Zoom Users Face Unexpected Security Risks

Image Source: Wikipedia

As remote workers and students flock to Zoom and online classroom portals they need to be taking all possible security protections. That, according to an FBI press release last week. In that release two cases of “Zoom-bombing” were reported by separate Boston area schools. The first school reported that an unidentified individual(s) dialed into the classroom, shouted profanity and disrupted the session. The second school reported that their session was disrupted by an unidentified individual displaying swastika tattoos on camera.

Schools Ditching Zoom

Fast forward to this week and school districts in New York, Washington DC and Las Vegas have announced that they are discontinuing their use of Zoom for “security, privacy, harassment and other concerns” as reported by NPR.

Zoom’s Response

In response to complaints of “Zoom-bombing” and harassment Zoom has provided best practice security guidelines for schools using Zoom for virtual classroom activities.

Zoom Back Pedals on Encryption

While Zoom originally claimed its platform used end-to-end encryption, in an April 1, 2020 post on their blog, the company provided this clarification:

“We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it. “ – Zoom

So, just how secure is Zoom in light of the fact that their definition of end-to-end encryption seems to differ from the commonly accepted definition? The good folks at Citizen Lab in Toronto have shed some light in their April 3 post titled “Move Fast and Roll Your Own Crypto.”

What Citizen Lab found is that Zoom uses its own home-grown encryption scheme that, for a variety of reasons, is not as secure as its users believe it or want it to be. For example, Zoom’s encryption and decryption use AES in ECB mode, a “well-understood bad idea” as the image above from Wikipedia shows. Clearly the ECB encrypted image is still a penguin, so unless your goal is to keep your exact color palette a mystery, ECB is probably not going to be as secure as you had hoped.

From China with Love

Zoom is a Silicon Valley company and listed on the Nasdaq but Citizen Lab found that Zoom owns 3 companies in China and employees at least 700 people located there. While this may simply be a way to get affordable talent, the platform, which is primarily focused on serving the North American market has some interesting arrangements when it comes to session security keys as shown below.

Image Source: Citizen Lab

In a call that originated and ended in North America the encryption key appears to have been generated from a key server located in China. Potentially troubling for sure given China’s laws surrounding encryption and government access.

Waiting Room Issue

The researchers at Citizen Lab also found an apparently glaring and dangerous vulnerability in the Zoom waiting room that presented such a risk to users that they are not providing public information about the vulnerability until Zoom gets it fixed.

Other More Secure Alternatives

If you are having second thoughts about Zoom you are not alone. For a list of other more secure alternatives head over to Computer World and look at what they believe to be 12 more secure options including these:

Konsultek Knows Security

Whether it is help securing your now remote workforce or more traditional network security solutions Konsultek and their team of partner-providers has you covered. To learn more about how your organization can enjoy a more secure future please give us a call.

© Copyright 2018 Konsultek