The rapid rise to prominence of videoconferencing and collaboration application Zoom during the Covid-19 coronavirus pandemic is highlighting more and more cyber security problems with the service, which has been downloaded millions of times to personal and enterprise devices across the globe.
Earlier this week Check Point threat researchers reported on a surge in fraudulent Zoom domains being used to lure in unsuspecting users and steal their personal information. Now, more threat researchers have piled in with disclosures of their own, and some go so far as to recommend people stop using Zoom altogether. Among them is Patrick Wardle, a former NSA cyber security operative and now principle security researcher at Jamf, who highlighted two dangerous zero day exploits on his blog.
Both these vulnerabilities, which have now been patched, affected the Apple macOS version of Zoom and are easily exploited by an attacker who with physical control of the target machine. One enabled hackers to gain privileged root access to install malware or spyware, the other allowed them to inject malicious code into Zoom to fool it into giving them access to the target’s webcam and microphone.
“Zoom, ‘the leader in modern enterprise video communications’ is well on its way to becoming a household verb, and as a result, its stock price has soared,” said Wardle. “However, if you value either your cyber security or privacy, you may want to think twice about using the macOS version of the app.”
Another vulnerability affecting Microsoft Windows was disclosed by researchers through Bleeping Computer. This particular problem, which has also now been patched, centred on the Zoom Windows client, which is vulnerable to Universal Naming Convention (UNC) path injection in its chat interface, which would let hackers steal the Windows credential of anybody who clicked on a malicious link.
Tal Zamir, co-founder and CTO at Hysolate said: “Enterprises must keep in mind that user devices use a variety of apps that go beyond just email and internet. Zoom is one of the most popular non-browser apps these days and has new vulnerabilities enterprises should care about.
“This includes the recently discovered Zoom Client vulnerability that allows a remote attacker on a Zoom call to receive a user’s Windows credentials. Unfortunately, we’ll see an increase of such attacks on collaboration tools such as Zoom, Teams, and Slack, as they all have a wide attack surface.”
Not worth the risk
For Douglas Jones, co-founder and managing partner at JAG Insurance Group, its recent issues strongly suggest that using Zoom is not worth the risk.
“I always lean on the side of precaution. Zoom has blown up and that means it’s under more scrutiny. That will no doubt lead to an overhaul on its practices, much like what happened with Facebook and Uber once they were under the magnifying glass. In the present it’s still a cyber security hazard. I would recommend seeking alternatives,” he said.
“Zoom, I’m sure is very attractive for any business that has had its practices turned upside down and wants some semblance of normalcy. However, it isn’t worth the risk of having your business or client’s information compromised. Once you lose a client’s trust, it’s very difficult to get back,” he said.
But Paul Bischoff, privacy advocate at Comparitech, thinks the high-profile controversy could be good for Zoom.
“Zoom is under a microscope right now due to its explosion in popularity. That inevitably results in more vulnerabilities being found. If Zoom responds appropriately, however, it will come out the other end more secure as a result,” he said.
Best practice for security teams
So is it all over for Zoom? Should CISOs and security teams rush to lock it down and remove it from their IT estates?
The answer is no, not necessarily. However, as with any other application, you absolutely need to be paying attention to both how Zoom works and in particular its security settings, and to general cyber security best practice.
Aleksandr Yampolskiy, CEO of SecurityScorecard, said: “All third party risks should be taken very seriously, including Zoom. Having continuous monitoring in place is critical to minimise security risks, particularly in times like today when companies are turning to new vendors for tools to enable productive remote work like Zoom without always vetting them thoroughly.”
“The Zoom platform offers a myriad of benefits to those who have to work from home during this period of time. As with any tool, it is important to be aware of the possible risks and use the functions available to you on the platform to communicate safely,” agrees Check Point’s Omri Herscovici.
Yampolskiy lays out a number of steps that IT teams should be taking to secure Zoom: “When using Zoom, avoid using your personal meeting ID to host public events. This is basically a continuous meeting and anyone can interrupt your personal virtual space at any time. Select ‘one-time meeting ID’ or ‘generate automatically’ in your settings,” he said.
“Prevent participants from screen-sharing during a call using the host controls at the bottom. Click the arrow next to screen share and then advanced sharing options. Under ‘who can share?’ select ‘only host’.
“Make sure to select ‘only authenticated users can join’ in your meeting settings. Choosing this option is useful if you want to control your guest list and invite only those you want in your meeting. It prevents someone from joining a meeting from an email that they weren’t invited through.
“Selecting ‘enable waiting room’ in your settings allows you to screen who’s trying to access your meeting and keep unwanted guests out. It’s a virtual queue and as a host you can admit people one by one, remove them, or admit the next person in any order,” said Yampolskiy.
Zamir at Hysolate said: “To really protect against endpoint threats in a comprehensive way, enterprises should adopt OS isolation techniques that move sensitive enterprise apps, data, and credentials into a separate OS that is isolated from riskier external-facing apps.”
Javvad Malik, security awareness advocate at Knowbe4, said: “Zoom is not too dissimilar to many other videoconferencing tools out there in the market. Most have similar privacy challenges – so organisations need to be wary of the risks that present themselves. These kinds of steps will mitigate most threats that could materialise for the majority of employees,” said Malik.
“For more sensitive conversations – alternatives can be considered and more stringent measures put in place. Which may not work for large groups, but could keep smaller meetings more secure,” he said.
On this note, when it comes to larger groups and use cases that require additional security, such as in regulated industries, Yampolskiy said Zoom has historically been quite open to creating specialised contracts for those that want more intensive privacy policies.
“I urge any business dealing with sensitive data to pursue that,” he said. “For general business collaboration, Zoom is sufficient, but when dealing with proprietary data or PII [personally identifiable information] consider sharing that data over a more secure and private means such as PGP encrypted emails, Signal, or Wickr.
“The DoD [US Department of Defence] and their vendors have invested large amounts in end to end encrypted VTC technologies and those solutions may be applicable for other industries,” he said.
Boris Johnson: Problem exists between keyboard and chair
Zoom is also vulnerable to simple human error, as exemplified by UK prime minister Boris Johnson, who is currently recovering from coronavirus himself and working while sequestered in his Downing Street flat.
On 31 March Johnson shared a screengrab of a cabinet meeting being conducted via Zoom, in which he disclosed not only the Zoom screen names of his colleagues – Dominic Raab uses “Dom Raab” and Michael Gove “michaelgove739”, which is potentially useful information to help plan a credential stuffing attack – but crucially the Zoom meeting ID. This means that any cyber criminal with that particular ID could easily join a confidential UK government cabinet meeting.
It should go without saying that security teams must take pains to educate their users that it is never acceptable to share screenshots of their remote working desk set-up or on-screen applications under any circumstances.
William MacDonald, CTO of StarLeaf, said: “It is critical that users are diligent with personally identifiable and sensitive information that they share on the internet. With videoconferencing tools, users have to be aware of both what is around, as well as any on-screen information. Just like with telephone conferences, the video meeting ID is a sensitive piece of information which would allow users to gain access to the meeting.
“Video conferencing services that offer the possibility to lock a meeting have an advantage here as it allows the meeting host to stop any unwanted participants from joining,” said MacDonald. “Remote working is a novel experience for many businesses and we are seeing many employees publicising their experiences across social media channels. While we would not discourage organisations from championing their experiences, we do encourage firms to be responsible in what they share.”
“Displaying a user’s ID could easily compromise an organisation. It’s important when using a video meeting system users are fully aware of all its capabilities including the display and security measures in place.”
SecurityScorecard’s Yampolskiy said: “When possible, encourage employees to use a company-issued computer that has been patched properly, utilise 2FA, make use of the latest endpoint protection solutions to prevent malware and other client side attacks, and promote continuous awareness training for staff to help them understand how to avoid being the ‘low hanging fruit’ of such attacks.”
What’s Zoom’s take?
In an update published shortly before this article went to press, Zoom CEO Eric Yuan said he was aware of the immense responsibility Zoom now has since use of its service has ballooned. He pointed out that at the end of December 2019, Zoom saw approximately 10 million daily meeting participants on both its free and paid for versions, and by the end of March 2020 this had reached 200 million.
“For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus. We have strived to provide you with uninterrupted service and the same user-friendly experience that has made Zoom the videoconferencing platform of choice for enterprises around the world, while also ensuring platform safety, privacy, and security.
“However, we recognise that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it,” he said.
Yuan pointed out that the platform was built primarily for enterprise customers with full IT support and established security policies, not with the view that it would suddenly be being relied by a much broader group of users who are using it in a “myriad of unexpected ways”.
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting – about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users,” said Yuan.
Training and support
Already, Zoom has ramped up its provision of training and support for users, adding free daily demonstrations and live webinars, it has added more resource to minimise support wait times, and has taken action to help users address incidents of harassment, or zoombombing.
In the past 24 hours it has moved to clarify its approach to encryption, acknowledging that it had at times implied data was encrypted end-to-end – it usually is but on some devices that do not inherently use its communications policy this is not always the case, and removed a feature that ‘tracked’ attendees’ attention to the screen.
It has also released fixes for the Mac and Windows vulnerabilities and removed the LinkedIn Sales Navigator after identifying unnecessary data disclosure by the feature.
“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust,” said Yuan.
Going forward, Zoom will enact a freeze on all new features and redeploy its engineering staff to focus exclusively on privacy and security; review its third-party experts and users to understand and enhance security of new use cases; prepare a new transparency report detailing requests for data, records or content; enhance its bug bounty scheme; launch a CISO council to work with the industry; take part in white box penetration tests to identify further vulnerabilities.
“Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform,” said Yuan. “We welcome your continued questions and encourage you to provide us with feedback – our chief concern, now and always, is making users happy and ensuring that the safety, privacy, and security of our platform is worthy of the trust you all have put in us.”