Following lockdowns and work from home protocols across the world, there’s one software that’s seen a boom in the past month. After all, it was hard to avoid people posting screenshots of their Zoom conversations all over social media. Zoom’s daily video conferencing numbers have grown from 10 million by December 2019, to over 200 million. As such, it should also come as no surprise that it’s raising some serious security questions.
More users translate to vital security infrastructure
Shortly after the video conferencing software started getting traction, so did its scrutiny on security. Currently, it appears Zoom poses some significant security concerns, so much so that “Zoombombing” is an actual term. According to The Telegraph, a vulnerability in the software could potentially allow hackers to gain access to users’ email account passwords. Particularly the Windows version of the Zoom software.
This vulnerability could be exploited by simply clicking a link sent over webchat. For example, if you send a Universal Naming Convention (UNC) path on the chat, Zoom will convert it to an actionable link. If this link is clicked, Windows will attempt to connect to a remote host via the Server Message Block network file-sharing protocol. With this, your sign-in name and NT Lan Manager credential hash are sent. The credential hash could be used to decode the username and password details.
How you can work around the security flaw
The Local Group Policy Editor fix
One way to circumvent the vulnerability is to use the ‘Local Group Policy Editor’ on Windows. Here’s how,
- Open Start
- Search and select gpedit.msc
- Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
- Double-click Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
- Select Deny All
- Click Apply
- Click Ok
- Click Yes to confirm
The above will prevent your system from sending your Windows 10 sign-in NLTM credentials to a remote host. However, it should be noted that this method works for Windows 10 Pro or Windows 10 Enterprise. Furthermore, this only works as a temporary measure. If you make this configuration to a Windows 10 device that’s connected to a domain or a file-sharing server, you’ll have problems accessing files on the remote device.
Fixing via Registry
Alternatively, if you’re running Windows 10 Home, this vulnerability could be circumvented via the Registry. Although, do note that editing the registry could have serious repercussions if not done properly. Thereby, remember to take a full backup of your computer should you choose to pursue this method.
- Open Start
- Search for regedit and select top result
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
- Right-click MSV1_0, select New, click DWORD (32-bit) Value
- Name it RestrictSendingNTLMTraffic and press Enter
- Double-click it and set value to 2
- Click Ok
Of course, as with the previous method this is only a temporary measure.
Is Zoom leaking personal data?
According to a report by Motherboard, Zoom may be leaking personal information. As a result, strangers would have the ability to start a video call with random users. The issue stems from its “Company Directory” setting. This setting automatically adds people to a user’s contact list if they share the same domain. However, users allege that it had pooled them together with other users thinking they all worked for the same company. This is despite these users signing up on personal emails.
Following the Motherboard report, Zoom claimed that the company maintained a blacklist of domains. They went on to state that the company has blacklisted the specific domains highlighted on the Motherboard article.
The LinkedIn Sales Navigator problem
Thanks to a service called LinkedIn Sales Navigator, Zoom has been secretly displaying people’s LinkedIn data to other participants. Zoom users that signed up for LinkedIn Sales Navigator were able to access LinkedIn profile data about other users during meetings. Furthermore, this had happened without prior permission from users or notification when other participants were viewing their LinkedIn data.
According to The New York Times, when users sign up for a meeting, Zoom automatically sends names and email addresses to a company system. This company system matches the data with relevant LinkedIn profiles.
Enabling the Linked Sales Navigator meant that users were able to access LinkedIn-specific data such as employer names, locations, job titles, etc. The New York Times further states that users were able to access this LinkedIn data even when signing up invisibly for meetings.
As of 2nd of April, Zoom has permanently removed the LinkedIn Sales Navigator app. The company stated that this was done “after identifying unnecessary data disclosure by the feature”.
Privacy concerns
Additionally, Zoom also raises privacy concerns for users. Recently, it was found that its iOS app sends analytical data to Facebook, or specifically Facebook Graph API. This is regardless of users having Facebook accounts. The primary issue lies with the fact that Zoom users may not be aware of this at all. Users might be signing up for one service, but they may end up providing data to 2 services inadvertently.
The transferred data included OS type and version, iOS Advertiser ID, IP address, device time zone and language, device model, carrier, disk space and screen size. According to Zoom, this data didn’t include meeting-related information.
By the 27th of March, Zoom patched an update on its iOS app addressing the above issue. The update removed the Facebook SDK that was used to implement the “Login with Facebook” feature. This is the feature that sent device data to the Facebook Graph API.
Unfortunately, iOS problems don’t end there. On the 31st of March, there were also concerns raised regarding how Zoom’s iOS installer works around Apple’s OS restrictions. Fortunately, this was fixed, 3 days after the issue was raised.
This isn’t the first time for Zoom
However, this isn’t the first time Zoom had a serious vulnerability in its systems. Back in August 2019, a vulnerability allowed hackers to eavesdrop on private business meetings. The vulnerability was discovered by researchers at Check Point, a cybersecurity company.
The vulnerability was exploited via automated tools to generate random meeting room IDs. These automated tools could be used to generate genuine Zoom links to meetings without the need for passwords. “The additional member would be visible by others in the meeting if they look at the ‘participants’ window in Zoom. But in many cases, Zoom conferences can have 10 or more participants, so the hacker may not be noticed in a large list,” noted Alexander Chailytko, cybersecurity research and innovation manager at Check Point.
Thankfully, this vulnerability was patched back in January 2020.
It’s not end-to-end encryption
Adding to the list of problems for Zoom is how its encryption works. The Intercept reported that Zoom doesn’t use end-to-end encryption, despite company claims. According to the report, the encryption on Zoom communications isn’t end-to-end, rather TLS. This is what’s used to secure HTTPS websites. This is called transport encryption. Essentially, your Zoom meeting video/audio content will likely be safe from hackers. But it won’t stop the company from accessing your content. Usually, end-to-end encryption would prevent this from happening.
Right now, only its in-meeting chat feature seems to have end-to-end encryption. As mentioned in the security white paper, “Zoom uses public and private key to encrypt the chat session with Advanced Encryption Standard (AES-256). Session keys are generated with a device-unique hardware ID to avoid data being read from other devices.”
What is Zoom doing about this?
Following the many questions raised, Zoom CEO Eric S. Yuan addressed the concerns in a company blog post. In it, he states that the company will be freezing all feature updates. Instead, Zoom’s engineering team will focus on upgrading its security over the next 90 days. This includes conducting a series of white box penetration tests and enhancing the current bug bounty program.
As per the blog post, Zoom will also look to being more transparent. Eric goes on to mention that his company is “committed to being transparent throughout this process. We want to do what it takes to maintain your trust.” Notably, the company will be releasing a transparency report that highlights data, records and content matters. Furthermore, Eric will be hosting a weekly webinar to provide privacy and security updates.
“Transparency has always been a core part of our culture. I am committed to being open and honest with you about areas where we are strengthening our platform and areas where users can take steps of their own to best use and protect themselves on the platform.”
– Eric S. Yuan, CEO of Zoom
So far, Zoom has already taken steps to patch existing vulnerabilities. The company removed the Facebook SDK from its iOS client, updated its privacy policy, patched the UNC link issue to name a few. Zoom had also published a blog post addressing the encryption matter.
Should we use Zoom?
Authorities are already questioning the viability of using Zoom. The UK is debating whether its government should use Zoom for its communications. Elon Musk already banned it for SpaceX meetings. Nasa also prevents its employees from using the software for work.
By now, you’re probably asking yourself if you should even use the software. Yes, the software does have several security concerns. But on the bright side, the company appears to be proactively looking to fix its list of security vulnerabilities and privacy concerns. Obviously, this won’t be something that can be fixed with updates over a few days. Until such time, it would probably be wise to utilize alternatives. Apps like Skype’s ‘Meet Now’, Cisco Webex, Slack, Microsoft Teams, and even Google Hangouts may be better options for the time being.
Regardless, hopefully the company will iron out its security lapses soon. Time will tell whether the company’s efforts will come to fruition.