Zoom: Security and privacy became collateral damage — and this probably won’t change
Recent research shows the sloppy security architecture of Zoom. After a former NSA employee has uncovered massive security holes and researchers from the Canadian CitizenLab found problems with Zoom’s encryption, a German security researcher has detected additional potential vulnerabilities. Our computers with Zoom on them may not be as private and secure as we think.
The first thing that sparked suspicion in Thorsten Schröder was Zoom’s FAQs on data protection. The answer to the question “Does Zoom sell my data?” started with “Depends what you mean by sell.” (Zoom has changed the wording now — but I kept a screenshot as a souvenir). As he read on, Schröder realized: “Zoom, of course, gives away your data.” The second thing was that Zoom did not work with the security tools that Schröder had installed on his computer. These expert tools help him to detect malware or other problems in software. The third thing that made him nervous was a quick look into the code.
Friends had invited Schröder for an after-work beer via Zoom, just like everybody is doing these days. But as an IT security researcher, Schröder has seen too much to simply use an app he was unfamiliar with without at least a rudimentary check. “If this app also wants to install software on my computer, I’ll look closely.” Unfortunately, this close look did not exactly calm Schröder down. According to him, Zoom probably has serious security holes on top of the ones that the company closed after other security researchers had made them public.
When Schröder sees something he thinks is insecure, he starts to hack in, to see just how bad it is. Normally he would carry out the attack to the end — exploiting security holes as if he were a hacker with bad intentions — before he goes public. That’s the reason for the word “probably” in the paragraph above: An attack takes time, and because these potential security holes are very dangerous, we agreed that I would write down the state of affairs here after our interview instead of waiting, until Schröder — who does not get paid for this work — finds time to finish the attack.
Zoom is the new normal: CEO Eric Yuan said the company saw a huge spike in users: up to 200 million people per day in March, from about 10 million in December. Half the world is using zoom right now — and of course this is the point where weaknesses become visible to a big audience. A few weeks ago nobody had heard about a phenomenon called “Zoom bombing”, where strangers conquer Zoom meetings they are not invited to and show (for example) pornographic images via the screen sharing tool. Now people are familiar with Zoom bombing, which can be offensive and disruptive — but there are way more dangerous potential things out there.
“In my opinion, politicians and journalists should not use zoom,” said Thorsten Schröder after his first short dive into the depths of the software. But they do. Some even publicly announce their zoom meetings with the meeting ID, virtually inviting the bad guys to take advantage of this and interfere or eavesdrop on future video conferences. British Prime Minister Boris Johnson, for example, carelessly sent a screenshot of a Zoom cabinet meeting via Twitter recently, which included the meeting ID. We don’t want to speculate here about who might be interested to listen to the British government. Zoom quickly removed the ID from the screen with the following update.
Schröder is not alone in his warnings. “Though Zoom is incredibly popular it has a rather dismal security and privacy track record” wrote former NSA (US National Security Agency) employee Patrick Wardle a few days ago in his blog, where he published two new worrying security holes in Zoom, which he had found and which Zoom claims to have now closed.
These were so-called “Zero-Day Vulnerabilities”, which means that for these bugs in a computer program there is no so-called “patch” yet, no “repair”, no update, which closes the security hole. This means that anyone who was using Zoom at the time — in this case with the Mac app — was de facto vulnerable. And not only in a way in that attackers can eavesdrop on and record zoom meetings unnoticed, they could also gain access to the computer itself, read out Windows passwords and obtain administrator rights for the computer system. Among other things, such attackers could switch on the camera and microphone at any time and spy on the affected person.
However, even the official way the data travel is not as secure as Zoom claims. Security researcher Micah Lee and journalist Yael Grauer from “The intercept” recently found out that video chats are not end-to-end encrypted — what Zoom had claimed. This would mean that the data is encrypted from one participant to another in the video conference — so that Zoom itself, for example, cannot access the data. According to the Intercept, this isn’t what’s happening: Instead Zoom offers what is usually called transport encryption, which means that random listeners on the way between the conference participants and Zoom servers only see encrypted material, whereas Zoom itself can access the unencrypted video and audio content of Zoom meetings. End-to-end encryption would mean that really only the participants of a video call are able to unencrypt their data (in reality of course the software does that for them) This practice of only transport-encryption instead of end-to-end-encryption leads to further problems: For example, if the FBI demanded access, Zoom would have to hand over this data under American law. If they were encrypted, this would not be possible (or the FBI would not be able to make sense of the encrypted data).
In a blog post Zoom apologized for the misleading use of the term end-to-end encryption: “We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.” (https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/) A few days later researchers from the Citizen Lab, a research group within the University of Toronto, found out that Zoom does not use the industry encryption standard for this case, but used a weaker version: Using this mode “is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input”, said the researchers. In addition they observed that keys for encrypting and decrypting meetings were transmitted to servers in China — where by Chinese law Zoom might be legally obligated to disclose these keys to authorities in China.
“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China”
“An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China”, conclude the Citizen Lab researchers. As a result, the government of Taiwan, Google, SpaceX and New York City Schools among others banned Zoom. (Google, of course, has its own solution, NYC schools will be using Microsoft Teams. Others decide to use FaceTime, which is end-to-end encrypted. But it is hard to tell how secure other solutions are. What most experts recommended in my research is Jitsi.)
Zoom again apologized for this “oversight” and promised to work on the problem. The apology was similar to Zoom’s reaction to a critique a few days earlier, where researchers had found out that Zoom passed data to Facebook without communicating this to users, as Motherboard magazine reported. As a result, Zoom deleted this feature from the code. But again only after someone else had found out about it.
This data will no longer be passed on to Facebook — but what should be more worrying is Zoom’s reaction to the recent problems. Words like “oversight” and “was brought to our attention” dominate the blog posts after every new reported security problem. After all, it means that Zoom itself doesn’t really know what its program does. In the case of data going to Facebook it’s not so much an intentional data trade as sloppy handling of its own and other people’s code. Privacy becomes collateral damage.
Privacy becomes collateral damage due to Zoom’s sloppy security architecture
And this sloppiness possibly runs through the entire code of the application and forms the basis for massive security holes. At least, this is what Thorsten Schröder’s findings indicate. Together with other security researchers from the German Chaos Computer Club (CCC), he had previously uncovered a Trojan (malware) used by the Bavarian state and discovered weaknesses in the election software for the 2017 federal elections in Germany. Schröder, who has been working in the field of IT security for 20 years, says: “I have a gut feeling where to look when it comes to confidentiality.”
This feeling led him, among other things, to a freely available software library in Zoom’s code that Zoom uses to encrypt connections. In itself, using preexisting free software is a good thing, but Zoom has not updated this toolkit called OpenSSL for years. “Zoom delivers its current software with a completely outdated version of SSL that contains known security holes.” This old version of SSL is no longer updated to close security holes, which means that this vulnerable SSL toolkit is on Zoom — and thus on each person’s computer. And this in times when Zoom is predestined for attack. “Das wird vielen Leuten den Nacken brechen”, he said, using an idiom in German that translates roughly to “it will hurt a lot of people’s bottom line.”
Schröder has found another possible vulnerability in the use of another library called SQLite. “When using an SQL database you can do a lot of things wrong — and Zoom uses techniques that are predestined to introduce exploitable security holes.” These are among the first things hackers look into, because companies often make these mistakes when using SQL databases. They can, for example, read out user data of all kinds. I accompanied hackers a few years ago while they did this as their first step to overtake a big European company — and it only took them a few minutes to capture thousands of names, addresses and passwords thanks to an incorrect SQL database use. (German article here)
“But you can also execute malicious code via SQL,” explained Schröder, such as Trojans or ransomware. Attackers can therefore possibly exploit the installed Zoom app to delete, steal or encrypt data on the user’s computer, and then demand large sums of money so that the user can access it again. (This is what happened to many people and companies with “Wannacry” in May 2017) Zoom does not mention these possible vulnerabilities in the current blog posts — so these holes are probably not closed.
It is a question of time when malicious actors such as criminals and nation-state hackers will act faster than serious security researchers
Presumably, all of this is not Zoom’s intention, it’s rather sloppiness and a clear sign that security has been sacrificed for quick market success. This happens often when it comes to software: Whoever is first on the market in these areas can secure large market shares and is well positioned. But this leads to software in general becoming increasingly insecure on average. The fact that Zoom is currently lagging behind and only ever solves those problems that users or security researchers uncover does not speak well of the company.
Almost certainly there are other security problems lurking beneath the surface due to the sloppy security architecture. So it is a question of time when malicious actors such as criminals and hackers will act faster than serious security researchers — and that could be dangerous. One can already observe the first corresponding activities: there is a program that automatically searches for zoom sessions that are not password protected. According to its makers, zWarDial can find on average 110 meetings per hour without passwords — all of them are vulnerable to “Zoom-Bombing.” And there are already more than 100,000 Zoom accounts, passwords and personal meeting IDs are for sale on the dark web. This happens because people reuse their passwords from other accounts — and because hackers think Zoom is an interesting target. And this is why Zoom should be extra secure instead of less secure. But unfortunately it isn’t.
In my research I heard many experts complaining that software is now hardly ever tested before it is released on the market. Security is complex and expensive, that’s what researchers have told me time and again, for example the German security researcher Christian Rossow for a story about attacks on critical infrastructures (German article here): “There are two competing motives: making software secure and bringing it to market as quickly and cheaply as possible.” Schröder also observed the same effect: “It is one of the bad habits of the last ten years that start-up companies publish their tools in an unfinished state and turn customers into testers.”
“It is no longer only the question of whether a video chat is being eavesdropped. The point is that individuals can become targets of attacks, independent of the video chat.” (Thorsten Schröder)
Schröder emphasizes that, in contrast to the ex-NSA hacker Wardle, he did not investigate these potential security holes to the end. It is theoretically possible that hackers will encounter other obstacles when they do. But what he has seen indicates a unprofessional approach to security — and that produces the potential for devastating attacks.
“It is no longer only the question of whether a video chat is being eavesdropped,” Schröder emphasizes. “The point is that individuals can become targets of attacks, independent of the video chat.” What particularly annoys him: these days you can’t get around Zoom anymore. Companies use Zoom, universities, even Schröder’s friends use it for the aforementioned after-work beer. “The group decides for the individual” — who may then have to bear the consequences that malware causes on their computer. Schröder has found his own workaround: For Zoom he uses a computer that he does not use otherwise and on which no important and personal data is stored. “I don’t install Zoom on my normal computer, which I also use for other things.”
There have been many examples in the past, where hackers spend a lot of time and money to gain access to the systems of others and to disrupt them. Nation-state hackers, among others, invest a lot in order to either spy on other states, undermine them by means of hacker attacks, influence elections or steal ideas. For these hackers — as well as for “normal” criminals — golden times have come when politicians, journalists and companies now use Zoom on a grand scale. “So, what to do?”, Ex-NSA hacker Werdle concludes his blog post: “Honestly, if you care about your security and/or privacy, perhaps stop using Zoom.”
Update 04/16: Because more and more people were asking for details, Thorsten Schröder provided his findings in detail here.