A semi technical explainer of all known Zoom issues

(or Zoom choices are what got them in trouble)

(opinions are mine and not DEV's)

A (mild) defense of Zoom Inc.'s troubles

Let me start by quoting Citizenlab's report:

For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.

For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS.

Unfortunately a few hours later, on the same day, the web client was put under maintenance and thus disabled for the time being, hopefully not for long. update: the web client has been restored, multiple sources confirmed. Please enable join from your browser as a default setting.

Zoom probably didn't anticipate going from 0 to 100 (actually + 1126% of increased usage according to some estimates) in the span of a few weeks and the fact that their network hasn't melted down and rendered all calls impossible to make is a testament to the quality of the underlying technology.

As we all can imagine there are challenges in scaling that big that fast, but most of the problems that have been identified up until now don't really have much to do with scalability or reliability per se, but with questionable software design choices and bad privacy or marketing decisions made by the company.

To be fair, sometimes shortcuts seem a great idea when you're in the heat of the moment and have a booming product, but the more people use it, the higher the likelihood that these shortcuts will come back to haunt it. Also, Zoom devs are humans and like all humans, sometimes they just make bad decisions without malice. What worries me is how the company management, also entirely human AFAIK 😃, decided to handle the response, more on that later.

Last but not least: the media piled up on them quite extensively and some security flaws (except maybe "zoombombing") aren't an inherent problem for those meetings that would otherwise be held in public if we weren't quarantined even though the extent of the problem with user generated content is that its severity differs case by case and here there would be millions of cases (each Zoom call) to analyze.

Zoom is used by everyone: individuals, institutions, therapists, teachers, doctors, religious and secular organizations, goverment officials and even heads of state.

Zoom, as of April 1st 2020, halted all feature development and vowed to fix privacy and security issues over the following 90 days.

What went wrong is also a cautionary tale about the importance of implementing secure practices and caring about users privacy from day one because at the scale they are now it's quite understandable they are trying to put out fires left and right.

What is or was wrong it with

TLDR; Zoom has numerous known security holes. Some of those have since been fixed, some haven't.

The company also made (and in some cases, still makes) questionable decisions related to privacy.

(I'm going to use the past tense where I reasonably verified the issue has been fixed)

1. Zoom has a security issue in its "waiting room" feature. The issue is currently unknown as the security researchers correctly disclosed it only to Zoom Inc. granting them time to get it fixed lest it gets in the hands of malicious actors. Security researchers are advising people to use passwords and not the waiting room feature.

2. Recordings are easily findable on the web: Zoom saves recordings with a guessable name pattern, thus it's quite trivial to find them if they are uploaded to the open web. Search engines are literally built to find public data on the web. Again, "security through obscurity" is not a good practice if the content is sensible, and it was: the Washington Post was able to watch other people's therapy sessions and elementary school online classes by scanning the web (!!!!!).

3. The ID of a meeting room is numeric, which means that people can guess it (manually or with scripts) and thus, being openness the default, people can hijack meetings, thus "zoombombing". The meeting ID has 9 to 11 digits, not even "obscured". Security researchers did actually find meetings and with scripts had up to 14% of a success rate guessing correct meetings URLs.

4. Recurring Zoom meetings links can be found: they also contain info of the meeting organizer and whatever info the organizers disclosed as topic or description. Security researchers found meetings of large banks, government contractors and other companies.

5. Screensharing by any participant is on by default, which means that people can stream whatever they want without oversight. Very handy for private and regulated meetings, not great if meetings rooms are open by default.

6. File transfer is on by default: don't think this needs explaining in an app where a meeting is public. You can literally send to dozens or hundreds of people malware hoping at least one of them will click on it.

7. The app has too many settings: I went through the configuration panel on both the app and the web version (before it was disabled) and I didn't understand half of the options and got bored after a few minutes (minutes!!!). As we all know as creators of sofware the default matters (most users don't even look at apps settings), and by default you should respect the user's privacy and be secure, otherwise hell can break loose when enough people come knocking with the receipts.

8. The company lied about being end to end encrypted, that's it. They said they use end to end encryption (e2e) but they don't. They also own decryption keys for what is encrypted on the wire, which is definitely not *end to end encryption. *FYI: true end to end encryption means that only the participants in a communication exchange can actually see the data in the clear. Not the company providing the service, not any goverment, not anyone except who's invited.

9. Zoom uses weakish encryption: even though the service is not e2e encrypted, calls don't travel in the clear on the transport network. They are encrypted using a central encrypting server which holds the keys. The issue is that they use a single AES 128 bit key in ECB mode which is definitely deprecated and has security holes. Security researchers were able to decrypt video and audio frames from "encrypted" calls.

10. Zoom encryption and security protocols are not independently audited, which means that they most certainly contain flaws. We all know how hard is to pull off encryption done correctly, I can't imagine how hard it is to do it with video, audio, text and generic media. "Roll your own encryption" is 99.99% of the time a bad idea, it's monumentally bad in this instance. As Bruce Scheiner wrote:

I'm okay with AES-128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.

1. Zoom encryption keys are occasionally on servers under the jurisdiction of the Chinese goverment: under Chinese law the goverment of China can require companies to disclose their encryption keys and tools for oversight. This has happened also if all participants were outside the country. Likely a data routing problem (Zoom tries to keep calls local to the participants) but not reassuring nonetheless. Also makes me thing of sci fi scenario in which governments or attackers decrypt all of these calls and use facial recognition to create mass surveillance tools. 👀

2. The company sent data to Facebook unbeknownst to users: this is probably quite common in apps that embed the Facebook SDK without tweaking it (and it only applied to the iOS app which might mean it was truly unintentional), but it's not great anyway. Facebook already knows a lot about users (both those using it and those who don't). It has been fixed since discovery.

3. Zoom's privacy policy was all encompassing. Basically it stated that all personal data (including recordings, chats and uploaded files) could be shared with third parties. It has been since amended.

4. Zoom allowed hosts to monitor participant's attention. This is 1984-the-book kind of stuff 😱. It was removed since discovery, on April 1st.

5. The app bypassed the usual installation process. This was probably done to be friendler to the user in the very common scenario in which a user gets a link, doesn't have the app on their computer and wants to be in the videocall as fast as possible. It's exactly what malware does. It has been fixed since the discovery.

6. Zoom shares your contact info to everyone within certain email domains. What happened was that thousands of users whose emails belonged to a Dutch email provider where pooled together and their personal info shared with each other.

7. The app let Windows users click on anything resembling a link. Basically you could automatically open a file on a shared drive sending your network credentials to an attacker. It has been fixed.

8. Zoom sent your contact data to Linkedin. In some situations, if they could match you to a Linkedin Profile somehow, they did, without telling you and sharing your Linkedin data to other people. This feature has since been removed on April 1st.

9. 0 day vulnerabilities leading to hardware take over were discovered. The likelihood of those happening was very low (the vulnerability window span the length of the installation process and just that). Fixed as well on April 1st.

10. Records of private messages with the host are available in the export. This is not a huge problem in theory as the export doesn't contain private messages between other participants than those with the host.

11. Zoom tracks lots of data about its users and has many third party trackers on its website. This to me feels like a very intentional choice. Part of those were amended when the new privacy policy was published the other day.

What has happened in the "aftermath"

So far:

1. Privacy and advocacy groups started to notice
2. Class actions are starting to mount
3. The US government and the FBI have started to notice 👀
4. NASA, SpaceX, Disney and other companies moved away from Zoom
5. New York City has banned Zoom from its schools

Conclusions

I'm sure you've noticed how this article doesn't talk at all about alternatives. The question of alternatives really depends on what the users requirements are and if the entire globe is your users, then it's hard to evaluate on the spot. It also takes a lot of time to evaluate all options and I think it'll take a few days before deeply researched articles about pros and cons of the alternatives start to appear. You also need a group of people distributed all over the world for thorough testing of each app.

Let's also not forget that we mostly felt okay with Zoom until tens of millions of people started using it overnight and it got on experts's radars. Alternatives might be just as flawed, simply less popular right now.

Trust in the company is important so I do understand why regular people are rushing to find alternatives.

I'm also not a tech columnist nor a security expert, so I can't claim "X is better than Zoom for everything and for everyone".

I'll see if I can find a reasonably well done comparison of alternatives in the next few days with what I think should be generic requirements: great video and audio call performance, secure by default with indipendently reviewed encryption and protocols, and absolutely no adtech on all of this sensible data (which wouldn't be possible anyway if they had e2e, though technically you can still sell metadata about users...).

Echoing other people's sentiments I read online: Apple is sitting on a gold mine if they open Facetime, get it audited and make sure their e2e encryption has no "backdoors".

I'm leaving last a long list of links, with some excerpts, which is what I've read to write this summary.

Media (and other sources) coverage (in chronological order)

Although there are past issues (like the "open web server" debacle from 2019), I've focused only on recent media coverage from March-April 2020.

1. 20200317 - (Techcrunch) - Beware of ‘ZoomBombing’: screensharing filth to video calls

2. 20200326 - (Motherboard, Vice) - Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account

3. 20200330 - (Doc Searls, digital privacy expert) - Zoom’s new privacy policy:

There will be no need for Zoom to disambiguate services and websites if neither is involved with adtech at all. And Zoom will be in a much better position to trumpet their commitment to privacy.

That said, this privacy policy rewrite is a big help. So thank you, Zoom, for listening.

1. 20200331 - (Motherboard, Vice) - Zoom Faces Class Action Lawsuit for Sharing Data with Facebook

2. 20200401 - (Motherboard, Vice) - Zoom is Leaking Peoples' Email Addresses and Photos to Strangers:

"I was shocked by this! I subscribed (with an alias, fortunately) and I saw 995 people unknown to me with their names, images and mail addresses."

"I just had a look at the free for private use version of Zoom and registered with my private email. I now got 1000 names, email addresses and even pictures of people in the company Directory. Is this intentional?"

1. 20200401 - (webrtcH4cKS, WebRTC technologists) - Does your video call have End-to-End Encryption? Probably not...:

So yes, Zoom does not have end-to-end encryption. Quite often, WebRTC doesn’t either – not yet at least. If you are using a WebRTC service check their terms of service and privacy policy and make sure that you understand what they are saying about this. Hopefully we will see this change soon as WebRTC Insertable Streams matures.

1. 20200402 - (Fight for the future, digital rights group) - New campaign calls for Zoom to (actually) implement end to end encryption to keep people safe:

Digital rights group Fight for the Future, known for organizing massive online protests for net neutrality and Internet privacy, has launched a new campaign calling for video conferencing service Zoom to implement default end-to-end encryption on all video, audio, and chat content.

1. 20200402 - (Steven Bellovin, security researcher and professor) - Zoom Security: The Good, the Bad, and the Business Model:

There is, though, a class of problems that worries me: security shortcuts in the name of convenience or usability. Consider the first widely known flaw in Zoom: a design decision that allowed “any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission.” Why did it work that way? It was intended as a feature

I'm optimistic that things are heading in the right direction. Still, it's the shortcuts that worry me the most. Those aren't just problems that they can fix, they make me fear for the attitudes of the development team towards security. I'm not convinced that they get it—and that's bad. Fixing that is going to require a CISO office with real power, as well as enough education to make sure that the CISO doesn't have to exercise that power very often. They also need a privacy officer, again with real power; many of their older design decisions seriously impact privacy.

1. 20200402 - (Krebs on Security, security expert) - ‘War Dialing’ Tool Exposes Zoom’s Password Problems:

according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

1. 20200402 - (Reuters) - Elon Musk's SpaceX bans Zoom over privacy concerns -memo:

In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.

1. 20200403 - (NYTimes) - ‘Zoombombing’ Becomes a Dangerous Organized Effort:

Zoom raiders often employ shocking imagery, racial epithets and profanity to derail video conferences.

Harassers have begun to leverage every feature of Zoom’s platform for abuse. They have used the app’s custom background feature to project a GIF of a person drinking to participants in an Alcoholics Anonymous meeting, and its annotation feature to write racist messages in a meeting of the American Jewish Committee in Paris.

The frequency and reach of the incidents on Zoom prompted the F.B.I. to issue a warning on Tuesday, singling out the app

1. 20200403 - (TidBITS) - Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself:

As detailed as this article is, I fear that this list of problems and choices will be far from the last we hear about Zoom’s security and privacy troubles. In fact, while writing and editing this article over the last 48 hours, we had to add six additional exploits, design-choice errors, and privacy concerns.

Zoom has gone into what’s known as “technical debt.” The company’s developers made a lot of poor decisions in the past, which are likely difficult and costly to fix. The longer it takes Zoom to address the core problems, the harder and more costly future fixes will be, as additional code is built upon that weak foundation.

1. 20200403 - (Washington Post) - Thousands of Zoom video calls left exposed on open Web:

Videos viewed by The Washington Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary school classes, in which children’s faces, voices and personal details were exposed.

1. 20200403 - (Citizenlab) - Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings:

Until a few weeks ago, it would have been uncommon for high stakes business negotiations, high level diplomacy, political strategy conferences, and cabinet meetings to be conducted over platforms whose security properties are unknown.

Zoom has not publicly disclosed information such as statistics of requests for data by governments, and what Zoom has done in response to these requests. Zoom’s policies concerning notifications to users over breaches or the handing-over of data to governments are also unknown

During our analysis, we also identified a security issue with Zoom’s Waiting Room feature. Assessing that the issue presented a risk to users, we have initiated a responsible vulnerability disclosure process with Zoom. We are not currently providing public information about the issue to prevent it from being abused.

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality

For those who have no choice but to use Zoom, including in contexts where secrets may be shared, we speculate that the browser plugin may have some marginally better security properties, as data transmission occurs over TLS.

In the meantime, we advise Zoom users who desire confidentiality to not use Zoom Waiting Rooms. Instead, we encourage users to use Zoom’s password feature, which appears to offer a higher level of confidentiality than waiting rooms

1. 20200403 - (Politico) - Multiple state AGs looking into Zoom’s privacy practices

2. 20200403 - (Bruce Scheiner, legendary security researcher) - Security and Privacy Implications of Zoom:

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

I'm sure lots more of these bad security decisions, sloppy coding mistakes, and random software vulnerabilities are coming.

But it gets worse. Zoom's encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn't. It only provides link encryption, which means everything is unencrypted on the company's servers.

1. 20200404 - (Steven Bellovin, security researcher and professor) - Zoom Cryptography and Authentication Problems:

When companies roll their own crypto, I expect it to have flaws. I don't expect those flaws to be errors I'd find unacceptable in an introductory undergraduate class, but that's what happened here.

1. 20200404 - (Chalkbeat, organization related to American schools) - NYC forbids schools from using Zoom for remote learning due to privacy and security concerns:

Instead, the guidance says, schools should switch to Microsoft Teams “as soon as possible,” which the education department suggests has similar functionality and is more secure.

1. 20200404 - (Techcrunch) - Zoom admits some calls were routed through China by mistake:

Zoom said in February that “rapidly added capacity” to its Chinese regions to handle demand was also put on an international whitelist of backup data centers, which meant non-Chinese users were in some cases connected to Chinese servers when data centers in other regions were unavailable.

1. 20200410 - (The Verge) - Google bans its employees from using Zoom over security concerns:

“Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees. Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”

1. 20200412 - (NY Times) - Bob Iger Thought He Was Leaving on Top. Now, He’s Fighting for Disney’s Life.:

After a few weeks of letting Mr. Chapek take charge, Mr. Iger smoothly reasserted control, BlueJeans video call by BlueJeans video call. (Disney does not use Zoom for its meetings for security reasons.)