Why I Still Trust Zoom

I've been getting some questions at the office regarding Zoom's recent "Security and Privacy issues". I decided to put my thoughts on these issues down in writing here.

As of now we have not seen any issues with Zoom that would justify looking at other options. Zoom has responsibly reported issues, corrected them very quickly, and been open and transparent. We have configured our Zoom accounts to appropriately apply security settings so that our meetings are private and secure. We've also produced training documents for Staff on how to best use Zoom to ensure we are able to use it in a HIPAA compliant manner.

One of the questions I received was about this article (https://www.cbsnews.com/news/zoom-app-personal-data-selling-facebook-lawsuit-alleges/). It relates to Zoom's use of a Software Development Kit (SDK) from Facebook. This isn't software that was developed by Zoom; it was linked into Zoom's application on Apple iOS devices (iPhones and iPads) to allow users to sign in using their Facebook accounts, and because of the way Facebook engineered this SDK, it allowed personal information to be sent back to Facebook. Zoom has since modified the way they handle logins to their systems when using Facebook to prevent this. Unfortunately, this same SDK is in use on many other iOS applications that have not been corrected, as well as hundreds of thousands of websites.

Many other Video Conferencing solutions have had similar issues recently; however, since Zoom is the market leader in that area, they have been getting most of the press coverage. Many of the issues reported recently have been poorly reported or exaggerated by the media. Most of these reports are around consumers using Zoom for private/personal meetings, whereas Zoom was designed as business software. All the security issues that have been reported recently have been corrected by Zoom, often in as little as a day. Several others were a result of issues with other companies' technology.


UNC Links in chat could expose users' Windows credentials

Link: https://www.forbes.com/sites/kateoflahertyuk/2020/04/01/zoom-user-warning-this-issue-could-allow-attackers-to-steal-windows-users-passwords/#6d48b45561fd

Fix: April 2, 2020, Windows version 4.6.9 (19253.0401). Zoom updated chat settings so that UNC links are no longer clickable.

Who is at fault: Microsoft - Lazy/Uninformed SysAdmins who have not prevented this from being possible in corporate networks.

My Notes: This is a critical issue in Windows. Microsoft should have patched this years ago! For corporations this can be fixed at the Domain Level by applying a group policy.

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers. Set to "Deny All"
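The chat-side fix above (not rendering UNC paths as clickable links) is easy to get wrong in a generic "linkify everything that looks like a path or URL" routine. Below is an added example, not Zoom's code, showing how a chat renderer can link only http(s) URLs while leaving UNC paths and file:// references as plain text, plus a helper a defender can use to flag messages that carry such paths for logging. The sample messages are constructed for the example.

```python
import re
from html import escape

# http(s) URLs that a chat client would normally turn into clickable links.
HTTP_URL = re.compile(r"https?://[^\s<>\"']+")

# UNC paths (\\server\share\...) and file:// references to a share. Clicking
# either on Windows can trigger an SMB connection and an NTLM handshake, so a
# renderer must never turn them into links.
UNC_PATH = re.compile(r"(?:\\\\[^\s\\]+\\[^\s]*|file://[^\s]+)", re.IGNORECASE)


def find_unc_paths(message: str) -> list:
    """Return every UNC path or file:// reference in a chat message.

    Useful for logging or alerting on messages that carry share paths,
    independent of how the client renders them.
    """
    return UNC_PATH.findall(message)


def render_chat_message(message: str) -> str:
    """Render a chat message as HTML, linking only http(s) URLs.

    Whitespace is preserved; every other token (including UNC paths) is
    HTML-escaped and emitted as plain text rather than an anchor.
    """
    out = []
    for part in re.split(r"(\s+)", message):
        if HTTP_URL.fullmatch(part):
            safe = escape(part, quote=True)
            out.append(f'<a href="{safe}">{safe}</a>')
        else:
            # UNC paths, file:// references and ordinary words are never linked.
            out.append(escape(part))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample message: one share path, one normal web link.
    sample = "see \\\\corp-fs01\\share\\notes.txt and https://example.com/agenda"
    print(render_chat_message(sample))
    print("flagged paths:", find_unc_paths(sample))
```

The renderer treats tokens with a whitelist (only http/https becomes an anchor) rather than a blacklist of bad prefixes, so a new scheme or a differently written share path defaults to plain text.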


Zoom's use of the Facebook SDK allowed device metadata to leak back to Facebook

Link: https://threatpost.com/zoom-kills-ios-apps-data-sharing-facebook/154275/

Fix: March 27, 2020, iOS version 4.6.9 (19213.0327). Zoom changed the way they handle the Facebook Login integration to prevent this.

Who is at fault: Facebook

My Notes: This is a Facebook issue; should we be surprised that Facebook's SDK would send data back to Facebook? Despite the number of privacy issues coming from Facebook, people still willingly fill that site with their most personal information...


User Uploaded Meeting Recordings Stored without Access Controls (Publicly)

Link: https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

Fix: User Education

Who is at fault: End Users/Meeting Hosts

My Notes: Zoom's only fault in this is that they are using a consistent naming structure for meeting records. As an IT Manager who has hundreds of recorded meetings in our repository I value this consistent naming structure as it makes it very easy to search and sort previous meetings.


TITLE

Link: https://www.nytimes.com/2020/04/03/technology/zoom-harassment-abuse-racism-fbi-warning.html

Fix:

Who is at fault:

My Notes:


TITLE

Link: https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos

Fix:

Who is at fault:

My Notes:


TITLE

Link: https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/

Fix:

Who is at fault:

My Notes:


Zoom Advertising Meetings as End to End Encrypted

Link: https://theintercept.com/2020/03/31/zoom-meeting-encryption/

Fix:

Who is at fault: Zoom

My Notes: Zoom Meetings are fully encrypted while they transit the internet. However, they are technically decrypted and then re-encrypted at Zoom's servers, so that the connections between the central point (Zoom) and the End Users are all encrypted. While this is not "End to End Encryption", it is encrypted between each end point. Services like Zoom become much more complicated and are able to offer fewer services (like Cloud Recordings and telephone connections) when true End to End Encryption is used.

Unfortunately, the way this has been reported would lead an uninformed consumer to believe that Zoom is somehow now totally unencrypted and public; this could not be further from the truth. This is just as encrypted as the majority of other Video Conferencing solutions and the vast majority of other internet based services that most people use on a daily basis.
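The difference between the hop-by-hop model described above and true End to End Encryption comes down to who holds which key. The following added example, which is not Zoom's code or protocol, models a meeting server that relays traffic between two participants in both modes. Each participant shares a transport key with the server; in E2E mode they additionally share a meeting key the server never receives. The cipher is a deliberately simple illustrative construction (an HMAC-SHA256 keystream XORed over the message, with no authentication tag) chosen only so the example runs on the standard library; it is an assumption of the example, not what Zoom uses.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream encryption (no integrity protection): nonce || plaintext XOR keystream."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Relay:
    """The meeting server. It holds one transport key per participant, and
    records whatever it can read after stripping the transport layer (this is
    what cloud recording or a dial-in bridge would work from)."""

    def __init__(self):
        self.transport_keys = {}
        self.observed = []

    def register(self, name: str) -> bytes:
        key = os.urandom(32)
        self.transport_keys[name] = key
        return key

    def forward(self, sender: str, recipient: str, blob: bytes) -> bytes:
        inner = decrypt(self.transport_keys[sender], blob)   # strip sender's hop
        self.observed.append(inner)                           # server-visible payload
        return encrypt(self.transport_keys[recipient], inner)  # re-wrap for recipient


class Participant:
    def __init__(self, name: str, relay: Relay, meeting_key: bytes = None):
        self.name = name
        self.transport_key = relay.register(name)
        self.meeting_key = meeting_key  # None means transport-only (hop-by-hop)

    def send(self, relay: Relay, recipient: "Participant", message: bytes) -> bytes:
        payload = message if self.meeting_key is None else encrypt(self.meeting_key, message)
        return relay.forward(self.name, recipient.name, encrypt(self.transport_key, payload))

    def receive(self, blob: bytes) -> bytes:
        payload = decrypt(self.transport_key, blob)
        return payload if self.meeting_key is None else decrypt(self.meeting_key, payload)


def run_meeting(end_to_end: bool, message: bytes = b"quarterly numbers"):
    """Send one message from alice to bob through the relay.

    Returns (what bob received, what the relay could observe)."""
    relay = Relay()
    meeting_key = os.urandom(32) if end_to_end else None  # shared out-of-band, never sent to relay
    alice = Participant("alice", relay, meeting_key)
    bob = Participant("bob", relay, meeting_key)
    delivered = bob.receive(alice.send(relay, bob, message))
    return delivered, relay.observed[0]


if __name__ == "__main__":
    for mode in (False, True):
        delivered, seen = run_meeting(end_to_end=mode)
        print("E2E" if mode else "hop-by-hop", "| bob got:", delivered,
              "| relay saw plaintext:", seen == delivered)
```

In both modes every link is encrypted on the wire and bob receives the message intact; the only difference is that in E2E mode the relay's observed payload is still ciphertext under a key it does not have, which is exactly why server-side features that need the content (cloud recording, telephone dial-in transcoding) cannot work without a different design.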


MacOS installer uses non-standard method to allow easier install for end users

Link: https://appleinsider.com/articles/20/04/01/two-more-macos-zoom-flaws-surface-as-lawsuit-government-probe-loom

Link: https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/

Fix:

Who is at fault: Apple

My Notes: Fixed two days later. It isn't malicious; it just uses a non-standard install method (that is fully allowed by Apple). The original article that posted this discovery was titled "Good Apps behaving badly", which is so very accurate. Zoom isn't doing anything wrong per se here, and certainly isn't doing anything that other MacOS apps are not also doing. The real issue is that Apple's install process isn't easy or end user friendly, and that they haven't done anything to prevent this method.


TITLE

Link: https://ca.news.yahoo.com/video-zoom-taking-security-seriously-165741701.html

Fix:

Who is at fault:

My Notes: