Zoom has made headlines recently based on a combination of security and privacy concerns, including weak encryption practices. Below, we’ve provided our recommendations on best security practices to help you decide if Zoom is right for your organization.
Make sure your Zoom client software is regularly updated. If a user closes a meeting and an update pops up, you must update. There’s a large number of vulnerabilities – some that were just released recently – that can put you at risk if you do not update. Due to increased usage, Zoom will be targeted heavily for new zero days and attacks, and due to the way their client hooks to links, it adds an increased threat surface to your environment. If you’re using Group Policy Objects (GPOs) to push out Zoom clients, we recommend flagging auto-updating to avoid this issue. Here’s more details on Group Policy options for Windows Desktop client and Zoom rooms.
Zoombombing and similar intrusive activities occur when meeting links are posted to a semi-public or public area and people join them to annoy people/steal data. There is some potential for iterating through potential Meeting IDs, but this is by no means fast as they tend to be 8-12 digits in length. This is generally fixed by just using passwords on your Zoom meetings and/or allowing Zoom to generate your meeting ID. That is to say, the url shouldn’t display your ‘personal id’ like “https://zoom.us/j/yournamemeeting” and should instead be something like “https://zoom.us/j/85690 (string of numbers)”. If you use passwords and distribute the password through a different method, e.g., email/text, you can still post the actual link in a more accessible location if desired. Here’s some details and instructions on setting Zoom meeting passwords.
The other big news headline is that Zoom isn’t encrypted end-to-end. This doesn’t mean that anyone can see what’s happening in your Zoom meeting; it means that Zoom’s infrastructure can technically see what you’re doing as it passes from your computer, into their servers, and out to the other user’s computer. This is no different than using a banking website in regard to encryption. This does mean it’s not as secure as some methods of video calling, but this isn’t a major security concern unless you require end-to-end encryption.
There are also security issues associated with what’s said in Zoom chat and the videos themselves, however, these are no different than most cloud services. Data is technically retrievable by Zoom employees, so don’t use their software to share credit card numbers, personally identifiable information (PII), etc. The data is likely encrypted at rest and in transit, but it isn’t encrypted with your key, but rather the Zoom key. This is essentially the same issue as end-to-end encryption and realistically not a major concern if cloud services are already accepted in your risk assessment processes.
Zoom reportedly uses an AES-128 key in ECB (Electronic Codebook) mode to encrypt and decrypt meetings, according to CitizenLab. This is concerning for a few reasons. One, it represents a discrepancy between their advertised encryption practice (AES 256-bit) and the reality of what they’re doing. Second, ECB mode is no longer the recommended standard for encrypted media streaming due to undesired input pattern residue. Lastly, the infrastructure serving up the aforementioned keys reside in China, which raises privacy concerns and increases the software’s risk profile overall.
Blumira considers Zoom to be an acceptable risk for casual business meetings. The risk to your organization is largely mitigated if the following conditions are met:
- Keep your client up to date
- Use antivirus (AV)
- Use unique Zoom meeting names and IDs
- Ideally, use passwords to protect access to Zoom meetings
- Don’t share private personal information in your Zoom chat or video meeting
Stay safe out there and reach out with any questions on Twitter @blumirasec or email us at [email protected].