Zoom Users Beware: You Are NOT Safe!
It’s a basic principle of life: a problem arises, and so does a solution. While the world finds itself in a battle against the global COVID-19 pandemic, professional workplaces have had to restructure.
Entire conglomerates with thousands of employees have had to move everything online. Rather expectedly, this has led many managers to rely on new innovative ways to maintain coordination and communication with their employees.
Zoom, a videoconferencing tool, is an essential part of this new wave of innovation. The service has added 2 million new users since the beginning of February and expects to at least double that number by the end of April.
While for Zoom this is undoubtedly a cause of elation and celebration, it also brings its security practices under the microscope.
While on the surface this should be the best time to be sitting inside Zoom’s office, the reality is starkly different. This week was full of bad surprises for the service, as multiple reports emerged of vulnerabilities within the app itself.
Big Brother Is Always Watching
Like millions of other users, I was initially impressed with the sleek, compact, and almost flawless interface of Zoom. Everything on the UI seems to serve a purpose.
I found myself using the Chat function quite a lot since I could switch easily between communication with the entire team in attendance on a Zoom call or send a chat to someone privately.
However, it turns out that this may not be such a good idea after all, as the host can download the chat and read any private chats that were sent.
If a host chooses to record a Zoom meeting to the cloud, this isn’t an issue. However, if the meeting is recorded locally, all chats are saved and accessible.
I was perplexed by how a service currently being used by millions of users has missed such an obvious and dangerous vulnerability.
And if that weren’t bad enough on its own, there have been fresh allegations that Zoom shares data with Facebook.
Zoom’s End-to-End Encryption: A Farce?
A major reason why so many corporations and users opted for Zoom in the first place is that the service claims to provide complete end-to-end encryption.
Zoom followed the industry benchmark, claiming that even the service itself cannot access users’ chats. However, it has since become clear that Zoom’s claim is completely misleading.
It is beyond my understanding why this service claims on its website that end-to-end encryption is available to all its users. In my personal opinion, either Zoom does not understand what end-to-end encryption really is, or the service is intentionally misleading its users and withholding such an important declaration.
What Zoom actually offers users is transport encryption, better known as TLS. It is the same protocol that HTTPS websites use to secure connections to their web servers.
This means that the connection between the app on your device and Zoom’s servers is encrypted…but because Zoom’s servers terminate that encryption, the content is accessible to Zoom if it wanted to look. That is the difference between transport encryption and true end-to-end encryption, where only the participants hold the keys.
Whether Zoom actually accesses this information is still up for debate, but as of yet Zoom is simply asking users to take its word for it…a proposition that doesn’t end well in most cases.
Zoom Putting Your Passwords at Risk
The rise in Zoom’s use has attracted all kinds of users. This includes the kind that profits from even the smallest vulnerabilities in the app’s security.
It turns out that such a vulnerability has been found in Zoom’s Windows client, one that allows attackers to steal users’ Windows login credentials.
This ties back to the chat function I spoke about earlier. When users send a URL through the chat, the app automatically converts it into a hyperlink, making it easier for users to open the content instantly.
However, Zoom also converts Windows networking Universal Naming Convention (UNC) paths, such as \\server\share, into clickable links.
What does this mean? Well, when a user clicks on such a path link, Windows will try to connect to that remote host through the SMB file-sharing protocol in order to open it.
In doing so, Windows will also send the user’s login name and NTLM password hash to that host. For a hacker, cracking any user’s password through this is equivalent to climbing an extra set of stairs to unlock a door with a key they already have.
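The fix on the application side is to linkify only web schemes and to treat everything else as plain text. As an added example that is not Zoom’s code and does not appear in the original article, the PowerShell below shows a chat linkifier that allows only http/https links, alongside a scanner that flags UNC paths in chat text (useful when reviewing exported chat logs). The function names, the regular expressions and the sample chat lines are all constructed for this illustration.

```powershell
# Added example (not Zoom's code): a linkifier that turns only http/https URLs
# into clickable links, so a UNC path such as \\server\share stays plain text,
# plus a scanner that flags UNC paths in chat text.

function ConvertTo-SafeLink {
    param([Parameter(Mandatory)][string]$Text)
    # Escape the whole message first so chat text can never inject markup,
    # then linkify web schemes only. \\host\share and file:// are not matched
    # and therefore never become a link.
    $encoded = [System.Net.WebUtility]::HtmlEncode($Text)
    $webUrl  = '(?i)\bhttps?://[^\s<>"]+'
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        "<a href=`"$($m.Value)`">$($m.Value)</a>"
    }
    [regex]::Replace($encoded, $webUrl, $evaluator)
}

function Find-UncPath {
    param([Parameter(Mandatory)][string]$Text)
    # UNC syntax is \\server\share[\path]; on Windows a file://server/share URL
    # resolves to the same SMB connection, so it is flagged as well.
    $unc = '(?i)(?<!\S)(\\\\[^\\\s]+\\\S+|file://\S+)'
    [regex]::Matches($Text, $unc) | ForEach-Object { $_.Value }
}

# Constructed sample chat lines (not real messages).
$sampleChat = @(
    'Slides are at https://example.com/deck.pdf',
    'meeting notes: \\fileserver01\share\notes.txt',
    'nothing to see here'
)

foreach ($line in $sampleChat) {
    $hits = Find-UncPath -Text $line
    if ($hits) { Write-Warning "UNC path in chat, left as plain text: $($hits -join ', ')" }
    ConvertTo-SafeLink -Text $line
}
```

Running this prints the first line with a proper anchor tag, a warning for the second line (whose UNC path is emitted unchanged, with no link), and the third line untouched. The important design choice is the allowlist: a linkifier should decide which schemes may become links rather than trying to enumerate dangerous ones.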
Zoom has yet to fix this issue on its end, but users don’t need to wait for Zoom to do so. They can follow the steps mentioned below and avoid being exploited via this vulnerability.
Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.
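That Group Policy setting is backed by a registry value, so it can also be checked and set from an elevated PowerShell session. The following is an added example, not from the article: it reads the current value of `RestrictSendingNTLMTraffic` under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` (the value behind the policy above, where 0 = Allow all, 1 = Audit all, 2 = Deny all) and lets you move to audit or deny mode. The function names are my own; the key, value name and meanings are the documented ones. On a domain-joined machine a Group Policy refresh will overwrite a local change, so in that environment set the policy in a GPO instead.

```powershell
# Added example (not from the article): audit and optionally enforce the
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# policy. The policy is stored in the registry value below:
#   0 = Allow all, 1 = Audit all, 2 = Deny all
# Run from an elevated (Administrator) PowerShell session.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'
$Meaning   = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

function Get-OutgoingNtlmPolicy {
    # Returns the current setting; a missing value means the policy has never
    # been set, which behaves as 0 (Allow all).
    $item  = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$ValueName }
    [pscustomobject]@{ Value = $value; Meaning = $Meaning[$value] }
}

function Set-OutgoingNtlmPolicy {
    param(
        [ValidateSet('AllowAll', 'AuditAll', 'DenyAll')]
        [string]$Mode = 'DenyAll'
    )
    $code = @{ AllowAll = 0; AuditAll = 1; DenyAll = 2 }[$Mode]
    # -Force creates the DWORD if it is absent or overwrites it if present.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $code -Force | Out-Null
    Get-OutgoingNtlmPolicy
}

# Usage: look at the current state, then start with AuditAll on a machine that
# may still legitimately use NTLM to reach file servers. Audited outgoing NTLM
# authentications are logged to the NTLM operational log (event ID 8001);
# once nothing legitimate shows up there, switch to DenyAll.
Get-OutgoingNtlmPolicy
Set-OutgoingNtlmPolicy -Mode AuditAll
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 5 -ErrorAction SilentlyContinue
# Set-OutgoingNtlmPolicy -Mode DenyAll
```

Deny all stops the client from sending NTLM to any remote server, which is what closes the leak described above, but it also breaks access to file shares that only accept NTLM; auditing first shows whether that applies to the machine in question.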
Apple Services Not Safe Either
While Apple’s iOS and Mac platforms may claim greater security, Zoom’s client for those platforms is anything but. Several bugs have come to light that can be exploited to gain access to users’ machines and install malware and spyware.
It turns out that the reason Mac users aren’t asked for permission to install the service is that the installer abuses preinstallation scripts, manually unpacking the app with a bundled 7zip and installing it automatically if the user has admin rights.
That might seem like standard procedure, but a potential hacker could easily inject the installer with malicious code and obtain “root” privileges as a result.
This would mean access to all files on a user’s device, and the continuation of that access for an extended period without the user even noticing.
Similarly, another Mac-specific vulnerability gives hackers access to the webcam and the mic. Using almost the same technique, an attacker could inject code into Zoom to gain access to the user’s webcam and mic.
What makes this problem even worse is that, apparently, Zoom cannot detect when malicious code is being injected into it.
Zoom Still Vulnerable…To Trolls
There’s a small but loud section of the internet that takes pleasure in bringing dark humor into everything, including serious corporate meetings.
That’s a problem many Zoom meetings have started facing, as online trolls raid a group meeting and share pornographic material.
While it may seem comedic at first, it raises several concerns about the app’s overall safety. But how do these trolls get access to Zoom meetings at all?
Well, it turns out that if you just search for “Zoomus” on Twitter, you’ll easily find hundreds of links to meetings happening across the world. Since this link is all Zoom requires, theoretically anyone who has it can join easily.
This practice of mass raids through an online medium is known as “bombing”. A group of random people crowds into a meeting and quickly takes it over, leaving the host and serious users little choice but to either leave the meeting or end the session altogether.
So far, Zoom has offered no updates on how it’s planning to fight back against this practice, other than offering tips on how to avoid “Zoom-bombing”, such as not using your private meeting room for public meetings and not sharing the meeting link online.
Zoom has been immeasurably useful during these strange times. There’s no denying the fact that it has helped cater to a unique problem that the entire corporate industry around the world faces.
However, this should not be a reason why Zoom should get a pass on its lax and, quite frankly, negligent security practices. All the issues I’ve described above came to light within the last month, but in reality they’ve existed for a far longer period.
If that wasn’t bad enough, Zoom has shown neither urgency nor proactiveness in addressing these concerns. Keeping that in mind, I can only say: use Zoom only when you have to, and if possible go for more secure alternatives such as Signal or Jitsi.
If all participants have access to an Apple device, they should opt to communicate via FaceTime instead.