Zoom’s Security and Privacy Issues
[UPDATED 13/04]
We have recently been having many conversations about the raft of recent security and privacy issues that have been raised as Zoom comes under increased scrutiny due to the massive increase in how many people are using the service. Zoom has gone from 10 million active daily users to 200 million active daily users during the Covid-19 crisis.
A number of organisations have banned the use of Zoom, including governments, school districts and tech giants.
Here is a summary of the key issues as we see them. This list is not comprehensive, please do your own research or contact us for help assessing your setup.
Issue |
What it is |
Status |
Source |
| Zoombombing | A default setting in Zoom that allows anyone to guess meeting IDs and join meetings without being invited. Allows the uninvited guest to access potentially confidential data, or share content that can be abusive, racist, illegal etc. | Can be remediated by ensuring you choose the correct security settings | CNET |
| Anyone can present | A default setting that allows anyone to present in a Zoom meeting, allowing attendees to share inapproriate content (see Zoombombing) | Can be remediated by ensuring you choose the correct security settings | Wired |
| Recordings found online | A security researcher found thousands of Zoom meeting recordings online | This wasn’t really a Zoom issue – meeting hosts had stored their meeting recordings online without taking proper precautions. Zoom could use randomised filenames to make these harder to find. | WP |
| Fake end-to-end encryption | Zoom claimed end-to-end encryption in their marketing materials. Security researchers found this was not in fact the case. | This is still an issue, and Zoom need to stop saying that they provide end-to-end encryption. They hold the decryption keys and can decrypt any content they choose to. | The Intercept |
| Security flaw with waiting rooms | Researchers found that uninvited attendees to a meeting could get the meeting’s encryption key from the waiting room | This was fixed in a security patch. | Citizen Lab |
| Mac webcam hijacking | A security researcher found that Zoom software running on a Mac allowed any malicious website to forcibly join a Mac to a Zoom call, with the webcam activated, without the user’s consent | This was fixed in a security patch. | Medium |
| iOS app shares data to Facebook | Researchers found that the Zoom iOS app sent device data to Facebook, even if the user didn’t have a Facebook account | This was fixed in a security patch. | Vice |
| Encryption keys issued by Chinese servers | Citizen Lab found several Zoom servers in China issuing keys to Zoom users even when all participants in a meeting were in the USA. Since Chinese authorities can compel operators of Chinese servers to hand over data, this means that the Chinese government might be able to see your Zoom meetings. | This was fixed in a security patch. | Citizen Lab |
| Meeting chats don’t stay private | if you’re in a Zoom meeting and use a private window in the meeting’s chat app to communicate privately with another person in the meeting, that conversation will be visible in the end-of-meeting transcript the host receives. | Status unknown, so we treat this as current. | |
| Personal data shared with advertisers | Zoom’s privacy policy gave Zoom the right to use Zoom users’ personal data and to share it with third-party marketers. | Status unknown, so we treat this as current. | Consumer Reports |
| Leaked email addresses and photos | Zoom automatically puts everyone sharing the same email domain into a “company” folder where they can see each other’s information. Exceptions are made for people using large webmail clients such as Gmail, Yahoo, Hotmail or Outlook.com, but not apparently for smaller webmail providers that Zoom might not know about. | Status unknown, so we treat this as current. | Vice |
| War-dialling meetings | It is possible to find open Zoom meetings by rapidly cycling through possible Zoom meeting IDs. | Status unknown, so we treat this as current. | Krebs |
| Using the wrong encryption | Zoom says it use AES-256 encryption to encode video and audio data traveling between Zoom servers and Zoom clients but researchers at Citizen Lab found that Zoom actually uses the weaker AES-128 algorithm. | Status unknown, so we treat this as current. | Citizen Lab |
| Compromised accounts traded online | Criminals are trading compromised Zoom accounts on the dark web | This isn’t a Zoom issue per se, there are literally billions of accounts being sold on the dark web. It’s a user security issue. Use complex passwords, don’t reuse them, and monitor the dark web for your credentials (ask us how). | Yahoo | Intsights |
| Zoom software can be easily corrupted | Zoom’s anti-tampering mechanism can easily be disabled, or even replaced with a malicious version that hijacks the application. Malware already present on a computer could use Zoom’s own anti-tampering mechanism to tamper with Zoom. Criminals could also create fully working versions of Zoom that have been altered to perform malicious acts. | Status unknown, so we treat this as current. | Lloyd |
| Zoom installer bundled with malware | Researchers found that someone had created a version of the Zoom installer which also installed a cryptocurrency miner on the PC at the same time. | Not really a Zoom issue. Users should ensure they only install software from official websites and run good anti-malware endpoint and DNS protection | Trend Micro |
The CEO of Zoom recently wrote this post about their security issues and what they are doing to address them. Zoom issued a statement that they have temporarily stopped working on new features and are focusing their efforts on implementing significant security improvements.
What should you do? Well, as with most things, we think a risk-based approach to cybersecurity is the right one, so there isn’t a universally valid ‘right’ or ‘wrong’ response here. Regulators encourage us to take reasonable measures to ensure the confidentiality, integrity and availability of data. What constitutes reasonable measures will differ greatly from one organisation to another.
In some cases it may be proportionate to immediately stop using Zoom until all the issues are resolved, and opt for an alternative such as Microsoft Teams instead. We implemented Teams internally early last year, moving from Slack for chat and Zoom for video. We use Teams all day, every day for chat, voice, video and much more and have found it to be a fantastic platform for remote teams to work collaboratively.
In other cases you may find that adopting stronger security settings and ensuring you are fully up to date with the latest patches may be enough to provide a reasonable level of security.
We encourage you to review your enviornment, evaluate your risks and act accordingly. As always, get in touch with us if we can help.
[UPDATE] As of 18 April 2020 Zoom will offer paying customers a choice of datacentres and we recommend you ensure you select these in your environments.