Coronavirus Made Zoom Popular But Uncovered Its Security Flaws

The global COVID-19 epidemic has worsened since March. Not only have more and more large businesses sent their staff home to work remotely, but many schools have moved their classes online during lockdowns. Video meeting applications like Zoom have surged in popularity. Zoom was designed for enterprise customers across industries, but more and more people began using it for other purposes, and many teachers turned to it for online lessons. By Zoom's own figures, its daily meeting participants grew from 10 million in December 2019 to 200 million in March 2020.

This would seem an ideal opportunity to grow Zoom's user base, but it has proved a double-edged sword. As one security flaw after another came to light, Zoom faced a backlash from several quarters, and whether it can hold on to its new popularity through the epidemic is far from certain.

After a series of incidents in which uninvited strangers broke into schools' online classes, the FBI's Boston field office issued a warning about Zoom, advising users not to make meetings public and not to post meeting IDs or links on social media. SpaceX told employees by email to stop using Zoom immediately, and NASA banned its employees from using it, according to spokeswoman Stephanie Schierholz.

1. Zoom bombing

With Zoom's default settings at the time, a meeting was protected only by its meeting ID: no password was required to join and any participant could share their screen. Anyone who obtained or guessed a meeting ID could therefore join uninvited, and strangers joining meetings to shout abuse or share offensive content, often forcing the host to end the call, became known as "Zoom bombing."

2. Send user information to Facebook

On March 26, Motherboard revealed that the Facebook SDK embedded in Zoom's iOS app sent data to Facebook whenever a user opened the app, including the device model, time zone and city, carrier, and the device's advertising identifier. This happened even for users with no Facebook account, and Zoom's privacy policy did not mention it. Zoom removed the SDK in an app update the following day.

3. Expose the Windows credentials of users

On March 31, Motherboard reported a second problem, this one in how Zoom's settings group users, and researchers disclosed a separate flaw in the Windows client the same week.

Zoom's "Company Directory" groups users who registered with the same email domain so that colleagues can find each other. Zoom keeps a list of large consumer email providers as exceptions, but users who signed up with addresses from smaller personal providers were grouped together with complete strangers on the same domain, who could then see their names, profile photos and email addresses.

Separately, the Windows client was found to be vulnerable to UNC path injection. The meeting chat turned any text of the form \\server\share into a clickable link, just as it did ordinary URLs. If a participant clicked a link pointing at an SMB server controlled by an attacker, Windows would try to open the share and, in doing so, send the user's Windows username and NTLM password hash (the NetNTLMv2 challenge-response) to that server, where the hash can be cracked offline.

Because the client also turned local paths into links, a crafted message could launch programs such as a command prompt on the victim's machine. The reports of a local, non-privileged attacker gaining elevated access and piggybacking on Zoom's microphone and camera permissions concerned separate bugs in the macOS client, disclosed around the same time, not the UNC flaw. Zoom fixed the UNC link handling in its April 1 Windows update; administrators can also blunt this whole class of attack by setting the Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to "Deny all" and blocking outbound SMB (TCP 445) at the network edge.
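
The following is an added example, not Zoom's code (which is not public): a Go sketch of the link handling in a chat pane, with the vulnerable policy that makes any path-like token clickable beside a hardened policy that parses each candidate and accepts only http/https URLs with a host. The chat message, host name and paths are constructed for the example.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
	"strings"
)

// Constructed chat message (not a real capture): an attacker posts a UNC path to a
// host they control and a path to a local executable next to an ordinary URL.
const sampleChat = `Slides: \\evil.example\share\slides.pptx  Join: https://zoom.example/j/123  Calc: C:\Windows\System32\calc.exe`

// linkCandidate matches the three token shapes a naive linkifier would turn into
// links: http(s) URLs, UNC paths (\\host\share\...) and drive-letter paths (C:\...).
var linkCandidate = regexp.MustCompile(`https?://[^\s<>"']+|\\\\[^\s\\]+\\[^\s]+|\b[A-Za-z]:\\[^\s]+`)

// AllowAnything is the vulnerable policy: whatever looks like a URL or path becomes
// clickable. A clicked UNC link makes Windows open the share over SMB and send the
// user's NetNTLMv2 challenge-response to the attacker's host; a clicked local path
// asks Windows to run that program.
func AllowAnything(string) bool { return true }

// AllowWebOnly is the hardened policy: parse the candidate and accept only http or
// https with a non-empty host, so UNC and drive paths stay inert text.
func AllowWebOnly(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// LinkTargets returns the candidates the given policy would render as clickable.
func LinkTargets(msg string, allow func(string) bool) []string {
	var out []string
	for _, tok := range linkCandidate.FindAllString(msg, -1) {
		if allow(tok) {
			out = append(out, tok)
		}
	}
	return out
}

// Render produces the HTML the chat pane would show under a policy: accepted
// candidates become anchors, everything else is HTML-escaped plain text.
func Render(msg string, allow func(string) bool) string {
	var b strings.Builder
	last := 0
	for _, m := range linkCandidate.FindAllStringIndex(msg, -1) {
		b.WriteString(html.EscapeString(msg[last:m[0]]))
		tok := msg[m[0]:m[1]]
		esc := html.EscapeString(tok)
		if allow(tok) {
			fmt.Fprintf(&b, `<a href="%s">%s</a>`, esc, esc)
		} else {
			b.WriteString(esc)
		}
		last = m[1]
	}
	b.WriteString(html.EscapeString(msg[last:]))
	return b.String()
}

func main() {
	fmt.Println("vulnerable policy links:", LinkTargets(sampleChat, AllowAnything))
	fmt.Println("hardened policy links:  ", LinkTargets(sampleChat, AllowWebOnly))
	fmt.Println(Render(sampleChat, AllowWebOnly))
}
```

The fix is a scheme allow-list rather than a UNC deny-list: `url.Parse` treats `C:\...` as an opaque URL with scheme `c` and `\\host\share` as a bare path with no scheme or host, so both fall through the same check without special-casing either shape.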

4. Video meetings don’t support end-to-end encryption

Zoom marketed its video meetings as end-to-end encrypted, widely regarded as the strongest form of protection for Internet communication. With true end-to-end encryption only the participants hold the keys, so neither third parties nor Zoom itself can read the content.

However, according to The Intercept, Zoom applied end-to-end encryption only to in-meeting text chat and part of the audio. Video meetings were not end-to-end encrypted: the connection between each client and Zoom's servers was protected by transport encryption (TLS), but Zoom's servers held the meeting keys and could decrypt the audio and video passing through them.

5. Route non-China users' calls through China

Citizen Lab later found that Zoom sometimes routed meeting traffic, including the encryption keys generated by Zoom's servers, through servers in China even when every participant was in North America. Since Zoom's servers generate and distribute the meeting key, whoever controls the server that handled the key can decrypt the meeting.
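
An added example to make the distinction in sections 4 and 5 concrete. It is not Zoom's code or protocol: AES-128-GCM is simply the cipher chosen for the illustration, and the media frame, meeting ID and the host-to-participant key channel are constructed. A relay that generates and hands out the meeting key can read every frame it forwards; a relay that only forwards frames encrypted under a key the host shares directly with participants cannot, even though the bytes on the wire look the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed media frame standing in for one packet of meeting audio.
var sampleFrame = []byte("audio frame 0001: host says hello")

// Relay models the meeting server that forwards encrypted frames between
// participants. It remembers only the keys it generated itself.
type Relay struct {
	mintedKeys map[string][]byte // meeting ID -> key, filled only when the server mints the key
}

func NewRelay() *Relay { return &Relay{mintedKeys: map[string][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// MintMeetingKey is the server-held arrangement the article describes: the server
// generates the meeting key and delivers the same key to every client, so whoever
// operates the server that handled the key can decrypt.
func (r *Relay) MintMeetingKey(meetingID string) []byte {
	key := randomBytes(16)
	r.mintedKeys[meetingID] = key
	return key
}

// HostMintsKey is the end-to-end arrangement: the host generates the key and shares
// it with participants over a channel the relay never sees. That channel is assumed
// here; a real design would run a key agreement rather than ship a raw key.
func HostMintsKey() []byte { return randomBytes(16) }

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal encrypts one frame with AES-128-GCM and returns nonce || ciphertext || tag.
func Seal(key, frame []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, frame, nil)
}

// Open reverses Seal; it fails if the key is wrong or the frame was tampered with.
func Open(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("frame too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Intercept is all the relay can do with a frame it forwards: try the key it holds
// for that meeting, if it holds one.
func (r *Relay) Intercept(meetingID string, blob []byte) ([]byte, bool) {
	key, ok := r.mintedKeys[meetingID]
	if !ok {
		return nil, false
	}
	pt, err := Open(key, blob)
	return pt, err == nil
}

// RunMeeting sends one frame from host to participant through the relay and reports
// who could read it. serverIssued selects which side generated the key.
func RunMeeting(serverIssued bool) (relayReads, participantReads bool) {
	const meetingID = "123-456-7890" // constructed
	relay := NewRelay()
	var key []byte
	if serverIssued {
		key = relay.MintMeetingKey(meetingID) // server hands this to host and participant
	} else {
		key = HostMintsKey() // host hands this to the participant, bypassing the relay
	}
	blob := Seal(key, sampleFrame) // host -> relay
	_, relayReads = relay.Intercept(meetingID, blob)
	pt, err := Open(key, blob) // relay -> participant
	participantReads = err == nil && string(pt) == string(sampleFrame)
	return relayReads, participantReads
}

func main() {
	for _, serverIssued := range []bool{true, false} {
		r, p := RunMeeting(serverIssued)
		fmt.Printf("server-issued key: %-5v  relay can read: %-5v  participant can read: %v\n", serverIssued, r, p)
	}
}
```

The point the example isolates is key custody, not cipher strength: in both runs the frame is encrypted with the same algorithm, and the only thing that changes what the relay can read is which party generated the key and who received a copy.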

6. More security concerns

Some users also found that meeting hosts and account administrators had access to a great deal of monitoring information, including an "attention tracking" indicator that showed whether a participant had the Zoom window out of focus for more than 30 seconds, along with participants' IP addresses, device details and approximate location. This caused further concern among Zoom users, and Zoom's April 1 announcement said the attention tracker would be removed permanently.

How did Zoom respond to these security issues?

Facing these vulnerabilities, Zoom CEO Eric Yuan (Yuan Zheng) publicly apologised on April 1 and announced a 90-day freeze on new features, with all engineering resources redirected to fixing existing security and privacy issues.

It also committed to addressing issues found by users and researchers as quickly as possible. In Yuan's words:

“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.”

How to avoid falling victim to Zoom's security vulnerabilities?

Given the vulnerabilities surfaced by users and researchers, many people may want to leave Zoom and look for alternatives. Others will keep using it. To use Zoom as safely as possible while keeping social distance, follow these tips from security researchers:

  • Beware of emails and files from unknown sources. Don't click suspicious links or attachments received by email, and check for look-alike domain names, misspelled addresses and unfamiliar senders.
  • Don't sign up for Zoom with a social media account. It saves time, but it links more of your personal data to Zoom and to that network. Use a strong, unique password for your Zoom account and enable two-factor authentication.
  • Require a password for your meetings, and don't post meeting links or meeting IDs publicly.
  • If you need to check email or chat with other participants privately during a meeting, do it on another device rather than in another window on the machine running Zoom.
  • Last but not least, use a VPN service, a basic precaution for any remote work. A VPN hides your IP address from the services you connect to and encrypts your traffic on the path to the VPN provider. Be clear about what it does not do: it has no effect on Zoom bombing, and your meeting content still reaches Zoom's servers exactly as before.
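
The two tips about passwords and public links can be enforced before an announcement goes out. The following is an added example, not from the article or from Zoom: a Go pre-publication check that scans text for Zoom join links, flags links that carry the passcode in the `pwd` query parameter (anyone who sees the text can join without being asked for anything), and catches meeting IDs spelled out in prose. The announcement text, meeting IDs and passcode are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed announcement text (not a real post): the first link carries its
// passcode in the URL, the second is bare, and the meeting ID is also written out.
const samplePost = `Open lecture Monday: https://us02web.zoom.us/j/1234567890?pwd=c29tZXBhc3Njb2Rl
Backup room: https://zoom.us/j/98765432109 (Meeting ID: 987 6543 2109, passcode sent by mail)`

// Finding describes one Zoom join link found in the text.
type Finding struct {
	URL            string
	MeetingID      string
	EmbedsPasscode bool // ?pwd=... present: the link alone admits anyone who sees it
}

var (
	// zoom.us and its regional or vanity subdomains, /j/<9-11 digit meeting ID>, optional query.
	joinLink = regexp.MustCompile(`https?://(?:[A-Za-z0-9-]+\.)*zoom\.us/j/\d{9,11}(?:\?[^\s<>"')]*)?`)
	// "Meeting ID: 987 6543 2109" style mentions, digits grouped by spaces or dashes.
	bareID   = regexp.MustCompile(`(?i)\bmeeting\s*id\s*[:#]?\s*(\d{3}[ -]?\d{3,4}[ -]?\d{3,4})\b`)
	nonDigit = regexp.MustCompile(`\D`)
)

// FindJoinLinks returns every Zoom join link in text and whether it embeds a passcode.
func FindJoinLinks(text string) []Finding {
	var out []Finding
	for _, raw := range joinLink.FindAllString(text, -1) {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		out = append(out, Finding{
			URL:            raw,
			MeetingID:      strings.TrimPrefix(u.Path, "/j/"),
			EmbedsPasscode: u.Query().Get("pwd") != "",
		})
	}
	return out
}

// FindBareMeetingIDs returns meeting IDs written out in prose, normalised to digits.
func FindBareMeetingIDs(text string) []string {
	var out []string
	for _, m := range bareID.FindAllStringSubmatch(text, -1) {
		out = append(out, nonDigit.ReplaceAllString(m[1], ""))
	}
	return out
}

// Warnings turns the findings into the messages a pre-publication check would show.
func Warnings(text string) []string {
	var w []string
	for _, f := range FindJoinLinks(text) {
		if f.EmbedsPasscode {
			w = append(w, fmt.Sprintf("link for meeting %s embeds its passcode; anyone who sees this text can join", f.MeetingID))
		} else {
			w = append(w, fmt.Sprintf("link for meeting %s is public; make sure the meeting requires a passcode", f.MeetingID))
		}
	}
	for _, id := range FindBareMeetingIDs(text) {
		w = append(w, fmt.Sprintf("meeting ID %s is written out in the text", id))
	}
	return w
}

func main() {
	for _, w := range Warnings(samplePost) {
		fmt.Println("WARNING:", w)
	}
}
```

Run it over anything destined for a public page, mailing list or social post. A link with an embedded passcode is the worst case, since publishing it cancels out the password protection recommended above; a bare link or ID is still worth a second look before it goes out.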
