Zoom and its security shortcomings
Technology - May 12, 2020
Zoom was a successful and well-known company even before the pandemic, but today it has become a household name. The workplace has moved online, and businesses and educational institutions are looking to ensure business continuity through digital channels. That continuity is only possible if businesses maintain their communication channels and teams coordinate through them. Before the pandemic, the demand for such communication solutions was steady; once the pandemic started and people began working remotely, this demand exploded. Thanks to its easy-to-use platform, Zoom was able to capitalize on the demand and swiftly established itself as a market leader. The numbers are staggering: over the past month, Zoom's user base increased from 10 million daily users to 300 million.
However, with its swift rise, Zoom has also become a very visible target for hackers and trolls; users have started reporting frequent disruptions, and reported breaches are climbing every day. People have grave concerns over the security measures applied by Zoom, and big names like Elon Musk and even NASA have banned Zoom for their employees.
Like every software platform, Zoom relies on the personal and professional credentials of its user base to operate, and a platform cannot allow the identities of its users to be compromised. A few years back, hackers used forged cookies to breach 32 million Yahoo accounts; it severely tarnished Yahoo's reputation and had serious financial consequences.
For some, the concerns with Zoom go beyond identity theft: it has servers in China and, under Chinese regulations, is obliged to share data with the Chinese government. Users, companies and even governments are concerned not just with the privacy aspect but also with Zoom's ethical practices.
Let us explore some of these concerns one by one.
1) Zoom leaks your personal information to Facebook.
Zoom uses the Facebook software development kit (SDK) on Apple platforms, and critics are concerned that Zoom's iOS app sends your personal data to Facebook. This is also true for iOS users who don't even have a Facebook account!
Ever since this news broke, Zoom acted promptly by pulling the Facebook SDK from its iOS app and removing the "Login with Facebook" feature.
2) Zoom's calls and conferencing are prone to eavesdropping
Tech reporters for The Intercept reported that, in spite of its claims, Zoom's meetings are not end-to-end encrypted. After further investigation, it became clear that Zoom does not actually enforce end-to-end encryption in video conferences. The same goes for the rest of Zoom's cryptographic protections, which are almost nonexistent. This makes Zoom conferences quite vulnerable to external attacks.
The encryption which Zoom offers is comparable to E2E, but it isn't real E2E. The defining property of E2E is that nobody except the parties in the conference can read the conference contents. The same isn't true of the security Zoom provides. Nevertheless, Zoom's security isn't substandard: for example, your call content is not visible to your ISP or to people on your local network, and you get roughly as much protection as an HTTPS session. This is more than satisfactory for everyday use, but considering the scale, scope and sensitivity of the privacy and security concerns, Zoom should introduce strong end-to-end encryption for its video conferencing feature.
3) Zoom can expose your Windows passwords.
Zoom has a clear UNC (Universal Naming Convention) path rendering issue. It was reported that Zoom chat turns UNC paths into clickable links on Windows clients. If an unsuspecting user clicks such a link, their Windows credentials (including the NTLM credential hash, which can be cracked offline to recover the password) are sent to a server chosen by the attacker. This way, attackers can steal your Windows user name and password.
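The mitigation for this class of bug is on the rendering side: never turn a UNC path into a link. The following Go program is an added example, not Zoom's code; the two regular expressions and the sample chat lines are constructed here, and it shows both a detector for UNC paths in chat text (useful for reviewing chat logs) and a linkifier that only ever makes http(s) URLs clickable.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
)

// Constructed patterns (not Zoom's code): web URLs that may become links, and
// UNC paths (\\server\share\...) that must never be rendered clickable, since
// following one makes Windows open an SMB session to that server.
var (
	webURL  = regexp.MustCompile(`https?://[^\s<>"']+`)
	uncPath = regexp.MustCompile(`\\\\[A-Za-z0-9._-]+\\[^\s<>"']+`)
)

// findUNCPaths returns every UNC path in a chat message, for log review or for
// flagging a message before it is rendered.
func findUNCPaths(msg string) []string {
	return uncPath.FindAllString(msg, -1)
}

// linkifySafe turns only http(s) URLs into anchors and HTML-escapes everything
// else, so a UNC path reaches the user as inert text, not a link.
func linkifySafe(msg string) string {
	var out string
	last := 0
	for _, loc := range webURL.FindAllStringIndex(msg, -1) {
		out += html.EscapeString(msg[last:loc[0]])
		u := html.EscapeString(msg[loc[0]:loc[1]])
		out += fmt.Sprintf(`<a href="%s">%s</a>`, u, u)
		last = loc[1]
	}
	return out + html.EscapeString(msg[last:])
}

func main() {
	// Constructed sample chat lines.
	for _, m := range []string{
		`agenda: https://example.com/notes`,
		`open \\fileserver\shared\deck.pptx please`,
	} {
		fmt.Printf("UNC paths found: %q\n", findUNCPaths(m))
		fmt.Println(linkifySafe(m))
	}
}
```

On the endpoint side, administrators can additionally limit the damage of any such link by restricting outgoing NTLM authentication to remote servers via Group Policy and by blocking outbound SMB (TCP 445) at the network edge.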
4) Zoom tricks users into installing it.
It is reported that Zoom abuses the preinstall scripts that macOS runs for flat .pkg installer files, so the app is installed before the user has actually consented. Zoom's CEO, Eric Yuan, acknowledged the flaw on Twitter and said that Zoom is working on a fix.
5) Zoom can be used by attackers to install malware
Attackers can take advantage of Zoom's software architecture by exploiting two local privilege issues. The first is the preinstaller technique described above, which an attacker already on the machine can abuse to obtain root; the other abuses weaknesses in Zoom's library validation to override library functions and obtain microphone and webcam permissions without the user ever granting them.
Zoom has acted on the issue and released an update that has seemingly resolved the issue.
6) Zoom's encryption and Chinese access to Zoom's data.
Zoom's encryption capability has been under a lot of scrutiny. It is reported that Zoom uses the Advanced Encryption Standard (AES) in Electronic Codebook (ECB) mode. ECB is not advisable for video conferencing: each block is encrypted independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the video remain visible in the encrypted stream.
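To make the ECB weakness concrete, the following Go functions are an added example, not Zoom's code: they encrypt the same repetitive "frame" (a constructed plaintext standing in for a static video background) with AES-ECB and with AES-GCM, an authenticated mode, and count how many distinct ciphertext blocks come out. The key and nonce are constructed for the demonstration; in GCM a nonce must never be reused under the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// encryptECB runs raw AES over each 16-byte block on its own. This is ECB:
// equal plaintext blocks always give equal ciphertext blocks.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext must be a multiple of 16 bytes")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// encryptGCM uses AES-GCM, an authenticated mode; the nonce must never repeat
// under one key. Output is ciphertext followed by a 16-byte authentication tag.
func encryptGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, fmt.Errorf("gcm setup: %w", err)
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// distinctBlocks counts the different 16-byte blocks in data: a crude
// measure of how much plaintext structure survives encryption.
func distinctBlocks(data []byte) int {
	seen := make(map[string]struct{})
	for i := 0; i+aes.BlockSize <= len(data); i += aes.BlockSize {
		seen[string(data[i:i+aes.BlockSize])] = struct{}{}
	}
	return len(seen)
}
```

For a frame made of 64 copies of one 16-byte block, ECB yields a single distinct ciphertext block (the repetition is fully visible), while the GCM ciphertext has 64 distinct blocks.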
However, the biggest concern with Zoom is the fact that its servers are located in China, and China can impose surveillance and compel Zoom to share the personal data of its users. This is the reason governments around the world are banning Zoom for their employees and advising citizens to stay away from the app.
Zoom's biggest rivals are coming for the kill.
Zoom has been in the news for both its successes and its nightmares. This has prompted tech giants to capitalize on this massive opportunity, and they are investing heavily in this space. Let us explore the major ones below:
Facebook recently expanded the video conferencing features of its various apps. These include Facebook Messenger, which now allows as many as 50 people on group video calls, WhatsApp video calls for up to 8 people, and Facebook Dating, which can now support up to 8 people on video calls. This clearly shows a strong intent on Facebook's part to capitalize on the lucrative video conferencing market.
Google has now made its video chat app, Meet available on Gmail. This is clearly to expand its video conferencing users by tapping into its enormous Gmail user base.
Cisco is busy promoting its Webex teleconferencing service as a superior and secure alternative to Zoom. Cisco understands that security is its USP, and smart marketing can lure many of Zoom's customers to its platform.
Verizon, which also owns Yahoo, recently bought BlueJeans Network, a video conferencing service. It isn't far-fetched to think of Verizon offering an integration between Yahoo and BlueJeans.
Earlier in the blog, we reported that Zoom has seen a 740 percent increase in its user base in just one month. Facebook, Google and others want a piece of that success, and they are refining their offerings to gain greater market share.
In spite of its flaws, Zoom isn't the worst of apps, and it has been humble enough to accept its shortcomings and release appropriate fixes for those numerous issues. However, as users, we have every right to demand better transparency, encryption and security from Zoom. In the coming days, we can expect Zoom to evolve and offer its large user base better services and features. If it doesn't evolve, it will soon be annihilated by its rivals.