Video meeting platforms such as the one from Zoom Video Communications have become a staple of our current work-from-home circumstances. LBMC recently provided a list of best practices for configuring and using these virtual meeting solutions that can help users reduce the chance of uninvited eavesdroppers or trolls hijacking the meetings. However, Zoom’s rapid rise in popularity has also brought to light some underlying security and privacy concerns with the application itself, prompting Zoom’s founder and CEO Eric Yuan to declare, “I really messed up!” Below is a summary of the security issues that have been identified in the Zoom meeting platform so far.
Zoom Meetings Aren’t End-To-End Encrypted
Zoom represents that its meetings are protected by “end-to-end encryption.” The term end-to-end encryption is commonly interpreted to mean that communications are encrypted all the way from the originator of the message to the recipient. In properly implemented end-to-end encryption, the message cannot be intercepted or read by anyone along the way. However, Zoom meetings are only encrypted between the originating user’s computer and Zoom’s servers. This encryption approach would still protect against a traditional “Man in the Middle” attack on the Internet; however, meetings are susceptible to compromise once they reach Zoom’s servers. Once the information reaches Zoom’s servers, it is decrypted and travels unencrypted throughout Zoom’s environment. This approach allows Zoom to access unencrypted video and audio data from all Zoom meetings (presumably for analytical purposes), but it exposes the meetings to privacy concerns because there can be no assurance that confidential information disclosed in a meeting hosted via Zoom is not known by someone without a true “need to know.” It also means the information in Zoom meetings could be viewed by anyone who has obtained access to the Zoom infrastructure (such as a third-party contractor providing support or an attacker who has compromised the environment).
Zoom’s macOS Installer Improperly Uses Superuser Privileges
A security researcher recently published findings demonstrating that the Zoom MacOS installer application improperly uses macOS Administrator privileges. Typically, when a user installs a macOS application, the installer will run preinstallation scripts to check software compatibility. These scripts are run with elevated privileges needed to access certain secured portions of the MacOS itself. The preinstallation scripts will prompt for user permission before they’re allowed to run. These prompts state that the program will only “determine if the software can be installed.”
Zoom misuses the preinstallation script prompt to install the Zoom application itself. Unbeknownst to a user, allowing Zoom to “determine if the software can be installed” will start the installation process.
Under specific circumstances, Zoom might also prompt the user for approval to use root privileges. Root privileges on MacOS are akin to Local Administrator privileges on Windows systems. These root privilege prompts normally identify the application requesting permission, e.g. “Zoom needs your password to update the existing application.” Instead, Zoom actively changes the message displayed to “System needs your privilege to change (sic).” Most users will assume this prompt is from the macOS system rather than the Zoom application.
While the Zoom macOS application is not malicious, LBMC’s own penetration testers have used similar techniques to successfully compromise computers during simulated attacks.
Zoom’s Windows App Allows Attackers To Steal Windows Credentials
Zoom’s app for Windows automatically converts universal naming convention (UNC) strings into clickable links. While this probably seemed like a helpful convenience when the Zoom programmers were enabling the feature, nefarious attackers can use techniques described in our prior post to Zoom-bomb chat rooms to dupe unsuspecting Zoomers into clicking onto a specially crafted UNC link that will prompt Zoom’s Windows app to send the Windows username and corresponding NTLMv2 hash to the address contained in the link. Attackers could then obtain the user’s cleartext password from the hash. If an attacker has access to a company’s internal network, this information could also be used to access shared network resources and/or to conduct NTLM Relay and “pass the hash” attacks.
Zoom’s iOS App Previously Sent Analytics Data to Facebook
Zoom’s iOS app for Apple tablets and phones was discovered to also send data to Facebook. Data was transmitted from the Zoom iOS app even if the Zoom user did not have a Facebook account. Readers will no doubt remember the backlash that Facebook suffered when the Cambridge Analytica data sharing practices came to light. Zoom’s data sharing will no doubt raise more questions about data aggregation and privacy issues associated with the Facebook ecosystem.
Zoom’s Facebook telemetry was disabled in March 2020 after significant public criticism. However, this past behavior, in conjunction with Zoom’s access to unencrypted meeting data described earlier, raises privacy concerns for users of the platform and undermines the credibility of the company.
Zoom Publishes Private Individual Chat Sessions In Meeting Transcripts
During virtual meetings on the Zoom platform, users can send chat messages to individual users as well as the entire group of participants in the call. Of course, if a user is choosing to send a message to a single individual during a meeting, that user is expecting that the chat itself is private and can only be seen or accessed by the intended recipient. However, the meeting host can choose to download meeting transcripts to their local computer at the conclusion of the meeting (in the vein of capturing “meeting minutes”). If they do so, the contents of all individual messages sent and received between any individuals in the meeting are saved to the transcript, and are thereby visible to the meeting host, as well as any other user with access to the local Zoom meeting files. (Better not use the Zoom chat feature to make disparaging comments about the meeting host!)
Brace for Impact
Zoom’s virtual meeting platform has provided a helpful communications medium for many people who are desperately longing to interact with friends, loved ones, classmates, co-workers, and fellow church members. While the Zoom platform will continue to be a source of social interaction for people who are relegated to their homes during the pandemic, it could also be a means of compromise for malicious attackers and Internet trolls. Companies and individuals using the solution should be aware of the security concerns noted here and determine whether those issues merit the exclusion of Zoom from the solution options for virtual meetings.
It should be noted that as this post is being written, Zoom claims that the MacOS, Windows app, and iOS app issues noted here have been patched. In the meantime, on April 1, Zoom indicated it will suspend the development of any new features for its platform to completely focus on the security and privacy issues that have been identified with the platform. While this is an appropriate response, it’s frustrating that once again it has taken public backlash to prompt an organization to take cybersecurity seriously. While these security issues are the most recent to come to light, they are likely not the last ones we will see as the popularity of the Zoom meeting platform continues to grow, drawing additional attention from attackers as a new source of compromise.
Our team at LBMC can help you ensure that your remote workforce and your use of virtual meeting platforms is secure. Contact us for more information.
Cybersecurity Sense Podcast
Want more information about Zoom’s security? Listen to our Cybersecurity Sense podcast.