UPDATE: This article has been updated.
Video conferencing, whether for business or personal use, has seen a massive increase in popularity since the outbreak of the Coronavirus. Organisations across the world have asked their employees to work from home and to hold their meetings remotely using one of the many popular conferencing Apps.
However, a recent report has shone a light on the privacy and security risks these Apps pose to businesses. The latest, Zoom, has hit the headlines due to its lack of security and privacy protocols, which has created the potential for thousands of data breaches affecting companies and individuals alike.
So what is the problem with Zoom? Unfortunately, there is more than one issue:
Data to Facebook
Firstly, it was discovered, and then reported by Motherboard, that Zoom was sending data to Facebook. Not only was the data being sent when the user was not logged in to Facebook; unbelievably, it was being sent even if the Zoom user did not have a Facebook account at all.
Add to this that users could not opt out of the data transmission and that the practice was not listed in Zoom’s privacy terms, and it is clear that Zoom was a potentially hazardous App to use.
Although Zoom has now, thankfully, stopped this flow of data to Facebook, it is not the only issue.
It is well known in the mobile security and privacy arena that end-to-end encryption is one of the most secure methods of preventing data leaks and thwarting hackers. A recent report into Zoom shows that it does not use end-to-end encryption as most experts would recognise it.
Instead it uses “transport” encryption, which protects only the connection between the device being used and Zoom’s server. The content is therefore readable at the server, which means, in theory, that a video call could be monitored and its content decrypted.
Zoom has released a statement saying that, even if this is theoretically possible, it has not built the means by which it could be achieved. The company has also pledged to develop its system further to include end-to-end encryption.
Despite this pledge, some are sceptical that it can be achieved easily, especially within the 90-day timeframe Zoom has committed to, because the system is thought to require a major redesign rather than a simple patch.
Some experts, for example Professor Alan Woodward of the University of Surrey, have gone as far as saying they would not use Zoom if they were discussing information that was either sensitive or secret.
The Citizen Lab report into the security and privacy risks posed by Zoom also mentions China’s involvement as a potential problem, especially for large businesses and governments.
It was discovered that communication traffic had been routed through China, despite the fact that all of the people in the video meetings were outside China at the time.
The report additionally found evidence that, during these calls from North America, the encryption and decryption keys were transmitted to servers located in Beijing.
Although Zoom’s HQ is in North America, the company maintains a significant presence in China of approximately 700 employees, mainly working on App development.
The report went on to say that, given these potential threats to the security and privacy of communication, Zoom may not be suitable for use by:
- Health Care Organisations
- Businesses concerned about Intellectual Property Espionage
User Grouping Leaking Data and More
In addition to the Facebook issue published by Motherboard, further data privacy issues for Zoom subscribers have been reported. It was discovered that Zoom has created a “Company Directory” setting.
This setting automatically adds other users who share the same email domain to your Company Directory list. It is intended to make life easier for people working in the same business who do not want to spend time manually adding colleagues to their contacts list.
The App is supposed to ignore public domains such as Gmail and Yahoo.
However, users have reported being grouped together with thousands of other users unknown to them. Worse, the directory lists each stranger’s name, email address and uploaded profile image, and then allows calls and video chats between complete strangers.
Zoom does state that there is an option to opt out of this setting; however, the problem appears to be that not many users are aware of it.
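To make the design flaw behind the Company Directory reports concrete, here is an added illustration (not Zoom’s code) of two ways to build such a directory from email domains. The first mirrors the behaviour described above: group everyone sharing a domain unless the domain is on a denylist of public providers. The second only groups domains an administrator has explicitly verified. The users, domains and the denylist below are all constructed for this example.

```python
"""Automatic "company directory" grouping by email domain: denylist vs allowlist.

Added illustration, not Zoom's code. directory_by_denylist() mirrors the
behaviour described above: everyone sharing a domain is grouped unless the
domain is on a list of known public providers. directory_by_allowlist() only
groups domains that an organisation's administrator has verified, so an
unlisted shared domain (a small ISP, a school, a hosting provider) can never
put strangers into each other's contact lists. All users and domains below
are constructed for this example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

User = Tuple[str, str]  # (email address, display name)

# Any denylist of "public" domains is necessarily incomplete.
PUBLIC_DOMAINS: Set[str] = {"gmail.com", "yahoo.com", "outlook.com"}

# Constructed sample users. Erin and Frank are unrelated customers of the same
# small ISP; its domain is not on the public-domain list.
USERS: List[User] = [
    ("alice@acme-corp.example", "Alice"),
    ("bob@acme-corp.example", "Bob"),
    ("carol@gmail.com", "Carol"),
    ("dan@gmail.com", "Dan"),
    ("erin@smallisp.example", "Erin"),
    ("frank@smallisp.example", "Frank"),
]


def domain_of(email: str) -> str:
    """Return the (lower-cased) domain part of an email address."""
    return email.rsplit("@", 1)[1].lower()


def directory_by_denylist(users: Iterable[User],
                          public_domains: Set[str] = PUBLIC_DOMAINS) -> Dict[str, List[User]]:
    """Group every user by domain except those on the public-domain denylist."""
    groups: Dict[str, List[User]] = defaultdict(list)
    for email, name in users:
        dom = domain_of(email)
        if dom in public_domains:
            continue
        groups[dom].append((email, name))
    return dict(groups)


def directory_by_allowlist(users: Iterable[User],
                           verified_domains: Set[str]) -> Dict[str, List[User]]:
    """Group users only for domains an administrator has explicitly verified."""
    groups: Dict[str, List[User]] = defaultdict(list)
    for email, name in users:
        dom = domain_of(email)
        if dom in verified_domains:
            groups[dom].append((email, name))
    return dict(groups)


def visible_contacts(groups: Dict[str, List[User]], email: str) -> List[User]:
    """Entries a given user would see in their auto-populated directory:
    every other member of their domain group (name and address exposed)."""
    return [u for u in groups.get(domain_of(email), []) if u[0] != email]


if __name__ == "__main__":
    erin = "erin@smallisp.example"
    print("denylist :", visible_contacts(directory_by_denylist(USERS), erin))
    print("allowlist:", visible_contacts(directory_by_allowlist(USERS, {"acme-corp.example"}), erin))
```

Under the denylist design Erin’s directory shows Frank, a complete stranger, because the ISP’s domain was never listed as public; under the allowlist design it shows nobody, while Acme’s verified domain still groups Alice and Bob as intended. The general point is that a denylist must anticipate every shared domain in the world to be safe, whereas an allowlist only has to name the organisations that asked for the feature.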
Who else is there?
It appears that Zoom is not the only communication App with privacy problems. According to an article published in New Zealand, the video chat App Houseparty also has issues.
It has been alleged that the Houseparty App collects data from its users that allows it to track various aspects of their use. These include:
- User location
- Who is being contacted
- Frequency of contact
Houseparty disputes these claims vigorously and is offering a reward to anyone who can provide evidence for its theory that these are rumours being spread to cause it damage.
So now what?
With the need to work from home becoming a more important factor for every organisation, it seems that, currently, organisations wishing to protect their sensitive information will be safer not using these video conferencing Apps.
Stick to end-to-end encrypted communication only, over trusted and verified networks.
Zoom – Data Breach Update
The earlier reports of a significant data breach at Zoom now appear to be the result of previous hacks elsewhere, which have been used to exploit the popularity of Zoom. The App does not appear to be the original source of the data.
It has been discovered that hackers attempted what is known as a “credential stuffing attack”, in which the hacker tries logging in to Zoom using username and password combinations obtained from previous data breaches.
All successful login details are then collated into manageable lists which are sold on via the Dark Web or hacker forums. In some instances the information is given away for free in order to enhance the hacker’s reputation amongst their peers.
The account details that have been collated and sold on these lists include:
- Host keys
- Individual meeting URLs
- Email addresses
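From the defender’s side, a credential-stuffing attack of the kind described above has a recognisable signature in authentication logs: one source address attempting many different accounts in a short time, most of them failing. The following added example (not Zoom’s code) runs that check over a constructed log and reports, for each flagged source, the accounts that were successfully logged into and therefore need a forced password reset. The log format, addresses and account names are all constructed.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added illustration, not Zoom's code. As described above, credential stuffing
replays username/password pairs taken from other breaches against a login
page. Its signature in a log is therefore one source address attempting many
DIFFERENT accounts in a short time, mostly failing; the few successes are the
accounts that need a forced password reset. The log format and all entries
below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple

# Constructed sample log: timestamp, source IP, username, result.
# 203.0.113.7 cycles through eight different accounts in four seconds;
# 198.51.100.2 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2020-04-01T09:00:01 203.0.113.7 alice@example.org FAIL
2020-04-01T09:00:02 203.0.113.7 bob@example.org FAIL
2020-04-01T09:00:02 203.0.113.7 carol@example.org OK
2020-04-01T09:00:03 203.0.113.7 dave@example.org FAIL
2020-04-01T09:00:03 203.0.113.7 erin@example.org FAIL
2020-04-01T09:00:04 203.0.113.7 frank@example.org FAIL
2020-04-01T09:00:04 203.0.113.7 grace@example.org FAIL
2020-04-01T09:00:05 203.0.113.7 heidi@example.org OK
2020-04-01T09:05:00 198.51.100.2 alice@example.org FAIL
2020-04-01T09:05:10 198.51.100.2 alice@example.org FAIL
2020-04-01T09:05:20 198.51.100.2 alice@example.org OK
"""


class AuthEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed space-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events: List[AuthEvent],
                          window: timedelta = timedelta(minutes=5),
                          min_distinct_users: int = 5,
                          min_fail_ratio: float = 0.5) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, tried at least
    `min_distinct_users` different accounts with a failure ratio of at least
    `min_fail_ratio`. Returns per-IP stats plus the accounts that were
    successfully logged into from that source."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        recent: Deque[AuthEvent] = deque()
        for ev in evs:
            recent.append(ev)
            while ev.ts - recent[0].ts > window:   # drop events outside the window
                recent.popleft()
            users = {e.user for e in recent}
            fails = sum(1 for e in recent if not e.ok)
            if len(users) >= min_distinct_users and fails / len(recent) >= min_fail_ratio:
                f = findings.setdefault(ip, {"distinct_users": 0, "attempts": 0, "compromised": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["attempts"] = max(f["attempts"], len(recent))
                f["compromised"].update(e.user for e in recent if e.ok)

    for f in findings.values():
        f["compromised"] = sorted(f["compromised"])
    return findings


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats['distinct_users']} accounts tried, "
              f"{stats['attempts']} attempts, reset needed for {stats['compromised']}")
```

The distinct-account threshold is what separates stuffing from an ordinary user retrying their own password: 198.51.100.2 fails twice and then succeeds on a single account and is not flagged, while 203.0.113.7 touches eight accounts and is. The thresholds are starting points to tune against real traffic, and the same check can be run per subnet or per user-agent when attackers spread their attempts across addresses.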
What Mobile Privacy and Security lessons can be learnt?
It is clear that, once again, lessons can be learnt to help improve people’s online security and privacy. The lesson from this case is that everyone should use a different password for every application. This means that, if one data source has been compromised by hackers, other applications are much less likely to be affected.