There has been a plethora of articles in the media recently about security issues in the Zoom platform, which have seemingly led to numerous organizations, and governments banning its use. Is Zoom’s security really a car crash of epic proportions, and should you be banning it too, or might something else be going on here?
Around mid-March, much of the world went into lockdown, and as tough as this has been for all of us, spare a thought for the poor journalists out there. Not only are they trying to file stories while working from home, but a world in lockdown there is a lot less happening. COVID-19 has had a monopoly over the news cycle, and we are all yearning to read about something else; as a result, news editors across the globe have been desperate for anything that is not directly coronavirus related that can grab public interest.
Enter stage left, Zoom.us the enfant terrible of the video conferencing world.
I was zooming, you were zooming, our kids were zooming, celebrities were zooming, even Boris Johnson the UK PM was zooming. This was down to the fact that Zoom has a secret sauce that has eluded many of its competitors: it’s cheap, it’s easy to use, and most remarkably it works, even in the post COVID-19 lockdown world.
Most impressive was Zoom’s remarkable achievement of managing to engineer itself clear of a meteoric jump from 10 to 220 million users within 3 months.
Zoom has historically been no stranger to security issues, for example in July last year a security issue affecting the Apple Mac version was identified which potentially allowed an attacker to force a victim to join a call with the camera enabled, even after the application had been uninstalled. Whilst Zoom did eventually address this, there were further issues, with calls being mistakenly routed through China, and the fact that the company’s claim about end-to-end encryption were not accurate.
But thanks to COVID-19, Zoom is not just another video conferencing app. In a few short weeks it evolved into our children’s classroom, the new venue for our water cooler chats, our after work drinks, our GP’s consulting room, a Yoga studio, Martial Arts Dojo, it’s even a place of worship and so much more; so of course any suggestion that it is insecure or a risk to our privacy is not only newsworthy, but a sure fire click generation machine.
First came the stories of ‘Zoombombing’: the world’s kids and trolls had found a great cure to the boredom of lockdown and were setting up Discord channels and the like to share details of upcoming meetings that were subsequently gate-crashed. There were an array of outcomes, ranging from the hilarious, to the downright offensive. Zoom countered with an array of protections, from passwords to virtual lobbies, reducing the problem to one of user education.
With the added scrutiny that a multi-million user base uptick brings, a number of other issues came to the fore. For example the Windows 10 version was vulnerable to a UNC path injection attack, where a user clicking on a link in the chat window could have their Windows credentials exposed. At the same time, we started to read about privacy issues, such as the discovery that the iOS version of the app was funneling data off to Facebook – an issue that Zoom corrected.
With the taste of blood in the water, stories blasting Zoom’s terrible security practices became a new obsession, and then came a flood of stories about the number of organizations that were banning it, or at the very least strongly discouraging its use over the reported security issues.
SpaceX banned Zoom due to “significant privacy and security concerns”. Google sent an email to employees who were Zoom users, warning them that Zoom would cease to work for them citing “security vulnerabilities”. Next were the governments banning its use for official business: Taiwan, Singapore, US, Germany, India. Even the Australian Defense Force banned it, after they were hilariously joined in an official meeting by a well-known Australian comedian.
Many organizations have a very simplistic view of security, and it’s easy to imagine that blocking unsanctioned tools will encourage the use of the tools you have sanctioned. By preventing a user connecting to one tool, they will simply switch to another. The reality is that the key to Zoom’s success is that it actually worked, while many of its competitors were struggling to scale-up or dealing with impaired-by-bandwidth contention issues. Many of the alternatives were simply not effective whereas Zoom demonstrated its strength in calls with large numbers of dispersed external users; generally, the higher the number of people you are inviting to a call, the lower the number of available options there are likely to be.
As our interest in Zoom’s insecurities seemed to wane, we saw a surge of more questionable content; mostly click bait, pitched as yet more Zoom failings, for example stories about 1000s of Zoom video’s being exposed, or 1000s of Zoom user accounts appearing on the dark web. The former turned out to be a revelation that searching unsecured S3 buckets using the naming format of Zoom videos yielded results. The latter appeared to be the result of a credential stuffing attack with previously exposed credentials that happen to be a match for Zoom accounts, both arguably not failings on Zoom’s part, in fact failings that apply to almost any large-scale platform use.
For its part, Zoom is working hard to try and counter these stories, with the positive result that it actually appears to have matured its security posture in an extraordinarily short time frame, for example:
- Updating their Privacy Policy
- Issuing numerous software updates to address issues
- Publishing a guide to help prevent Zoomboming
- Unveiling a 90-day plan to bolster key privacy and security initiatives
- Hiring Alex Stamos as an advisor
- Engaging with Luta Security to run a bug bounty
So if you are a CISO, and you want to know if you should also be banning Zoom, then we have the following considerations.
First, consider that Zoom and platforms of its ilk, in a COVID-19 lockdown world, are not simply work collaboration and conferencing tools, they may be the underlying fabric that is holding your people’s lives together.
Your users are not simply using these apps to talk to each other during work hours, they are using them to talk to their families and friends in the evening, they are using them to keep fit, both mentally and physically, and in the coming months they may well be invited to attend christenings, weddings and funerals via these applications.
They are also communicating with your customers, so by banning Zoom outright, you may think that you are reducing your security and privacy risks, but at what cost if you are further isolating people at a time when they are at their most vulnerable? You could make the argument that this isn’t a valid issue if you’ve provided an alternative but then the question remains… if you have provided an alternative platform, why is your team still using Zoom?
So rather than banning Zoom outright, consider:
- Making your employees aware of the risks through good security awareness training;
- Make sure your employees understand how to make use of Zoom’s security features, and employ good general security hygiene;
- Encourage users to make use of your sanctioned platforms for sensitive meetings; and
- Have a clear policy about not discussing highly sensitive topics during Zoom meetings.
If you got this far, and are still considering banning Zoom, or any other specific collaboration tool then before you proceed, ensure that you:
- Fully understand why people were using that tool rather than others.
- Wherever possible, provided an alternative solution that is as functional and reliable, and does not preclude other parties from connecting, i.e., only accessible by internal users, or users on certain platforms.
- Really consider whether this is a major risk for you. And try to be clear on the risk you’re really worried about. Is it that someone is in your meetings without you detecting them? (Pretty unlikely); That someone finds a recording of your meeting? (Don’t record it); That a foreign state agent intercepts your video streams and watches them to gain market intelligence (Seriously? Imagine this scenario when you’re in your next 2 hour long management meeting and you’ll realize how little value there is for external agents in most of your discussions).
With a breadth of experience, Trustwave can help you create a security awareness program to help you meet the unique challenges of the COVID-19 pandemic. Learn more about how Trustwave can help here.
Eric Pinkerton is Director, Consulting & Professional Services (Pacific)