Trust and Verify Zoom

You can’t discuss Zoom without asking whether or not you can trust the company that provides the service and develops the software due to missteps they made in 2019 and early 2020 and some technical debt from decisions made over several years.

As Zoom grew dramatically in popularity in early 2020, they drew enormous new scrutiny. That led to the exposure of bugs, poor practices, misstated explanations in technical documentation and marketing materials, and bad business decisions. In response, the company has appeared to clean up its act, taking specific actions, apologizing, and producing a roadmap.

In this chapter, I review some past problems you may have heard about and how they were resolved. More importantly, I look into Zoom’s current policies and implementations for communication privacy, app security, and encryption integrity.

Explore Zoom’s Security Model

Obviously, a company that has access to your screen, microphone, and camera and that lets you create communication sessions with other people has to protect the security of your interactions.

There are several aspects of security in a system like Zoom’s:

  • Apps: Software must be written to prevent malicious parties from exploiting it and gaining access to users’ audio, video, and text feeds. But it also must respect a user’s settings and intent.

  • Account security: Zoom requires a registered account for hosts, but participants don’t always need one, so only some Zoom users provide the company with information that must be protected.

  • Meeting security: Zoom sessions should be able to prevent unwanted attendees. This is both a security and a privacy issue, and I discuss both in this and the following section.

  • Encryption: The system must be designed to prevent unauthorized parties from accessing communications while they happen and, if data is intercepted, by decrypting it later.

Let’s dig in on each of these.

Apps and Security

Zoom has suffered from sloppy coding and shortcuts in the interest of making it easier to install the software and join meetings. This included bypassing a protection Apple put in place to make it harder for webpages to launch applications directly. While the company fixed it in mid-2019, it did so with ill grace and made excuses.

In March and April 2020, other app problems emerged with iOS (leaking information to Facebook through bad programming), macOS (shortcuts in the installer that bypassed user interaction), and Windows (links in chat that could open programs and execute commands).

This time around, Zoom’s CEO apologized, and within hours to a couple of days the company pushed out revised software versions that removed the Facebook connection, updated the macOS installer, and disabled links in chat temporarily. They froze adding new features for 90 days as of April 1, 2020, to focus on software and other improvements.

After several weeks, they re-enabled clickable links in chat sessions, once they had ensured they could not be used maliciously.

Account Security

So far, Zoom has done a seemingly effective job with account security. The service hasn’t suffered attacks that extracted information in bulk about users, and it hasn’t been, at least routinely, susceptible to other common techniques used to gain access to user accounts.

That may in part be because Zoom allows participation without registering an account, as do an increasing number of other videoconferencing systems. Skype just added a simplified similar option in March. Without an account, there’s nothing to protect!

Zoom made two changes in early April 2020 designed to improve security and reduce unwanted intrusions into sessions for harassment and trolling, a behavior that led to a new word: zoombombing, described in Protecting Meeting Privacy, below. Hosts of any account tier can restrict participants from joining with a web app unless they register an account with Zoom and log in.

Meeting Security

Every videoconference session you schedule or start as an instant meeting from an app has an associated 9 to 11 digit ID. In 2019 and in March 2020, researchers found ways to exploit that to sift through IDs to find meetings that lacked passcodes, allowing anyone to join.

To block that possibility and to fix other problems related to public meetings as described, Zoom began requiring passcodes on May 9, 2020, for all meetings already scheduled and created fresh by free accounts and upgraded education accounts. (Paid accounts begin to have requirements on September 27, 2020.)

Zoom also stopped displaying the meeting ID in the title bar of their apps, after people unintentionally shared screen captures of Zoom windows that included them (Figure 5).

Figure 5: Nothing unusual: just the cabinet of the government of the UK meeting via Zoom with the ID clearly displayed at the top.

Encryption

Zoom claimed in their marketing materials and in their documentation that they employed end-to-end strong encryption for videoconferencing sessions. However, news site The Intercept, in an article on March 31, 2020, and privacy group Citizen Lab, in a report on April 3, 2020, revealed that Zoom had made misleading statements.

The encryption system used was weaker than the version stated and implemented in a way that’s relatively easy to crack in the scheme of modern encryption systems.

Zoom also stretched the definition of end-to-end encryption (E2EE). Security standards and experts almost always use E2EE to mean that every endpoint in a conversation or data exchange—whether that’s a device or an app—generates its own encryption key and keeps that key stored locally. It’s never shared.

Within an E2EE system, a session starts via a clever process of exchanging encryption details unavailable to the company or organization operating the system. This is how Apple iMessage, Signal, and some other systems work.

Zoom’s approach isn’t really E2EE, because it doesn’t reserve private keys to the endpoints. The service instead generates a shared session key on a server and transmits it over a secure link to each participant. Zoom says they don’t store or have direct access to that key, but they employ the key to make cloud-based recordings and to patch in dial-up callers to meetings.

This design makes it possible for Zoom to intercept and decrypt calls in the right circumstances, and for hackers or government agents to do the same if they broke into Zoom’s servers.

A national security agency might also compel Zoom to open up its servers or have the assets to intercept a Zoom video session and obtain the encryption key, allowing them to break the encryption later.
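The difference between the two key-handling models described above can be shown in a short added example (not code from the book or from Zoom). It assumes a two-party call, a passive relay server, toy Diffie-Hellman parameters, and a toy authenticated cipher built from SHA-256 and HMAC; all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy parameters for illustration only (assumptions, not Zoom's protocol).
P = 2**255 - 19   # a well-known prime, used as a finite-field DH modulus
G = 2

def kdf(shared: int) -> bytes:
    """Derive a 32-byte key from a DH shared secret."""
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def _stream(key: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """Toy encrypt-then-MAC standing in for a real AEAD; one message per key."""
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or data was altered."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, len(ct))))

def server_keyed_session(msg: bytes):
    """Server generates the session key and hands it to each participant."""
    key = secrets.token_bytes(32)            # created on the server
    blob = seal(key, msg)                    # sender -> relay -> receiver
    return blob, [key, blob], unseal(key, blob)

def e2ee_session(msg: bytes):
    """Each endpoint keeps a private value; only public values cross the relay."""
    a, b = (secrets.randbelow(P - 3) + 2 for _ in range(2))
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    blob = seal(kdf(pow(pub_b, a, P)), msg)  # sender's key never leaves the device
    return blob, [pub_a, pub_b, blob], unseal(kdf(pow(pub_a, b, P)), blob)

def relay_can_read(blob: bytes, seen: list) -> bool:
    """Could whoever controls the relay decrypt, using only what it handled?"""
    for item in seen:
        key = kdf(item) if isinstance(item, int) else item
        if len(key) == 32 and unseal(key, blob) is not None:
            return True
    return False
```

Each session function returns the ciphertext, the list of values the relay handled, and what the receiver decrypted. The key exchange here is unauthenticated, so it only models a relay that observes traffic; endpoints also need a way to verify whose public key they received.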

The company made several promises, some of which were underway within days of their announcement:

  • Zoom hired security experts and assembled an advisory team on their policies from companies and privacy organizations.

  • They created a roadmap for future improvements, and hold regular webinars (over Zoom!) to discuss milestones.

  • In May 2020, they acquired Keybase, a firm that has spent years providing highly secure person-to-person and group communications. Keybase also has a unique strategy for validating people’s identities associated with public keys.

  • Zoom released a draft of a true end-to-end encryption proposal in late May 2020 for public review, on the path towards implementing it in their service.

  • Zoom released version 5 of their software across all platforms in late April 2020, which incorporates significant security improvements, and required its use as of June 1, 2020. Users running older versions of the software can’t participate in Zoom sessions.

As part of Zoom’s commitment to add E2EE, the company plans at some point after I wrote this version of the book (in August 2020) to provide beta access to some users. (That plan was originally stated July 2020.) With E2EE enabled, dial-in calling is unavailable to paid tiers in which it’s normally an option. Cloud recording also cannot be used.

Consider Your Privacy

Zoom’s privacy stance requires looking at several different aspects of their policy, implementation, and behavior.

Revising Their Privacy Policy

Zoom had a bad privacy policy. It was written from the standpoint that Zoom was a marketing company and that anything they collected from you or handled for you, they could potentially use for their own purposes or give or sell to third parties.

Fortunately, a privacy outcry in late March 2020 led to a quick, substantive overhaul of their policies, which they said were retroactive. Despite the language in the previous disclosure, the company said they had never engaged in using customer information in those ways.

Leaking Account Information

When you’re using the Zoom service, you should expect that Zoom (the company) keeps private everything about you except anything you explicitly allow the company to use. That’s not very much since they updated their privacy policy as noted just above.

Security researchers and reporters found recently that Zoom had three significant privacy issues:

  • The iOS app passed information to Facebook even for users not relying on a Facebook login to Zoom.

  • Users with the same domain in their email address were assumed to all work together, even if the domain was one used by an ISP—such as Dutch provider dds.nl. Only a few major companies’ products were excluded (like Gmail). That allowed a user at an affected domain access to other users’ directory information without any other contact with them.

  • Subscribers to a premium LinkedIn service could hover over any participant in a meeting and Zoom connected that participant’s email address and name to LinkedIn to display an information card about the participant, even if they weren’t exposing that information in the meeting.

Zoom said all three behaviors were in error, and they removed all of them. Only paid business users can link in their business domain for matching directory entries.

Protecting Meeting Privacy

Zoom says that until the explosion of usage in early 2020, they had focused most of their efforts on business users, and expected companies would largely circulate meeting invitations and use the service for their internal purposes or with clients. While anyone could use Zoom, consumer alternatives abounded, including some built by operating system makers and bundled.

The company spent their effort making sure Zoom apps across many platforms and browsers could handle massive simultaneously streaming sessions of video, including in low-bandwidth conditions and on mobile.

This left them, the company argues, uniquely unprepared for the onslaught of general internet bad behavior, including what quickly became known as zoombombing.

The firm took a few weeks of scrambling to handle the vastly increased load on their systems and get their hands around the evolving exchange of information among intentionally malicious and abusive people to coordinate and spread attacks.

The company then released a host of changes that should ultimately make it less appealing and far harder to attack unwary hosts and participants.

While I cover these controls for hosts in depth in Protect a Zoom Meeting, I want to highlight just a few here:

  • Centralized security: Zoom’s apps now have a Security button that reveals a number of one-click settings to control access and participation.

  • Mandatory passcode: Zoom made passcodes mandatory for meetings on certain tiers: free and upgraded education users. (See Choose a Tier for more on these levels of service.) The passcode can be changed and may be embedded in a URL.

  • Default Waiting Room: All accounts were reset to require a Waiting Room, which puts participants in a queue to join that a host can review. This can be disabled for individual meetings or for an entire account, however.

  • Lock meeting: An option added in early April 2020 lets a host close the door after everyone is in. This can be toggled on and off, but it’s a key tool in preventing zoombombing in the middle of sessions.

  • Easy blocking of user actions: Hosts can now easily restrict participants’ ability to stream video, share a screen, share audio, or engage in other behavior as a meeting preference or during it.

  • Reporting abusive users: In late April 2020, Zoom rolled out their first abuse-reporting option for hosts. With it enabled, hosts can report a user directly to Zoom as abusive, allowing the company to take action or issue warnings against their account, IP address, organization, or other associations.

Evaluate Zoom’s Safety

I realize this is a hefty load of information to go through in a book that ostensibly wants to teach you how to use Zoom. But there is so much media coverage about Zoom in the first half of 2020 that I think you need to look over everything that’s been disclosed and the company’s response.

I recommend Zoom for most users, despite all of the above, because the company has fixed so many significant problems and bugs for consumers, and they’ve responded to both small and large criticisms and reports with alacrity. They are making more changes and faster than any company I can think of, pretty much ever. And they promise to do even more.

The only people I think should think twice about Zoom are those who are engaged in secure topics: that’s medical, legal, financial, or government. If you have significant concerns about the possibility of exposure, Zoom isn’t currently secure enough. However, for 99%, or maybe 99.9% of Zoom’s current and potential users, the risk of private sessions being intercepted is close to zero.

Watch for Zoom to meet their promises, however. So far, they have continued to meet milestones and ratchet up software and encryption improvements.
