Zoom, the well-known video-conferencing app, has been in the news for some time now. The Ministry of Home Affairs, Government of India, has issued an advisory to stay away from the service. The Government of India has also announced rewards for Indian developers who build an alternative.
Zoom Video Communications was founded by its CEO, Eric Yuan, in 2011. It became a billion-dollar company by 2017, but it was not until the company was listed on an American stock exchange in March 2019 that it caught widespread attention, quickly reaching a valuation in excess of $15 billion. So it is not a new company; Zoom has been in business for over a decade now. This rapid growth in the company’s valuation occurred while much of the rest of the stock market saw percentage declines. Even after the decline caused by regulatory attention, Zoom had a valuation of about $35 billion at the beginning of March 2020; very impressive for what is essentially a one-product company.
Reasons for Zoom to Doom
At least a dozen bugs, design flaws, and other issues were exposed in just the last week of March 2020. Zoom faced increased scrutiny from security researchers and privacy advocates, not to mention an ever more gimlet eye from regulators and cyber-security evangelists, and this caused the decline in its popularity.
- Security researchers across the globe reported that the Zoom application had compromised Mac computers, giving attackers essentially root-level control of the machine and the ability to turn the webcam and microphone on and off at will. Zoom acted quickly to patch this issue, but it was an embarrassment for the company.
- In another concern, the Zoom iOS app was reported to be sending user data to Facebook, even for users without a Facebook account. Legal action initiated by some consumers over this is still pending.
- The Zoom app has been subject to “Zoom bombing”, in which legitimate users have an ongoing teleconference hijacked by a perpetrator who unleashes offensive, xenophobic and racist images and language on the participants while the conference is in progress.
- Zoom’s current encryption architecture is not up to the desired standard. It may be argued that for most users the chat or conference is recreational and involves no confidential matter, so the link is at low risk. The company claims that it uses end-to-end (E2E) encryption to protect meetings, but a report from Citizen Lab, covered by The Intercept, said that “Zoom’s response on its blog makes it clear that the system doesn’t meet a well-accepted definition of E2E. Zoom’s system creates an encryption key on a Zoom server, which is then distributed securely to participants in a meeting. And this is not an ideal E2E method: handing out keys just makes things easier for those you don’t want to help, and this can be a weakness exploited by hackers when a confidential communication is in progress. (Enterprise Zoom users have the option to use hardware and software that generates meeting keys within their network.)”
- Transport encryption is different from E2E encryption: the system uses the Transport Layer Security (TLS) protocol, which secures the connection between the user and the server they are connected to. That is the same encryption used in a secure connection between a user and any website over HTTPS. The key difference between transport encryption and end-to-end encryption is that Zoom (or whichever server one is connected to) is able to see your data. Key generation is also a problem, because this service is being performed in a country that is least trusted. Citizen Lab found that some sessions involving no Chinese participants had keys generated by servers located in China, which were also involved in managing some video sessions. As Citizen Lab noted in its report, “Zoom may be legally obligated to disclose these keys to authorities in China.” Zoom said immediately afterwards that this use of Chinese servers was an error caused by scaling its systems to balance load globally, and that it has fixed the problem. Though Zoom claims that all the issues have been resolved, what happens to the 233 million participants in meetings that were routed through China, whose data and credentials remain in China’s possession?
- Zoom is reported to be spying on its users for profit. It seems to have cleaned this up somewhat since everyone started paying attention, but there are reports that it is still happening. The company is said to have collected a plethora of data about its users, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specifications, IP address, and any other information they create or upload, and this user data is reported to be used for profit.
- Zoom’s documentation claims that the app uses “AES-256” encryption for meetings where possible. However, Citizen Lab found that in each Zoom meeting a single AES-128 key is used in ECB (Electronic Code Book) mode by all participants to encrypt and decrypt audio and video. ECB mode is not recommended because patterns present in the plaintext are preserved in the ciphertext.
- Reports of vulnerabilities through which attackers could steal passwords via Zoom’s Windows client have also been published by a few research-based media houses.
- Last year, security researcher Jonathan Leitschuh publicly disclosed details of how an attacker could set up a malicious Zoom call, trick users into clicking a link to join it, and instantly add their video feed, letting the attacker look into a victim’s room, office, or wherever their webcam is pointing. In addition, Leitschuh found that attackers could launch a denial-of-service attack against Macs by using the same mechanism to overwhelm them with join requests (which has probably been patched).
- Certain research experts have reported that Zoom is able to gain access to deeper parts of the operating system and web browser of users who have it installed. This code error provided the feature whereby any user can join a session with a single click, which in turn also puts privacy at risk.
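The ECB pattern-preservation problem described above, as an added example that is not from the original article nor from Zoom or Citizen Lab: the same constructed "frame" buffer is encrypted under ECB and under CBC, and the number of repeated 16-byte ciphertext blocks is counted. Because the page gives no AES implementation, a small HMAC-based Feistel block cipher stands in for AES-128 (same 128-bit block size; the key, IV and sample frame are all constructed for the demo).

```python
import hashlib, hmac

BLOCK = 16  # 128-bit blocks, the same block size as AES-128

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # keyed round function: HMAC-SHA256 truncated to the 8-byte half-block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network: a small but genuinely invertible 128-bit block
    # cipher standing in for AES so the example runs on the stdlib alone
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return right + left

def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal plaintext blocks give
    # equal ciphertext blocks (the property Citizen Lab flagged)
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so repeated plaintext no longer yields repeated ciphertext
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(data: bytes) -> int:
    # audit helper: how many 16-byte blocks duplicate an earlier block
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample: a 'frame' that is mostly flat background (eight identical
# zero blocks) around one distinctive block. Key and IV are constructed too; the
# fixed IV only keeps the demo deterministic, real CBC needs a fresh random IV.
SAMPLE_FRAME = b"\x00" * (4 * BLOCK) + b"edge-of-object!!" + b"\x00" * (4 * BLOCK)
KEY = b"example-key-0123"
IV = b"example-iv-45678"
```

Under ECB the repeat count of the ciphertext equals that of the plaintext (7 of 9 blocks here), which is exactly what lets an observer infer structure from captured traffic without the key; under CBC it drops to zero.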
Can a user use Zoom while protecting their privacy?
Ever since governments announced lockdowns and employees started ‘working from home’ during the coronavirus pandemic, many of us have taken to Zoom, the videoconferencing app. The company has used over 700 engineers to design the app since its inception in 2017. The app has been distributed for free and is extremely easy to use. Its easy framing and smooth, flawless streaming have led users to adopt it extensively. Even people with zero technical know-how can join a Zoom meeting just by clicking a link. Over 200 million users used the app in March 2020 alone. There have been instances where enterprises and schools insisted on the use of the Zoom app during the pandemic outbreak. The medical profession has also been extensively dependent on this app for sharing information.
Consumer Reports experts advise keeping the camera and microphone turned off while on a Zoom videoconference unless one is actually speaking. If the user feels the camera needs to be on, it is advised to use a background image so the host can’t see other details of the environment the app is being used from.
If a user is concerned about privacy loss, it is advised to use a unique email address specifically for Zoom, to clear cookies and block trackers after every call, and to avoid opting in to ‘secondary data uses’ where possible.
And if Zoom is not the right app, given the confidentiality level of the chat and the threats to privacy and security, it is advised to select a different app over Zoom. However, we at Cyber Secure India warn all users that no free app in the web world is a ‘free lunch’; each comes with one or another privacy and security concern.