A conversation about Zoom, security, and privacy in these times of social isolation.
(I should probably start by saying I wrote this of my own free will and the opinions are my own. Zoom did not ask me to write this and does not even know that I did.)
Over the past four weeks, our society has changed completely. We have moved from happy hours to social distancing, from long business meetings in stuffy conference rooms to digital discussions that look like the Brady Bunch introduction with virtual backgrounds. As a result, many products and services have been slammed front and center into the public eye, from Instacart and Amazon Fresh to Zoom Video Conferencing. It is this last product that I want to spend a few minutes discussing here as a result of countless questions from friends and family around security and privacy.
For those that know me, I am a security geek. I have been in computers and security for over 20 years. I have had the opportunity to run cybersecurity for the White House and to support massive cybersecurity programs for the Department of Homeland Security. I founded Dark Cubed, a cybersecurity startup, over six years ago; the company continues to help protect small and midsized companies in this time of increased cybersecurity threat.
I have worked with my team of expert employees to raise the alarm on the security of Internet of Things (IoT) devices that are commonly made in China and communicate sensitive data to unknown ends of the Earth. I have run and managed countless penetration tests, vulnerability assessments, and risk assessments for large and small companies looking at everything from audiovisual systems to sophisticated industrial controls systems.
I write all of this background to say this. I am a strong advocate of using Zoom today. I am frustrated that the fear, uncertainty, and doubt that the media is spreading about the security of this platform will increase social isolation and cause physical harm in our time of great need.
Before diving into a few points on the Zoom platform, in particular, let me say this first. Yes, there will be vulnerabilities with any software you install on your computer. Yes, Zoom has made mistakes on the oversight of its platform communications, encryption technologies, and security controls.
Yes, there are countless examples of horrible people jumping into unsuspecting gatherings on Zoom and spewing racial slurs or showing pornography. I am not trying to minimize the emotional and psychological impacts that such an experience might have on people, but this happens in the physical world just as it happens in the digital world. We should not let these horrible people win by not communicating with those that we love or want to just hang out with for a while to forget the trials we are all facing.
First, let me talk about the ZoomBombing issue that so many people are discussing in the press today.
Zoom provides a virtual conference room that is identified by a nine-digit number. At any given moment in time, there are likely hundreds of thousands of Zoom conferences going on with a unique number associated with them. There is even a chance that if you opened up Zoom and started guessing nine-digit combinations, you might find your way into a conference as an unwelcome visitor.
Using a great website, GRC’s Password Haystacks (https://www.grc.com/haystack.htm), we can see that a password made only of numbers, of up to nine digits, has 1,111,111,110 different combinations. A significant number, but not impossibly large. Any specific nine-digit number could likely be guessed in less than two weeks by a fast computer. A password consisting of nine digits could be cracked in under a second by a specially designed password cracking setup. This means if you are running a Zoom meeting and have not configured a password, you are running the risk of someone dropping in and surprising you.
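To put numbers on the argument above, here is an added example (my own illustration, not code from the original post or from Zoom) that reproduces the Haystack count for all-numeric strings of up to nine digits and then models how much a meeting passcode enlarges the space an uninvited visitor would have to search. The "hundreds of thousands of live meetings" figure is the post's own rough assumption.

```python
# Added example: keyspace arithmetic behind the post's ZoomBombing discussion.
# Assumptions (from the post, not measured): meeting IDs are up to nine digits,
# and on the order of 200,000 meetings are live at any moment.

def keyspace(alphabet_size: int, max_len: int) -> int:
    """Count every string of length 1..max_len over a given alphabet.

    This is the GRC Haystack count: for digits (10 symbols) and max_len=9
    it yields 1,111,111,110, the number quoted in the post.
    """
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def expected_guesses_for_any_live_meeting(id_space: int, live_meetings: int) -> float:
    """Expected random guesses (without repeats) before hitting *some* live meeting.

    With K targets hidden uniformly in a space of N values, the expected number of
    draws to the first hit is (N + 1) / (K + 1). This is why an ID alone is a weak
    secret when many meetings are running at once: the more meetings, the sooner
    a random guess lands on one of them.
    """
    if live_meetings <= 0:
        raise ValueError("need at least one live meeting")
    return (id_space + 1) / (live_meetings + 1)


def expected_guesses_for_specific_meeting(id_space: int, passcode_space: int = 1) -> float:
    """Expected random guesses (without repeats) to hit one specific meeting.

    A single target in a space of N values takes (N + 1) / 2 draws on average.
    Requiring a passcode multiplies N by the passcode's own keyspace, which is
    the whole point of the post's "just set a password" advice.
    """
    if passcode_space < 1:
        raise ValueError("passcode space must be at least 1")
    return (id_space * passcode_space + 1) / 2


if __name__ == "__main__":
    ids = keyspace(10, 9)                      # 1,111,111,110 possible meeting IDs
    print(f"meeting ID space:            {ids:,}")
    print(f"guesses to hit any live mtg: {expected_guesses_for_any_live_meeting(ids, 200_000):,.0f}")
    print(f"guesses for one meeting:     {expected_guesses_for_specific_meeting(ids):,.0f}")
    with_code = expected_guesses_for_specific_meeting(ids, keyspace(10, 6))  # six-digit numeric passcode
    print(f"...with a 6-digit passcode:  {with_code:,.0f}")
```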
Is that a problem? Well, many of us are using Zoom for meetings with folks that have not typically been heavy computer users. These last few weeks have been overwhelming for those people. Introducing a password may be an added complexity you do not want to take on, and you may be willing to accept the risk of an uninvited visitor.
If you aren’t willing to accept the risk, just set a password for the meeting, and you can check off one concern from your list.
The second way “ZoomBombing” can occur is if you share your meeting information on social media, a website, or just broadcast it out. In this case, bad actors can potentially find this information and target you specifically. I find this example more concerning than the first because the bad guy will likely be able to spend a few minutes researching you or your organization online and will make the attack feel more personal.
Unfortunately, it is hard to both publicly share an event for people to join AND protect that event with a password for security reasons, without also sharing that password. Argggh. To manage this risk, you can use a feature called a “Waiting Room,” which allows you to only let in the folks you want to join and kick out people you do not.
If you are willing to pay for Zoom, you can also use Webinars to manage security in a slightly more precise way. We do this for our church. We set up a large group meeting as a Webinar. When people join the webinar, they are unable to talk or share content, but they can listen. This format allows you to get your message out and share information without having to mute or manage people. If you want to have a more interactive session, you can then promote up to 100 people to be “Panelists” in the webinar where they can fully participate. You can also demote Panelists back to attendees. This extra control may be helpful for organizations that are more paranoid or want to be able to control the flow of a meeting more precisely.
The other thing to think about when it comes to unwelcome visitors is the age-old password problem. If you sign up for a Zoom account and use the same password you used for other accounts, then you are welcoming trouble. I am a big fan of telling people that if you are using an online service that does not allow you to implement two-factor authentication, then do not use it. Zoom has this capability, and you should use it. If you are part of an organization, you can use single sign-on (SSO) to increase security. The bottom line here is that if you are going to set up an account to host and manage Zoom meetings, turn on two-factor authentication.
For more information on ZoomBombing, just read the countless articles that are out there advising users on how to secure Zoom meetings. This press release from the FBI is a good start: https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
Will My Computer Get Hacked?
Secondly, while the ZoomBombing stuff we discussed above may feel like hacking, it is not. These horrible people do not get access to your computer or your phone unless you explicitly give it to them. They cannot read your email or steal your files; they are just there to scare you.
So, let’s discuss the dire warnings around “Zero Day Flaws,” hacking, and other security issues with the Zoom app. The security warnings related to Zoom are real. However, I pay attention to the amount of attention an application receives from security researchers and how the company responds. Think about the amount of attention that Microsoft Windows gets from security researchers, which is why we hear about so many vulnerabilities.
I cannot even imagine how many security researchers are pounding on the Zoom software and platform now that it has become so popular. Given my background, I am never surprised when software hacks are announced. Everything is hackable, there are always more vulnerabilities to find, and the impacts can often be severe. For Zoom, a great example of security research is the excellent work by Patrick Wardle published on March 30th, 2020, and amplified heavily in the press. You can read his posting here: https://objective-see.com/blog/blog_0x56.html
Patrick is a highly respected member of the security community and does fantastic work, as evidenced by his posting. In his posting, he writes, “So, what to do? Honestly, if you care about your security and/or privacy perhaps stop using Zoom.” I appreciate his point, and he is not wrong, but he is also not right. The issue here is that for non-technical readers, the first reaction is panic, when that may not be the full story.
It is critical to note that both of the techniques described by Wardle require a hacker to have access to your computer either through another piece of malware or via remote access. So, my point here is that the hacker must have already successfully attacked your computer before these issues become a problem. This fact does not trivialize the vulnerability, but it does change the risk calculus. The second part of this discussion was how Zoom reacted. They did not hide behind fancy press releases; they apologized and took action. A patch was released quickly and publicly, and a 90-day action plan was released to talk about how they would fix things going forward. The security community should continue to hold Zoom accountable for doing the right thing at all times, but this should happen in a way that does not scare people away from socializing.
Given this information, what should you do? Well, if Zoom tells you there is a software update, you should install it; that update is the result of them fixing these security flaws. If you use Zoom, do not live in fear of your computer being erased or hacked; it is highly unlikely that your use of Zoom will cause this. Countless pieces of real malware are out there in your email inbox right now that are more likely to hack you. You should be worried about malware, and here is a great article you should read: https://staysafeonline.org/blog/easy-ways-protect-yourself-from-malware/. My advice is to install antivirus software and make sure you back up any important files you do not want to lose on a portable drive now and then.
Are the Chinese Spying on Me?
Finally, there have been several news stories in the past week related to weak encryption, the use of encryption keys issued in China, or the routing of traffic through China, causing massive concern around the possibility that China might be spying on us through Zoom. So, is China listening? The answer is probably. But I am more concerned about China’s deep penetration into the Internet of Things (IoT) market (https://darkcubed.com/iot-security), their efforts to gain control of telecommunication networks through companies like Huawei (https://www.nbcnews.com/politics/national-security/u-s-officials-using-huawei-tech-opens-door-chinese-spying-n1136956), or the potential that using TikTok (https://www.vox.com/open-sourced/2019/12/16/21013048/tiktok-china-national-security-investigation) could be compromising your security than I am about Zoom.
I would venture that any issues related to Zoom and China are a direct impact of trying to scale a global network quickly, while also trying to comply with a worldwide patchwork of requirements and regulations. I do not forgive them for the encryption issues; I just very strongly feel that this issue is overblown in the press. I never expect any voice or video platform to be private, including the cell phone network or Zoom or any non-national security system. If you are sharing state secrets, then you should not be using Zoom. If you are anxious about the Chinese spying on you, you should pay attention to the IoT space and the lack of oversight there, which is genuinely concerning. Read our report on this here: https://darkcubed.com/iot-security.
Should I Use Zoom?
As a technologist, I look at what Zoom has built from an infrastructure perspective and am amazed. In 2019, all of 2019, they added 1.99 million users, according to an article on CNBC (https://www.cnbc.com/2020/02/26/zoom-has-added-more-users-so-far-this-year-than-in-2019-bernstein.html). By February of 2020, Zoom had added 2.22M more active users. According to a Reuters article on April 2nd (https://www.reuters.com/article/us-health-coronavirus-zoom/zoom-pulls-in-more-than-200-million-daily-video-users-during-worldwide-lockdowns-idUSKBN21K1C7), “Zoom’s daily users ballooned to more than 200 million in March from a previous maximum total of 10 million.” Zoom has experienced an insane amount of growth, and to have a global network that can scale that quickly is nothing short of a miracle, even in today’s modern age. Another line from that same article states, “…Zoom usage has taken off over the last few weeks, with more than 90,000 schools across 20 countries, using its video conferencing services to conduct classes remotely.”
From personal experience, Zoom has brought together groups of family and friends during this time of crisis in ways that would be much harder on other platforms. My neighborhood held a happy hour last week, where neighbors were able to share a glass of wine virtually and chat about the weather.
I helped a local church conduct their Sunday worship service on Zoom just a few hours ago. My pastor holds his regular Old Testament and New Testament classes with groups of 30–40 people weekly. While the social distance is hard, things feel normal for a brief period during the invigorating group discussion. My daughter spends countless hours video chatting with her friends and scheming new ways to get us to foster pets, as if our two dogs, two guinea pigs, and the rabbit aren’t enough. My kids are spending time with their classmates and teachers on Zoom, while the teachers try to keep the kids from goofing off with virtual backgrounds or strange pets making surprise cameos. Our oldest child attends our church’s youth group on Zoom. My wife’s preschool has been reading to their kids daily on Zoom. All of these things are GOOD THINGS. This is community coming together in a time of crisis.
To pile on, no other video conference platform I have used to date can match the simplicity and ease of use of Zoom. I am sure this will change as time moves forward, but for now, the friction associated with using other platforms will likely result in reduced social interaction, which is a bad thing.
So yes, I recommend that you keep socializing, keep connecting, keep Zooming. I will. I am confident that many other experts agree with me, take this posting as proof: https://medium.com/@0xamit/zoom-isnt-malware-ae01618e2046.
Might there be a chance that some neo-Nazi dressed as a chicken shows up and yells at everyone? Maybe, but in this crazy mixed-up world where toilet paper is worth its weight in gold, what else should we expect?
My advice? Follow the guidelines and recommendations on securing Zoom. Keep all of the software on your computer updated and patched, not just Zoom. Use strong passwords, and use two-factor authentication everywhere, including Zoom, Google, Facebook, Twitter, etc. It’s not like you don’t have the time to figure it out now that you are stuck at home!
If you have a hard time figuring out how to secure all of your accounts, then set up a Zoom with a neighborhood teenager, your granddaughter, or your niece or nephew, and they will show you how.
Most importantly, take every opportunity to connect with your friends, family members, neighbors, co-workers, and others in your community. It is clear that the human race is always stronger when we work together, we just need to re-envision what “together” looks like while we socially isolate to protect the most vulnerable in our society.