especially if the meeting is run by a “let’s circle back” guy. When stuck in the listener’s seat, many of us minimize the window and do something else, leaving the chatter in the background.
Well, Zoom has a built-in feature that lets the host of the call find out whether an attendee has had the app out of focus for more than thirty seconds.
“Hosts can see an indicator in the participant panel of a meeting or webinar if an attendee does not have Zoom Desktop Client or Mobile App in focus for more than 30 seconds while someone is sharing a screen. "In focus" means the user has the Zoom meeting view open and active.”
These indicators of inattention don’t violate your privacy, but they can put you in a tough spot when you least expect it. Actually, they do put your security to the test.
Job security, to be clear.
Zoom Installs Stuff Without You Agreeing to It
Now let’s get to the shadier stuff. There are plenty more reasons to question how trustworthy Zoom really is.
It’s all in the headline.
Zoom’s macOS installer abuses the pre-installation script: it unpacks the 12MB zip file and installs it to Applications if the user is in the admin group. All that without you ever clicking 'Install', mind you; it does its thing during the installer’s initial check, before the install step is even reached.
If the app is being installed but you're not an admin, a 'zoomAuthenticationTool' helper and the AuthorizationExecuteWithPrivileges API spawn a password prompt that identifies itself as “System” in order to gain root.
As many have already said, this is malware-like behavior.
It spoofs a credential check to escalate privileges and doesn’t write anything to /var/db/receipts, so there’s no way of telling what’s installed and where.
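To make the installer behaviour above checkable, here is an added example (not Zoom’s code and not from the original post) that audits a pkg preinstall script for work that belongs in the package payload rather than in a script; the rules and both sample scripts are constructed assumptions.

```python
import re
import sys

# Heuristics for a macOS pkg preinstall script. A well-behaved preinstall stops old processes or
# checks prerequisites; it never installs the application itself. Each rule: (regex, finding).
RULES = [
    (re.compile(r"\b(unzip|ditto|tar|cp|mv|rsync)\b[^\n]*?/Applications"),
     "copies a payload into /Applications from the script (bypasses the pkg payload, so no receipt)"),
    (re.compile(r"\b(groups|id\s+-Gn|dseditgroup)\b[^\n]*\badmin\b"),
     "branches on admin-group membership"),
    (re.compile(r"\bsudo\b|with administrator privileges|AuthorizationExecuteWithPrivileges|AuthenticationTool"),
     "requests or wields elevated privileges from the script"),
    (re.compile(r"\bchmod\b[^\n]*(\bu\+s\b|\b[4-7][0-7]{3}\b)"), "sets a setuid bit"),
    (re.compile(r"\bLaunchAgents\b|\bLaunchDaemons\b"), "installs persistence outside the declared payload"),
]

def audit_preinstall(script: str) -> list:
    """Return the findings raised against the script text, in rule order."""
    return [finding for rx, finding in RULES if rx.search(script)]

def verdict(script: str) -> str:
    return "suspicious" if audit_preinstall(script) else "ok"

# Constructed samples written for this example; they are not Zoom's installer scripts.
BENIGN = """#!/bin/sh
# stop a running copy before the payload is laid down
pkill -x ExampleApp 2>/dev/null || true
exit 0
"""
INSTALLS_FROM_SCRIPT = """#!/bin/bash
# installs during the installer's preliminary check, before the user has clicked Install
if groups "$USER" | grep -qw admin; then
  unzip -o "$(dirname "$0")/ExampleApp.zip" -d /Applications
else
  "$(dirname "$0")/exampleAuthenticationTool" install   # helper that prompts for a password
fi
exit 0
"""

if __name__ == "__main__":
    # To get a real script: pkgutil --expand Installer.pkg out/  then read the preinstall under out/**/Scripts/
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INSTALLS_FROM_SCRIPT
    print(verdict(text))
    for finding in audit_preinstall(text):
        print(" -", finding)
```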
But wait, there’s more!
It Could Expose Email Addresses and Photos to Strangers
This problem stems from the "Company Directory" setting that adds other users to the list of contacts if they share the same domain as you in their email address. Good for finding colleagues, bad for everything else.
"If you subscribe to Zoom with a non-standard provider, then you get insight to ALL subscribed users of that provider: their full names, their mail addresses, their profile picture (if they have any) and their status. And you can video call them," says Barend Gehrels, one of the users affected by this "feature".
If you sign up with a personal email address, you can get pooled with perfect strangers, as has already happened in the Netherlands. Dutch internet service providers that offer email services were mistaken for companies, and there you have it: people asking questions on Twitter with a GDPR hashtag.
Zoom’s spokesperson said those domains have now been blacklisted, which in his mind fixes the problem.
Let’s finish this thread at last.
Zoom Meetings Are Not End-to-End Encrypted
The cherry on top of the chocolate cake.
It only feels right to save the best for last, as Zoom has used the term E2EE for marketing purposes while in reality using transport encryption. Let’s hear it from the horse’s mouth to back up the accusation with supporting evidence.
“Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection. When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.”
There’s also a passage claiming that meetings are secured with “end-to-end encryption” only as long as everyone connects using “computer audio” rather than dialing in by phone. Given the statement above, there’s no real reason to go any deeper into this.
Zoom is acting dishonestly and is not willing to come clean. It only acts when it gets caught, and if we’re being honest, not a lot of people would care enough to switch to something else.
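The distinction Zoom’s statement draws between transport encryption and end-to-end encryption, modelled as an added example that is not from the original post: the meeting server terminates each client’s transport layer, so it can read anything that is not additionally encrypted under a key only the participants hold. The HMAC-based stream cipher and the client/server classes are illustrative constructions, not Zoom’s protocol.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 as a PRF in counter mode. Illustrative only; real systems use AES-GCM."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Client:
    def __init__(self, name, e2e_key=None):
        self.name = name
        self.transport_key = os.urandom(32)  # like a TLS session key: the server knows it too
        self.e2e_key = e2e_key               # shared only by participants; None = transport-only

    def send(self, server, recipient, plaintext: bytes):
        nonce = os.urandom(12)
        inner = xor_stream(self.e2e_key, nonce, plaintext) if self.e2e_key else plaintext
        return nonce, server.relay(self, recipient, nonce, xor_stream(self.transport_key, nonce, inner))

    def receive(self, nonce: bytes, ciphertext: bytes) -> bytes:
        inner = xor_stream(self.transport_key, nonce, ciphertext)
        return xor_stream(self.e2e_key, nonce, inner) if self.e2e_key else inner

class Server:
    """Relay that terminates each client's transport session, as a meeting server does with TLS-style encryption."""
    def __init__(self):
        self.transport_keys = {}  # client name -> transport key
        self.observed = []        # whatever is left once the transport layer is removed

    def enroll(self, client):
        self.transport_keys[client.name] = client.transport_key

    def relay(self, sender, recipient, nonce, ciphertext):
        inner = xor_stream(self.transport_keys[sender.name], nonce, ciphertext)  # strip sender's layer
        self.observed.append(inner)                                              # server-side view
        return xor_stream(self.transport_keys[recipient.name], nonce, inner)     # re-wrap for recipient

MESSAGE = b"quarterly numbers are down"  # constructed sample message

def run(e2e: bool):
    """Return (what the recipient reads, what the server could observe) for one relayed message."""
    group_key = os.urandom(32) if e2e else None  # under E2EE the server never receives this key
    alice, bob, server = Client("alice", group_key), Client("bob", group_key), Server()
    server.enroll(alice); server.enroll(bob)
    nonce, ct = alice.send(server, bob, MESSAGE)
    return bob.receive(nonce, ct), server.observed[0]

if __name__ == "__main__":
    for mode in (False, True):
        print("e2e" if mode else "transport only", "-> server saw:", run(mode)[1])
```

With transport-only encryption the relay’s view equals the plaintext; with an extra participant-held key the relay still delivers the message but its view is ciphertext, which is the property the term "end-to-end" is supposed to promise.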
Because comfort is king.
History often repeats itself, and you don’t want to be in the meeting seat when it repeats itself next time.
Are There Any Alternatives to Make Video Conferencing More Private?
I can offer a couple of good options myself, as I’ve tested quite a few solutions in my own company.
Jitsi Meet is a great project all things considered. It is open-source, free, and you can achieve actual privacy by installing Jitsi Meet on your own Linux server. As I always say, the only way to guarantee your privacy is to keep all resources in your secure perimeter.
You can also start a call right away and video chat with the whole team by going to meet.jit.si. I also like that you can see all attendees at once, even when a lot of people are signed in.
Among other open source platforms, RocketChat stands out as a GDPR-ready solution, which is handy for many European companies. It has a lot of features similar to Slack, but its security is way better. You can start a cloud trial or run your own server, with plenty of installation options to choose from. RocketChat even talks about how it can “replace” email, so you might find it interesting.
There's also Tox chat, an open source and decentralized platform that can cover all your enterprise needs, such as video and voice calls, screen and file sharing. It has iOS and Android clients, Antidote and Antox respectively, so you can call it mobile-ready. Encrypted and totally free, it's also a good option to evaluate.
If your company wants to try a product from a more established company, Microsoft Teams offers a free 1-year trial. It’s certainly a viable alternative to test in a corporate setting, and one that won’t need as much explaining.
Lastly, I would like to mention that March 30th is National Doctors’ Day. Doctors are working day and night to help our society cope with the pandemic, so please express your gratitude to them.
We don’t need a special day to respect them for their sacrifices, in my opinion.