27 April 2020

The Zoom videoconferencing application, between accessibility and vulnerability

Liviu Ioniţă

Social and physical distancing measures have required the adoption of remote work. E-mail and virtual private networks (VPNs) did not prove to be enough; solutions for organizing virtual meetings and conferences were also needed: Microsoft Teams (a successor of Skype for Business), BlueJeans Meetings, GoToMeeting, ZohoMeeting, Cisco WebEx and others. For quite some time, Zoom Video Communications has led the field in online meetings for business and school, but also for sports and other ways of spending time in the virtual company of others. The explosive increase in Zoom’s popularity has also generated some security breaches. Currently, in the US and in other countries as well, there are bans on using the application, and media on the other side of the Atlantic say that “foreign spies are relying on America’s trust in the Zoom videoconference software”.


Bombing against the Zoom application

The videoconferencing software of the communication technology company Zoom Video Communications (Zoom), based in California and listed on the stock exchange in 2019, has seen increasing use since the lockdown measures prompted by the pandemic.

The company consolidated its status as a videoconferencing leader: in February 2020, Zoom recorded 12.92 million monthly active users, 21% higher than at the end of 2019.

According to the app analytics company SensorTower, first-time installations of the company’s mobile app increased by 1,126% in March, to 76 million, compared with 6.2 million recorded in February.

The Zoom software allows simple or group chat sessions and video meetings with more than 1,000 participants and up to 49 HD videos displayed simultaneously on the screen. However, back in 2019, a researcher claimed that there was a serious security flaw in Zoom, a zero-day vulnerability: a bug that persisted even after the software was uninstalled. Other problems were then discovered as well, such as the app sending personal data to Facebook, or user names and e-mail addresses to LinkedIn.

What drew the most attention, including the FBI’s, was a phenomenon called zoombombing, which happens when an unwanted participant joins an online meeting to cause disruption.

Initially started as a prank, this new type of trolling spread, and dozens of participants in videoconferences, children’s online classes, Alcoholics Anonymous meetings, church services and business meetings were interrupted by pornographic images or by racist or homophobic messages.

A New York Times analysis found 153 Instagram accounts, dozens of Twitter accounts and private chats, and many active messages on Reddit and 4chan, where thousands of users gathered to organize harassment campaigns on Zoom, sharing passwords and plans to cause chaos in private and public meetings.

On Instagram, a network of accounts with names like Zoomraid and Zoomattack gathered 30,000 followers in just one week, their owners posting Zoom meeting codes so that others could start Zoom raids during password-protected videoconferences, using shocking images, racial epithets and obscenities.

Zoombombing techniques were even refined: an engineer from Samsung, for example, attacked his colleague on Zoom with a version of Elon Musk generated by artificial intelligence.

Zoombombing became so popular that, at the end of March, the FBI issued a national warning about what was already a phenomenon, alerting users to the weak points in the security of Zoom video calls and warning hackers of the legal consequences they face for carrying out zoombombings.

Also, the New York attorney general, Letitia James, asked Zoom Video Communications for explanations of the security measures the company had taken to cope with the increased traffic and to detect hackers.

In the same period, an investigation by The Intercept revealed that Zoom does not provide end-to-end encryption, despite misleading marketing suggesting that it does, offering instead transport encryption (the Transport Layer Security cryptographic protocol).

The Intercept underlined that, without end-to-end encryption, Zoom has “the technical capacity to spy on video meetings and it would be forced to give the meeting recordings to governments or law enforcement, in response to legal demands”. While other companies, such as Google, Facebook and Microsoft, publish transparency reports describing how many government requests for user data they receive, from which countries, and how many of them are processed, Zoom does not publish such a report.

Another analysis, covering many other Zoom security issues, was produced in April 2020 by CitizenLab, an interdisciplinary research organization at the University of Toronto.

According to this analysis, Zoom’s ease of use, together with the pandemic measures and the company’s attractive marketing language on encryption and security, drove rapid user growth and “attracted many sensitive conversations”. The increased popularity therefore “places the product in the attention of intelligence agencies and cyber criminals”.

For those seeking privacy, the report says, the security of Zoom calls may not be as great as its exceptional usability. The analysis established that Zoom uses “non-standard cryptographic techniques, with many weak points”, and that many keys for encrypting and decrypting meetings were sent to servers in Beijing, China.

CitizenLab points out that the fact that a company is publicly listed or is a major name in its field does not mean that its application follows the best security practices. Given the security issues found, the organization advises against the use of Zoom by “governments concerned with espionage”, businesses concerned with cybercrime and industrial espionage, medical service providers managing sensitive patient information, and activists, lawyers and journalists working on sensitive topics.

In response, Zoom’s CEO, Eric Yuan, an American businessman of Chinese origin, apologized to users and repeatedly insisted that he would modify the program to prevent any abuse. As for the accusation regarding the involvement of servers in China, he added that the country has been subjected to geofencing, a virtual regional restriction, and that the communication sessions were encrypted.

Restrictions on the use of Zoom

However, starting in April, Zoom was gradually subjected to bans and restrictions by many companies, schools and government entities for security reasons. The New York Education Department has prohibited schools from conducting online classes through Zoom.

Members of the US Senate were also warned about using the application because of its huge security issues. Zoom was not prohibited, but the senators were advised to use alternatives, such as Skype for Business. The Senate Rules Committee has “trained” offices to use “only technologies supported by the Senate”, and Zoom is not one of them.

Google, for its part, prohibited the installation of Zoom, a competitor of its own application, Google Meet, on its employees’ devices, asking them instead to use e-mail or phones as... communication alternatives.

NASA established that Zoom is neither licensed nor authorized for use by the agency’s contractors or employees and therefore does not allow its installation on NASA IT devices, while for Elon Musk there is... no room for Zoom, and SpaceX personnel are not allowed to use it.

The list of bans on the Zoom application extended beyond US borders, including restrictions imposed by governments in Taiwan, Singapore, India, Australia and Germany.

According to the German newspaper Handelsblatt, the Ministry of Foreign Affairs in Germany asked its employees to stop using the application for security and data privacy reasons.

The same reasons were invoked by the government in Taiwan, which asked that Zoom not be used, with the Cyber Security Department in Taiwan advising the use of “international alternative products: Google and Microsoft”.

Singapore suspended the use of Zoom by teachers after “very serious incidents” that involved the display of obscene images during schools’ online classes.

After India’s cyber security agency warned, at the beginning of the year, about the application’s vulnerabilities, Zoom was prohibited within the government, after the Defence Minister, Rajnath Singh, posted on Twitter a picture showing him conducting a Zoom videoconference with ministers and military officials.

Due to concerns that “foreign hostile actors” may exploit the security breaches, personnel of the Australian Defence Ministry were prohibited from using Zoom, shortly after an online Air Force meeting was attacked by the comedian Hamish Blake.

Although Great Britain’s Ministry of Defence took an anti-Zoom stance, warning government departments about using the application, the message seems to have been ignored, because Prime Minister Boris Johnson recently stated on Twitter that his cabinet members used Zoom for meetings.

For its part, the US Defence Department asked its employees not to use Zoom, due to concerns that foreign actors may use its software to collect information.

Recently, a Time article heightened these concerns: the explosion in videoconferencing offered a “playground” not only to cyber criminals, but also to spies.

The publication quotes three intelligence officials, speaking anonymously: US counter-espionage agencies have observed the espionage services of Russia, Iran and North Korea trying to spy on US video chats.

But the “cyber spies who moved more quickly and aggressively during the pandemic” were the ones from China. The attractive target: Zoom.

Its shareholding structure and its dependency on a Chinese labour force would make Zoom “answer to the Chinese authorities’ pressure”.

The connection with China – a permanent threat

Time recalls the CitizenLab analysis, according to which, while Zoom is based in the US and listed on NASDAQ, the main Zoom application seems to be developed by three companies in China, all under the name “Software Ruanshi”. Two of the three companies are owned by Zoom, while one of them belongs to an entity called “American Cloud Video Software Technology Co, Ltd”.

The most recent filing with the US Securities and Exchange Commission (SEC) shows that Zoom (through its Chinese subsidiaries) has at least 700 employees in China, who work in “research and development”.

While the main Zoom application (zoom.us) was blocked in China in November 2019, there are many Chinese third-party companies that sell the application in China (zoom.cn, zoomvip.cn, zoomcloud.cn).

However, the intelligence officials quoted by Time stress that there is no evidence that Zoom cooperates with China or that it was compromised, but its security measures have shortcomings that make the application less safe than others. Given that “spies are using many applications to seek governmental, corporate and academic conversations”, federal experts warned that the government and the private sector should not use videoconferencing applications to “discuss or exchange sensitive information”.

But the “Zoom connections with China, regardless of what its CEO promises, create a persistent threat”, Michael Hayden, the former chief of the National Security Agency and the Central Intelligence Agency, told Time.

Many US lawmakers and government officials asked for the security measures adopted by Zoom to be verified, while attorneys from many American states – including Connecticut, New York and Florida – are investigating the privacy and security practices of the Silicon Valley company.

At the same time, new Zoom privacy vulnerabilities came to light. Phil Guimond, a cyber security researcher, discovered a way to access and download a company’s videos previously recorded in the cloud through an unsecured link. The researcher also discovered that users’ previously recorded videos remain archived even after being deleted by the user.

And over 500,000 Zoom accounts, with personal information including e-mail addresses, passwords and web addresses for Zoom meetings, are already being sold at ridiculous prices or given away for free on the dark web.

English version by Andreea Soare