Zero-day exploits are big business. As with the sale of guns, drugs, and hacking, not all sales or use of zero-day exploits are malign, although many may be. Security organisations will, for example, buy a zero-day exploit from the discoverer.
The more commonly used the program, the more the zero-day exploit is worth. Zero-day exploits found for common Microsoft programs have a typical value of £25,000 or more.
Many zero-day exploits are, however, not sold but placed into the public domain by their discovers, who are often security consultants. The “benefit” to the discoverer is positive publicity. But software that is used less doesn’t attract much attention. The more popular the software, the more researchers turn their attention to that software.
So it has proved with Zoom, which historically was used less and therefore wasn’t a focus for researchers. A report came out in 2019 that Zoom had used a known flaw in their drivers for Mac computers. This was reported to Zoom confidentially on 26 March 2019, although it took the company nearly three months to fix the bug.
This flaw allowed for the remote control of cameras on Apple Mac computers by a third party. It also made those Apple Mac computers prone to a denial of service attack. In this context, a denial of service attack was possible by allowing a malicious actor to make the computer unavailable by repeatedly attempting to join a user to an invalid Zoom call.
Other than that, little was heard of the insecurity of Zoom until its almost ubiquitous use since the coronavirus lockdown. According to the company, the use of Zoom has increased more than twenty-fold in recent weeks. It is even used by the UK Cabinet Office and individual cabinet ministers.
The higher the profile of the software, the more it was bound to attract the attention of researchers – and what a bonanza they have had with Zoom.
Among the flaws discovered in recent weeks, some though not all of which have now been fixed, include:
- A lack of end to end encryption, despite the company publicly stating the opposite. A law case has already been brought against the company because of this alleged misstatement. The end-to-end encryption only runs fully if all the participants are using a Zoom plug-in app, not a web browser.
- As Zoom developers are based in China, many if not most Zoom calls were routed through China, or may have passwords generated by servers based in China.
- Insecure options were enabled by default, such as not having the Zoom meeting protected by a password and allowing users to join the meeting without any action needing to be taken by the chair. Zoom has since changed some default security settings.
- Not allowing the user to uninstall Zoom. Worse still, when Zoom is uninstalled, it can be surreptitiously reinstalled without the user’s knowledge. This issue has now been fixed except for some users of older Apple Mac devices.
Other flaws, that have been fixed included sending user data to Facebook without the user’s knowledge. When Zoom were asked to respond to these security flaws at the beginning of April 2020, its response was that “Zoom takes its users’ privacy, security, and trust extremely seriously”.
The government’s new security classification for Zoom
Nevertheless, you might take the view that if it is safe enough to use Zoom in UK Cabinet Office meetings, it is safe enough for you to use.
Use by the Cabinet Office became clear when Boris Johnson tweeted a picture of himself and the Cabinet Office in a Zoom meeting, including the meeting password. When these security issues were pointed out, a government spokesperson said that Zoom was not used for “anything highly classified”.
Given that the official g classifications of information are “official”, “secret” and “top secret” (most Cabinet Office minutes falling into the latter two categories), the government seems to have created a new security classification just for Zoom.
The ability of people to appear in Zoom conferences on an uninvited basis has been widely reported. From a meeting of the councillors of a local authority in Lafayette, US, to anti-semitic trolls gate-crashing a talk by a Holocaust survivor hosted by the Israeli ambassador to Germany to a school in Singapore.
The latter prompted the Singapore government to suspend all use of Zoom by schools. The use of Zoom in schools has now restarted in Singapore, with the teacher’s control of the security settings in Zoom taken over by the Singapore Ministry of Education.
On 14 April it was reported that 530,000 Zoom passwords together with user email addresses, personal meeting URLs and host keys were for sale on the dark web.
Zoom did not explain how the personal data was leaked, and it is unknown whether it has reported the data loss to the relevant English and European data protection authorities.
Who is spying on whom ?
Next we come to the vexed question of the effect of governments’ spying on the users of Zoom. If the security flaws of a software product such as Zoom are by definition opaque, the same is true for government spying on individuals.
As has been the case since the dawn of the internet, governments can only control of the internet through the assets in their country. Zoom has its company headquarters in the US, and has a team of more than 700 software developers (and some of its primary servers) in China. Therefore, the countries that can control Zoom are the US and China.
As was held by the Irish High Court in the case of Schrems versus Data Protection Commissioner  IEHC 310 (18 June 2014), “personal data of data subjects is routinely accessed on a mass and undifferentiated basis by the US security authorities” (see paragraph 76 of that judgment).
The US security authorities can obtain as much information about any cabinet member they want, although ironically not about Boris Johnson – or at least not until 2016.
Why was Boris Johnson exempt from US mass surveillance? He held dual UK and US citizenship, until 2016 when he renounced the latter. Until then, he could claim the benefit of the US constitution, which protects US – but not foreign – citizens from being spied on in a “mass and undifferentiated” manner.
The situation in China is more worrying. The new Chinese Cryptography law (in particular Article 31), which came into force on 1 January 2020, allows the State Cryptography Administration complete access and control to encrypted content stored or transmitted in China. This includes handing over any encryption key you are using.
Given the authoritarian nature of the current mainland Chinese regime, any organisation such as Zoom operating in China is highly likely to have been required to do so, or is at least liable to do so.
So, in summary, your data is not secure from third parties, not secure from the Americans and not secure from the Chinese. Should the average (non-cabinet minister) user be worried?
After all, while it is possible to ensure you have opted for the highest possible security settings for Zoom, most of us don’t have the hands-on advice of the Singapore Ministry of Education to fall back on.
Should we be using Zoom?
Should we use Zoom? The answer is yes, at least for uses where security is not an issue. As a lawyer and a security geek, I still Zoom a lot, but not for anything where I am advising a client about something confidential.
Talking about a client’s terms and conditions using Zoom is fine, talking about a situation where they are in dispute with a third party is not.
I always remember the story of a group of lawyers from one firm in Leeds travelling together to London as the legal team in a litigation case. Naturally, they spent the whole time on the journey discussing the case.
Unfortunately for them, the non-descript individual in the aisle opposite was involved on the other side of the case. You never know how that insecure communication might be used, so if the information you exchange on Zoom could be embarrassing in certain circumstances, you should assume the worst.
Consider whether your employer would be embarrassed if the content of your conversation wasn’t kept confidential. If in doubt, use the phone. Some employers, such as Standard Chartered Bank, Siemens and Grundfos have gone as far as banning the use of Zoom altogether.
But many uses of Zoom are banal and can safely proceed. Should we really be worried if someone is listening in to a friends’ quiz night, networking meeting, religious discussion, standards committee discussion or book group? Not really, or at least not unless the book is banned in China, such as with Winnie the Pooh.
If I was a cabinet minister, who we are told are using Zoom widely to keep in touch with their offices, that ought to be a different matter. ‘Security’ is, after all, a relative term – what is ‘secure’ for one purpose is ‘insecure’ for another. So, think before you Zoom.