How Secure is Zoom Really?

by Jay Pasricha

In this time of lockdown and self-isolation, the ability to communicate with others is essential in order to stay informed and to ward off insanity. With this in mind, the sudden boom in popularity of video call services is unsurprising. The videoconferencing software Zoom has reported that it has brought in more new active users this year so far than it did throughout the entirety of 2019. With a monthly userbase of around 13 million, the security of Zoom has begun to come into question. How secure can a service like this really be?

One of the primary issues with Zoom is password protection. Anyone who has used Zoom will know that accessing a call involves entering a room code (which has a standard format) and sometimes entering a passcode. Passwords are currently enabled by default, but this has not always been the case. In January of this year, before passwords were enabled by default, a team of researchers at Check Point Research decided to create a program dubbed “zWarDial”. This was designed to generate Zoom room codes that fit the basic standard format. The program was shown to find 110 meetings per hour and to have a 14% success rate. Whilst this isn’t 100%, that’s a worryingly high chance of finding a meeting which the outside world was not supposed to see. Don’t worry, the researchers reported their findings to Zoom and passwords are now enabled by default. However, they are still not mandatory, leaving room for malicious “zoom-bombing” to take place. This term refers to the unexpected or unauthorised joining of a Zoom call by a user who was not invited. It is certainly concerning that any member of the public could attempt this. This is just one of the security issues hiding behind the free-to-all mask of Zoom.

Another shocking discovery made by a member of the public about Zoom concerns its encryption. Until early April this year, the official Zoom documentation, the Zoom website and the Zoom application all stated that “end-to-end encryption” was used as a part of their service. Unfortunately, this was discovered to be false. I’ll come back to the lies in a moment. Zoom’s encryption and decryption use AES in ECB mode, which is widely regarded as weak for this purpose. This is because in ECB mode every block of plaintext is encrypted independently, so identical blocks of input produce identical blocks of output and a “pattern” is retained after encryption. This basically means that any video footage encrypted by Zoom can still be made out, just in a degraded form. As the image accompanying this article shows, this is clearly insufficient encryption for a videoconferencing service. Now, back to the end-to-end controversy. When confronted with the fact that they lied about their use of end-to-end encryption, Zoom offered a rather disappointing response. Zoom officials stated that they were not using the "commonly accepted definition of end-to-end encryption". They have since apologised for this miscommunication and have removed the term "end-to-end encryption" from their whitepaper and their website. Yet again, seeds of doubt are being sown concerning the security of the conversations we have on Zoom.
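To show why ECB mode retains a “pattern”, here is an added example that is not from the article or from Zoom: a toy Feistel block cipher stands in for AES (so the script runs offline), a constructed checkerboard “frame” is encrypted in ECB and in CBC mode, and the number of distinct ciphertext blocks is counted. The key, IV and frame are all constructed values for the demonstration.

```python
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round Feistel network with SHA-256 as the
    round function. A stand-in for AES so the example runs offline; NOT a real cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block encrypted on its own, so equal plaintext blocks give equal ciphertext blocks."""
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block before encryption, masking repeats."""
    assert len(data) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def distinct_blocks(ciphertext: bytes) -> int:
    """Unique 16-byte blocks in a ciphertext. A count far below the number of blocks
    means plaintext structure survived encryption: the ECB 'pattern'."""
    return len({ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)})


def make_frame(rows: int = 8, cols: int = 8) -> bytes:
    """Constructed stand-in for a video frame: a checkerboard of 16-byte 'pixels',
    so the whole frame consists of only two distinct plaintext blocks."""
    black, white = bytes(BLOCK), b"\xff" * BLOCK
    return b"".join(black if (r + c) % 2 == 0 else white for r in range(rows) for c in range(cols))


KEY = b"constructed-demo-key"  # constructed value, not a real key
IV = bytes(range(BLOCK))        # constructed, fixed IV so the run is reproducible

if __name__ == "__main__":
    frame = make_frame()
    total = len(frame) // BLOCK
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(KEY, frame)), "of", total)
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(KEY, IV, frame)), "of", total)
```

With ECB the ciphertext has the same two-block checkerboard layout as the frame, which is exactly what lets an image remain recognisable; CBC (or, better, an authenticated mode such as GCM) turns every block into a different value.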

Many other concerning issues involving Zoom’s security have been highlighted in recent months. Some of these involve encryption keys being routed through China despite the servers being located in America. Zoom’s excuse for this incident was that Chinese servers were “accidentally added to a list of servers for users outside of the China server area”. This mishap may have been easily solved, but it is undeniable that an app with easily identifiable security faults which stores its encryption keys on offshore Chinese servers presents a tempting opportunity for any well-resourced group to attempt an attack.

All of the points I have made above have, in fairness, been addressed and resolved fairly quickly by Zoom. However, many issues which have been discovered have not been addressed. For example, a researcher recently discovered thousands of Zoom subdomains which used very worrying terminology. Words such as “tracking”, “face”, and “reporting” were found in these subdomains, which is enough to put anyone on edge. Another unresolved security concern was reported by the Washington Post earlier this month. They reported that thousands of personal Zoom videos have been left viewable on the open web. This is because Zoom’s recording software uses extremely generic and standard file names, meaning that a simple Google search will return a long stream of videos for anyone to download and watch. Zoom doesn’t record every call, but recording is an option that the host can select, and this option results in the call being stored on a Zoom server. It should be noted that the most probable reason this is yet to be resolved is that Zoom has only recently been informed.

Whilst there is clearly a long string of privacy and security concerns surrounding this widely used service, I won’t lie and say I don’t use it. I have just been talking about how many issues there are, but please do not let your takeaway from this be that you should stop using Zoom. Just keep in mind, whilst using it, that the service is not 100% secure. This is fine for the average, everyday conversation. To ensure maximum security in your call, always enable a password and avoid recording the call unless absolutely necessary. This article is not anti-Zoom propaganda; it is simply meant to inform you of the risks taken when using the service. Please continue to keep in touch with your family and friends, just make sure you stay safe whilst you do so.