Zoom Seriously Needs To Up Their Security Game And Do So Quickly And Publicly

Zoom is the app du jour. Companies, individuals, and even the UK Government are using it to keep in touch, conduct meetings, and conduct business. However, as Zoom’s profile has increased, so has the scrutiny of the app. And that scrutiny has revealed some troubling flaws within the app:

  • The Windows client has a flaw that has the potential to leak domain credentials if you put UNC paths (\\Server\folder, for example) in a Zoom chat window. We would ask you not to use UNC paths in Zoom chats to ensure that domain credentials do not get leaked. You can find out more details here.
  • The Mac client has two issues: 
    • By taking advantage of the installation process, which is done without user interaction, a user or piece of malware with low-level privileges can gain root access to a computer — the highest level of privilege.
    • The second issue allows a local user or piece of malware to piggyback on Zoom’s camera and microphone permissions. An attacker can inject malicious code into Zoom’s process space and “inherit” camera and microphone permissions, allowing them to hijack them without a user’s knowledge.
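
As an added illustration of the Windows chat issue above (this is example code, not Zoom's code or anything from the original post), here is a small defensive filter that a chat bot or data-loss-prevention hook could run over outgoing messages: it spots UNC paths, reports the host they point at, and redacts them so a client cannot turn them into clickable links. The chat messages are constructed samples, and the filter itself is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# A UNC path: two leading backslashes, a host, a backslash, a share name, then
# optional further components. Plain local paths such as C:\folder do not match,
# and the lookbehind stops us matching inside a longer run of backslashes.
UNC_RE = re.compile(r'(?<![\w\\])\\\\([A-Za-z0-9][\w.-]*)\\([^\s\\]+)(?:\\[^\s\\]*)*')


@dataclass
class Finding:
    host: str   # the host the victim's machine would authenticate to
    path: str   # the full UNC path as it appeared in the message


def find_unc_paths(text: str) -> List[Finding]:
    """Return every UNC path found in a chat message."""
    return [Finding(m.group(1), m.group(0)) for m in UNC_RE.finditer(text)]


def redact_unc_paths(text: str) -> str:
    """Replace each UNC path with a note that names the host but is not linkable."""
    return UNC_RE.sub(lambda m: f"[UNC path to {m.group(1)} removed]", text)


def flag_messages(messages: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (sender, hosts) for each message that contains at least one UNC path."""
    flagged = []
    for sender, text in messages:
        hosts = [f.host for f in find_unc_paths(text)]
        if hosts:
            flagged.append((sender, hosts))
    return flagged


# Constructed sample chat, not a real Zoom transcript.
CHAT_SAMPLE = [
    ("alice", r"Slides are in \\FileSrv01\shared\q1\deck.pptx"),
    ("bob", r"thanks, mine are local at C:\Users\bob\deck.pptx"),
    ("mallory", r"open \\203.0.113.9\c$ for the new agenda"),
]

if __name__ == "__main__":
    for sender, hosts in flag_messages(CHAT_SAMPLE):
        print(f"{sender}: UNC path(s) to {', '.join(hosts)}")
    for sender, text in CHAT_SAMPLE:
        print(f"{sender}: {redact_unc_paths(text)}")
```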

The Mac-related issues can only be exploited by someone who has physical access to the Mac. So your best mitigation strategy is to maintain physical control of your Mac and lock it so that nobody else can access it. More details can be found here. It is a bit nerdy, so for a less nerdy explanation, click here.

Then there’s the fact that Zoom advertises itself as being “end to end encrypted.” Except that, according to security researchers, it isn’t, which in this day and age is really bad. And what’s worse is that Zoom continues to peddle what I consider to be “fake news” by insisting that it is end to end encrypted.

And finally, all of that is on top of a phenomenon called “Zoom Bombing,” which works like this: an uninvited guest joins your meeting and then starts displaying offensive content. It’s become a bit of an unfortunate trend as Zoom has become more popular. You can find out more about this here. But my recommendation is that you enable the Zoom waiting room functionality. Zoom’s own document on the topic describes it as follows:

Attendees cannot join a meeting until a host admits them individually from the waiting room. If Waiting room is enabled, the option for attendees to join the meeting before the host arrives is automatically disabled.

All of these issues have the same root cause. Zoom is a company that has more marketing sense than security sense. This is the same company that got caught with a serious flaw that enabled video calls with zero user interaction on the Mac, which they only sort of fixed. That wasn’t good enough for Apple, and the lack of a fix that Apple was satisfied with forced Apple to get involved and take action against Zoom in a manner that was, and still is, unprecedented. Thus it’s hardly surprising that Zoom finds itself in a situation where its shoddy security practices are on full display.

Zoom can fix this, but they need to take decisive action immediately. Here’s what I would look for:

  1. Zoom needs to come clean about end to end encryption and commit to making their service end to end encrypted. In 2020 this is not optional, so Zoom needs to address this.
  2. Zoom needs to fix all the issues outlined by pushing out software updates that address these issues fully and completely.
  3. Zoom needs to open itself up to third party security auditing, because Zoom has had a lot of chances to get this right and has failed miserably every time. They need a third party to come in and set them straight.
  4. Everything Zoom does going forward needs to be done in public.

I will be interested if Zoom does all of the above. Because if they don’t, I can easily see a scenario where Zoom’s success may be very short lived.

2 Responses to “Zoom Seriously Needs To Up Their Security Game And Do So Quickly And Publicly”

  1. […] I wrote a story about Zoom’s security issues and what they needed to do to fix them. In the last few hours a lot has happened. For starters, a memo from Elon Musk of Tesla and […]

  2. […] a few emails over the last 48 hours asking for a concise guide on how to secure their Zoom sessions seeing as Zoom’s app security is dodgy at best. Though to be fair to Zoom, they are trying to address this. So here are my top tips to secure your […]
