Your Zoom meeting is not secure

How would you feel if you knew that your conference call with your colleagues, or the important quarterly finance meeting, was being listened to by hackers who can hear every word you speak and observe every gesture? Scary, right? The folks at Check Point Research (CPR) decided to test how well Zoom prevents outsiders from joining private meetings that have been left open.

Every Zoom meeting has a meeting ID that is 9 to 11 digits long. This is too small relative to the number of meetings conducted. Zoom’s use of 9 digits allows the algorithm to generate 900 million possible IDs; using 11 digits gave a possibility of generating 90 million probable IDs. Since Zoom creates millions of IDs every day, hackers could run algorithms that generate similar IDs. The concern came to light when CPR generated a string of random numbers and found that 4% of them matched actual meeting IDs. Zoom tackled the issue by making password authentication mandatory for free accounts, and a password is now almost always required to join a meeting.

Attention tracking

Zoom allows the host of a meeting to identify participants whose attention seems to waver for more than 30 seconds. If you switch to another app, Zoom lets the host know that you are looking at something else, which is a serious intrusion on your privacy. Although teachers could argue that this is a blessing for disciplining students, the overall ‘Big Brother’ vibe remains when using the app.

Zoom-bombing

In the recent past, there have been cases where random strangers or hackers joined ongoing Zoom meetings and disrupted them, either by shouting profanities or by broadcasting obscene pornographic content, often in meetings attended by a large number of participants. The problem grew and was brought to the FBI’s notice when such incidents, called Zoom-bombings, started to disrupt school and university lectures. Security analysts have warned that Zoom-bombings give hackers opportunities to steal private information from video chats between coworkers. This is because Zoom does not, by default, restrict screen-share access to the host, so any participant can share their screen. This can be resolved by disabling it in the settings. If you are sharing meeting links on public platforms, you must change the screen sharing option to ‘host only,’ without fail.

What can be done?

TechCrunch gives the following tips to avoid getting Zoom-bombed.

  • Disable ‘Join Before Host’ so people can’t cause trouble before you arrive.
  • Enable ‘Co-Host’ so you can assign others to help moderate.
  • Disable ‘File Transfer’ so there’s no digital virus sharing.
  • Disable ‘Allow Removed Participants to Rejoin’ so attendees who have been thrown out can’t come back in.
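The tips above, together with the ‘host only’ screen-sharing and mandatory-password points made earlier, amount to a short hardening checklist. The following script is an added example (not Zoom’s own code, and not Zoom’s real API) that audits a meeting’s settings against that checklist and produces a hardened copy. The setting names (`join_before_host`, `co_host_enabled`, `file_transfer`, `allow_removed_to_rejoin`, `screen_share`, `password_required`) and the sample meeting are assumed for illustration only.

```python
# Added example: audit a meeting's settings against the anti-Zoom-bombing
# tips from the article. Setting names are ASSUMED for illustration and are
# not claimed to match Zoom's actual API fields.
from dataclasses import dataclass
from typing import Any, Dict, List

# Each rule: (setting key, expected hardened value, why it matters)
HARDENING_RULES = [
    ("join_before_host", False,
     "attendees could cause trouble before a moderator is present"),
    ("co_host_enabled", True,
     "the host needs helpers to moderate a large meeting"),
    ("file_transfer", False,
     "in-meeting file transfer lets anyone push a malicious file to the room"),
    ("allow_removed_to_rejoin", False,
     "an ejected disruptor could simply rejoin"),
    ("screen_share", "host_only",
     "any participant could broadcast unwanted content"),
    ("password_required", True,
     "meeting IDs alone are guessable; a passcode is needed"),
]


@dataclass
class Finding:
    key: str
    current: Any
    expected: Any
    reason: str


def audit(settings: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per rule the settings fail.

    A missing key is treated as not hardened, so an incomplete settings
    export still surfaces the gap instead of silently passing.
    """
    findings = []
    for key, expected, reason in HARDENING_RULES:
        current = settings.get(key)
        if current != expected:
            findings.append(Finding(key, current, expected, reason))
    return findings


def harden(settings: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the settings with every rule's expected value applied."""
    fixed = dict(settings)
    for key, expected, _reason in HARDENING_RULES:
        fixed[key] = expected
    return fixed


# Constructed sample: a meeting created with permissive defaults (assumed values)
WEAK_MEETING = {
    "join_before_host": True,
    "co_host_enabled": False,
    "file_transfer": True,
    "allow_removed_to_rejoin": True,
    "screen_share": "all_participants",
    "password_required": False,
}


if __name__ == "__main__":
    for f in audit(WEAK_MEETING):
        print(f"{f.key}: is {f.current!r}, should be {f.expected!r} ({f.reason})")
    print("after hardening:", audit(harden(WEAK_MEETING)))
```

Running it on the constructed sample lists all six failures; after `harden()` the audit returns an empty list. In practice the same checks would be applied to whatever settings export your conferencing tool actually provides.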

The encryption conundrum

Zoom claims to offer end-to-end encryption (E2EE), one of the most powerful ways to protect one’s privacy. E2EE secures data at each and every endpoint, which could be a device or a piece of software; the endpoints hold encryption keys that are generated locally. What Zoom actually provides is link encryption, which means everything is unencrypted on the company’s servers. This leaves the system prone to a hacker attack, and if the government wants, Zoom can go ahead and hand over the minutes of the meeting on a platter. Well, your privacy be damned.

What’s worse, a Zoom spokesperson told The Intercept shortly after its report that it was not possible for the company to enable E2EE for Zoom video conferences. The company brazened it out, saying that in Zoom’s literature, ‘end-to-end’ stood for the connection being encrypted from Zoom endpoint to Zoom endpoint.

An apologetic blog post followed from Zoom explaining the end-to-end system it practised. Zoom, it seems, provides end-to-end encryption between participants using the Zoom native and web apps; data is transferred without being decrypted. However, if a video conferencing (VC) participant joined the meeting from a regular phone, the session was decrypted. Zoom addressed the issue in its blog, saying, ‘Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.’
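To make the distinction between link encryption and end-to-end encryption concrete, here is an added toy model (not Zoom’s code or protocol). In the link-encrypted path the relay server must decrypt each hop before re-encrypting for the next one, so it sees the plaintext; in the E2EE path the meeting key is generated at the endpoints and the server only forwards ciphertext it cannot read. The phone dial-in case from the paragraph above is modelled by a gateway, assumed here to be run by the service provider, that must hold the meeting key to render audio for a regular phone. The “cipher” is a SHA-256 counter-mode keystream used purely for illustration and is not a real cipher.

```python
# Added example: toy model of link encryption vs end-to-end encryption.
# The keystream construction below is for ILLUSTRATION ONLY, not real crypto.
import hashlib
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of toy keystream from key, nonce and a counter."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Relay:
    """The provider's server. `observed` records everything it could read."""

    def __init__(self):
        self.observed = []   # bytes the server handled in the clear (or not)
        self.link_keys = {}  # per-participant link keys (TLS-like, shared with server)

    def enrol(self, name: str) -> bytes:
        self.link_keys[name] = os.urandom(32)
        return self.link_keys[name]

    def relay_link_encrypted(self, sender: str, receiver: str, blob: bytes) -> bytes:
        # Hop 1 terminates at the server: it must decrypt to re-encrypt for hop 2.
        plaintext = toy_decrypt(self.link_keys[sender], blob)
        self.observed.append(plaintext)
        return toy_encrypt(self.link_keys[receiver], plaintext)

    def relay_e2ee(self, blob: bytes) -> bytes:
        # No meeting key here: the server forwards opaque bytes unchanged.
        self.observed.append(blob)
        return blob


def run_link_encryption(message: bytes):
    """Alice -> server -> Bob with per-hop keys. Returns (what Bob hears, server log)."""
    server = Relay()
    k_alice = server.enrol("alice")
    k_bob = server.enrol("bob")
    on_wire = toy_encrypt(k_alice, message)
    delivered = server.relay_link_encrypted("alice", "bob", on_wire)
    return toy_decrypt(k_bob, delivered), server.observed


def run_e2ee(message: bytes, phone_dialin: bool = False):
    """Alice -> server -> Bob with an endpoint-generated meeting key.

    With phone_dialin=True a provider-run gateway (assumption) holds the
    meeting key so it can produce plain audio for a regular phone, which
    reintroduces a clear-text point on the provider's side.
    """
    server = Relay()
    meeting_key = os.urandom(32)  # generated by the endpoints, never sent to server
    delivered = server.relay_e2ee(toy_encrypt(meeting_key, message))
    bob_hears = toy_decrypt(meeting_key, delivered)
    if phone_dialin:
        gateway_hears = toy_decrypt(meeting_key, delivered)
        server.observed.append(gateway_hears)
    return bob_hears, server.observed


if __name__ == "__main__":
    msg = b"quarterly numbers: revenue down 12%"
    print("link encryption, server saw:", run_link_encryption(msg)[1])
    print("e2ee, server saw:", run_e2ee(msg)[1])
    print("e2ee + phone dial-in, provider saw:", run_e2ee(msg, True)[1][-1])
```

In both modes Bob receives the message intact; the difference is entirely in the server’s log, which is exactly the point at which a compromise or a legal demand would bite.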

In Part 3 of this blog, we tell you about the risk posed to Zoom users as their data gets encrypted in China, posing a huge challenge for organizations involved in strategy planning, defense, and governance.