Cyber criminals are targeting users of popular video conferencing application Zoom as millions of office workers turn to collaboration tools to keep in touch with each other during the COVID-19 coronavirus pandemic.
A team at The Citizen Lab found that Zoom was using a non-standard type of encryption and was transmitting meeting data through China, even when every participant in a meeting was outside China, and that the app was also sending user data to Facebook.
Ex-NSA (National Security Agency) hacker Patrick Wardle identified a series of issues, including a flaw which left Mac users vulnerable to having webcams and microphones hijacked.
“Zoom has made the classic mistake of designing and implementing their own encryption scheme, rather than using one of the existing standards for encrypting voice and video content,” said Bill Marczak, a Research Fellow at The Citizen Lab. The Citizen Lab has presented compelling evidence that it is possible to capture all the data of a video meeting and then partially unscramble it to find out, roughly, what was said and what was shown.
In some places, Zoom tells users that it uses “end-to-end” encryption, the gold standard for secure messaging, which makes it impossible for the service, or any other middleman, to access the data. In its documentation, Zoom has said it uses a type of encryption called AES-256. But the researchers said this is not true.
Instead, Zoom has “rolled their own” encryption, using a variant of AES-128, which uses a 128-bit key to encrypt and decrypt blocks of data. By comparison, Microsoft has steadily increased the strength of Office's document encryption since Office 2013 (the documents remain backward compatible with earlier versions of Microsoft Office), and Office now supports AES-256.
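As an added illustration (not code from this page or from The Citizen Lab), the Go program below shows why a home-grown scheme can leak “roughly what was seen”: Citizen Lab's report identified Zoom's mode as AES-128 in ECB mode, a detail the text above does not spell out, and under ECB identical plaintext blocks encrypt to identical ciphertext blocks, so the outline of a mostly flat image survives encryption. The key and the sample “frame” are constructed for the demonstration, and the comparison uses the standard AES-GCM mode from Go's own library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Key is a constructed 16-byte key; 16 bytes selects AES-128, the key length named above.
var Key = bytes.Repeat([]byte{0x42}, 16)
var Block, _ = aes.NewCipher(Key) // cannot fail for a 16-byte key

// SampleFrame is a constructed 16x16-byte "video frame": a flat background with two differing rows.
func SampleFrame() []byte {
	frame := bytes.Repeat([]byte{0x80}, 16*16)
	copy(frame[5*16:7*16], bytes.Repeat([]byte{0x10, 0xf0}, 16))
	return frame
}

// DistinctBlocks counts unique 16-byte blocks; a low count on ciphertext means
// equal plaintext blocks are still visible through the encryption.
func DistinctBlocks(buf []byte) int {
	seen := map[[16]byte]bool{}
	for i := 0; i+16 <= len(buf); i += 16 {
		var b [16]byte
		copy(b[:], buf[i:i+16])
		seen[b] = true
	}
	return len(seen)
}

// EncryptECB runs the raw AES block function over each block independently (Go's standard library deliberately offers no ECB helper; this is all ECB is).
func EncryptECB(block cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i+16 <= len(pt); i += 16 {
		block.Encrypt(ct[i:i+16], pt[i:i+16])
	}
	return ct
}

// EncryptGCM uses standard AES-GCM with a fresh random nonce, so repeated plaintext blocks never repeat in the output; returns nonce || ciphertext || tag.
func EncryptGCM(block cipher.Block, pt []byte) []byte {
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, nil)
}
```

On the constructed frame, `DistinctBlocks` reports 2 for the plaintext and 2 for the ECB ciphertext (the image structure leaks), but every block of the GCM output is distinct.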
The researchers said the findings are most concerning for:
– Governments and businesses worried about espionage
– Healthcare providers handling sensitive patient information
– Activists, lawyers and journalists working on sensitive topics
But for people using Zoom for contacting friends, holding social events or organising courses or lectures, the findings should not necessarily be concerning.
Given that 90% of cyber attacks start with a phishing campaign, much of the guidance boils down to basic security hygiene: being cautious with emails and files from unknown senders, never opening unexpected attachments or links in emails that claim to be Zoom links, watching for the spelling errors in URLs and emails that are usually a giveaway, and being suspicious of anything unexpected.
However, it would take a huge amount of time and effort for an attacker to achieve this kind of decryption, and it simply would not be worth the effort for an average work huddle or a friendly pub quiz held on the service. It is the high-level talks at company board level, or in government, that would be targeted.
“I don’t believe this is something that Zoom can just add to their list of jobs to do in the next 90 days. It’s possible, but this requires a re-engineering of the way they encrypt their calls, so it’s a major undertaking.” Prof Woodward added: “I would not use Zoom for any sensitive or secret discussions.”
Zoom is to pause the development of any new features to concentrate on safety and privacy issues, in the wake of criticism from users of the app. Eric Yuan, Zoom's founder, admitted that despite “working around the clock” to support the influx of new users, the service had “fallen short of the community's – and our own – privacy and security expectations”.
The huge uptake of Zoom has created the new phenomenon of ‘zoombombing’, in which uninvited guests join video conferences, usually to shout abuse, share pornography or make racist remarks. The mischief-makers find the details of meetings either via links that have been shared publicly on social media platforms or websites or, in some cases, by simply guessing the nine-digit meeting ID. Such attacks are reasonably easy to prevent by password-protecting meetings and not allowing anyone other than the host to screen-share.