[UPDATED 13/04]

We have recently been having many conversations about the raft of recent security and privacy issues that have been raised as Zoom comes under increased scrutiny due to the massive increase in how many people are using the service. Zoom has gone from 10 million active daily users to 200 million active daily users during the Covid-19 crisis.

A number of organisations have banned the use of Zoom, including governments, school districts and tech giants.

Here is a summary of the key issues as we see them. This list is not comprehensive, please do your own research or contact us for help assessing your setup.

Issue

What it is

Status

Source

ZoombombingA default setting in Zoom that allows anyone to guess meeting IDs and join meetings without being invited. Allows the uninvited guest to access potentially confidential data, or share content that can be abusive, racist, illegal etc.Can be remediated by ensuring you choose the correct security settingsCNET
Anyone can presentA default setting that allows anyone to present in a Zoom meeting, allowing attendees to share inapproriate content (see Zoombombing)Can be remediated by ensuring you choose the correct security settingsWired
Recordings found onlineA security researcher found thousands of Zoom meeting recordings onlineThis wasn’t really a Zoom issue – meeting hosts had stored their meeting recordings online without taking proper precautions. Zoom could use randomised filenames to make these harder to find.WP
Fake end-to-end encryptionZoom claimed end-to-end encryption in their marketing materials. Security researchers found this was not in fact the case.This is still an issue, and Zoom need to stop saying that they provide end-to-end encryption. They hold the decryption keys and can decrypt any content they choose to.The Intercept
Security flaw with waiting roomsResearchers found that uninvited attendees to a meeting could get the meeting’s encryption key from the waiting roomThis was fixed in a security patch.Citizen Lab
Mac webcam hijackingA security researcher found that Zoom software running on a Mac allowed any malicious website to forcibly join a Mac to a Zoom call, with the webcam activated, without the user’s consentThis was fixed in a security patch.Medium
iOS app shares data to FacebookResearchers found that the Zoom iOS app sent device data to Facebook, even if the user didn’t have a Facebook accountThis was fixed in a security patch.Vice
Encryption keys issued by Chinese serversCitizen Lab found several Zoom servers in China issuing keys to Zoom users even when all participants in a meeting were in the USA. Since Chinese authorities can compel operators of Chinese servers to hand over data, this means that the Chinese government might be able to see your Zoom meetings.This was fixed in a security patch.Citizen Lab
Meeting chats don’t stay privateif you’re in a Zoom meeting and use a private window in the meeting’s chat app to communicate privately with another person in the meeting, that conversation will be visible in the end-of-meeting transcript the host receives.Status unknown, so we treat this as current.Twitter
Personal data shared with advertisersZoom’s privacy policy  gave Zoom the right to use Zoom users’ personal data and to share it with third-party marketers.Status unknown, so we treat this as current.Consumer Reports
Leaked email addresses and photosZoom automatically puts everyone sharing the same email domain into a “company” folder where they can see each other’s information. Exceptions are made for people using large webmail clients such as Gmail, Yahoo, Hotmail or Outlook.com, but not apparently for smaller webmail providers that Zoom might not know about.Status unknown, so we treat this as current.Vice
War-dialling meetingsIt is possible to find open Zoom meetings by rapidly cycling through possible Zoom meeting IDs.Status unknown, so we treat this as current.Krebs
Using the wrong encryptionZoom says it use AES-256 encryption to encode video and audio data traveling between Zoom servers and Zoom clients but researchers at Citizen Lab found that Zoom actually uses the weaker AES-128 algorithm.Status unknown, so we treat this as current.Citizen Lab
Compromised accounts traded onlineCriminals are trading compromised Zoom accounts on the dark webThis isn’t a Zoom issue per se, there are literally billions of accounts being sold on the dark web. It’s a user security issue. Use complex passwords, don’t reuse them, and monitor the dark web for your credentials (ask us how).Yahoo | Intsights
Zoom software can be easily corruptedZoom’s anti-tampering mechanism can easily be disabled, or even replaced with a malicious version that hijacks the application. Malware already present on a computer could use Zoom’s own anti-tampering mechanism to tamper with Zoom. Criminals could also create fully working versions of Zoom that have been altered to perform malicious acts.Status unknown, so we treat this as current.Lloyd
Zoom installer bundled with malwareResearchers found that someone had created a version of the Zoom installer which also installed a cryptocurrency miner on the PC at the same time.Not really a Zoom issue. Users should ensure they only install software from official websites and run good anti-malware endpoint and DNS protectionTrend Micro

 

The CEO of Zoom recently wrote this post about their security issues and what they are doing to address them. Zoom issued a statement that they have temporarily stopped working on new features and are focusing their efforts on implementing significant security improvements.

What should you do? Well, as with most things, we think a risk-based approach to cybersecurity is the right one, so there isn’t a universally valid ‘right’ or ‘wrong’ response here. Regulators encourage us to take reasonable measures to ensure the confidentiality, integrity and availability of data. What constitutes reasonable measures will differ greatly from one organisation to another.

In some cases it may be proportionate to immediately stop using Zoom until all the issues are resolved, and opt for an alternative such as Microsoft Teams instead. We implemented Teams internally early last year, moving from Slack for chat and Zoom for video. We use Teams all day, every day for chat, voice, video and much more and have found it to be a fantastic platform for remote teams to work collaboratively.

In other cases you may find that adopting stronger security settings and ensuring you are fully up to date with the latest patches may be enough to provide a reasonable level of security.

We encourage you to review your enviornment, evaluate your risks and act accordingly. As always, get in touch with us if we can help.

 

[UPDATE] As of  18 April 2020 Zoom will offer paying customers a choice of datacentres and we recommend you ensure you select these in your environments.