This article details the issues that have been identified and Zoom’s solutions for them.
What are Zoom’s security and privacy issues, and what can be done about them?
With the new coronavirus spreading all over the world, a state of emergency was declared, and many companies and stores closed or had their staff stay at home.
In this situation, demand for the web conferencing tool Zoom has risen rapidly.
Because it lets people communicate and hold meetings easily from home, many companies adopted it: as of December last year about 10 million users attended meetings per day, but by April that total had grown to 300 million per day, 30 times the previous figure.
However, from March to April 2020, app vulnerabilities, security concerns and privacy issues with Zoom were pointed out one after another around the world.
Zoom CEO Eric S. Yuan apologized for these security concerns and promised to be fully committed to protecting the security and privacy of Zoom customers.
Zoom announced a 90-day feature freeze and said that all resources, including those for new feature development, would be devoted to resolving these security and privacy concerns.
As a result, Zoom released four version upgrades in April and announced “Zoom 5.0” on the 27th of the same month.
Today, Zoom’s security and privacy concerns are said to be largely resolved, and the criticism has quickly died down.
[Improved] The five security and privacy issues that were pointed out
These security and privacy issues are now being rapidly resolved by upgrading to “Zoom 5.0”.
What were the security and privacy concerns?
The five major problems are as follows.
- Analytics data on users of the iOS version of the Zoom app was being sent to Facebook
- Zoom web conferencing is not strictly end-to-end encrypted
- An issue where Windows users’ network credentials could be stolen
- An issue where the “Participant Tracking” feature let the host see whether a participant had the main window in front during screen sharing
- The occurrence of vandalism or meeting hijacking called “Zoom bombing”
Analytics data on users of the iOS version of the Zoom app was being sent to Facebook
The problem was that when a user opened the iOS app, analytics data (not personal information) about their Zoom usage habits was sent to Facebook.
Zoom offers a “Log in with Facebook” function, and this function was collecting unnecessary user information.
The usage data in question reportedly consisted of the name of the device in use and the name of the mobile carrier.
It apparently did not include meeting-related information or activity such as attendees, names, or notes.
What was particularly problematic was that the data was sent even when the user had no Facebook account at all.
This no longer occurs.
The Zoom app is not strictly end-to-end encrypted
Zoom had previously stated that user communications were protected by end-to-end encryption. In practice, however, although traffic is encrypted between endpoints, the encryption keys are held on Zoom’s servers, and Zoom was criticized because such a design cannot strictly be called end-to-end encryption.
The concern is that if the encryption keys are stored on Zoom’s servers, Zoom itself could decrypt the traffic and read its contents.
An issue where Windows user credentials could be stolen
This was a security vulnerability affecting Windows users of older versions of the Zoom app, up to early March.
The chat function was vulnerable to what is called UNC path injection; if this was exploited, user authentication information (passwords, etc.) could be leaked.
However, the attack succeeded only if a person using a Windows terminal on which malware had been installed in advance joined the same meeting as the attacker and clicked the crafted path in the chat, so the likelihood of actual damage is said to be very low.
This was also fixed by a version upgrade in late March.
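As an added example (not Zoom’s own code), the following Python shows the defensive rule behind the fix described above: a chat renderer that only ever turns http(s) URLs into clickable links, leaves UNC paths (`\\host\share\...`) as inert text so that a click can never cause the client to contact the named host, and reports any UNC path it saw so the messages can be reviewed. The sample messages are constructed; `render_chat_message` and `scan_chat` are hypothetical names.

```python
import html
import re

# Allowlist: only these URL schemes are ever turned into clickable links.
HTTP_URL = re.compile(r"https?://[^\s<>\"']+")
# A UNC path: two backslashes, a host name, a backslash, then share/path text.
UNC_PATH = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s]*")


def render_chat_message(text):
    """Return (html_fragment, findings).

    html_fragment: the message HTML-escaped, with only http(s) URLs linkified.
    findings: every UNC path found in the message, for logging or review.
    UNC paths are deliberately left as plain text, never as <a> links, so a
    click cannot trigger a connection to the host named in the path.
    """
    findings = UNC_PATH.findall(text)
    parts = []
    pos = 0
    for m in HTTP_URL.finditer(text):
        parts.append(html.escape(text[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    parts.append(html.escape(text[pos:]))
    return "".join(parts), findings


def scan_chat(messages):
    """Render every message and return (index, unc_paths) for those carrying a UNC path."""
    flagged = []
    for i, msg in enumerate(messages):
        _, findings = render_chat_message(msg)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample messages, not taken from any real meeting.
SAMPLE_CHAT = [
    "Slides: https://example.com/deck.pdf",
    "open \\\\files.example.test\\share\\notes.txt please",
    "no links here",
]

if __name__ == "__main__":
    for idx, paths in scan_chat(SAMPLE_CHAT):
        print(f"message {idx} contained UNC path(s): {paths}")
```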
An issue where the “Participant Tracking” feature let the host see whether a participant had the main window in front during screen sharing
This was a feature that allowed the host of a web conference to see whether participants were “looking” at the screen during screen sharing; Zoom removed it after criticism.
Specifically, it alerted the host if a participant left the main Zoom window or the mobile app screen for more than 30 seconds.
The feature was seen as monitoring participants unnecessarily, and it was also hard for participants to understand.
The occurrence of vandalism or conference jacking called “Zoom bomb”
The fifth and last point is the frequent occurrence of vandalism by third parties called “Zoom bombing”, which has been widely covered in web news.
Trolls repeatedly post inappropriate comments, paste pornographic images, share their screens and scribble on them in red, and so on.
The cause of such “vandalism” is mischief.
When a Zoom meeting is held, Zoom issues a URL that is sent to participants so they can enter the meeting room; participants click it to enter the room and join the meeting.
However, some people began this “mischief” by posting the URL to third parties on bulletin boards or SNS (social media), making it known to the general public.
The motivation is “because it is interesting” and “I wanted to embarrass schools and companies.”
However, such attacks can in fact be prevented by proper use of Zoom’s existing settings and functions:
- Use the waiting room function
- Set a password for the meeting
- Lock meeting room
- Restrict participation by email domain
The waiting room prevents unspecified people from intruding by holding participants in an area called the waiting room.
The host then starts the meeting by admitting the participants from the waiting room.
Also, requiring a password instead of just the URL greatly improves security.
In Zoom 5.0, the default is to lock the meeting.
It is also possible to lock the meeting once it is in progress so that no further participants can enter, just like a real meeting room.
For stronger restriction, there is also a function to specify the domain of the email address that users must use to log in to the app.
With Zoom 5.0, Zoom is working to address these problems further by gathering these security settings under a single “Security” icon so that they can easily be set during a meeting.
Zoom 5.0 update summary
Although this overlaps with the solutions and countermeasures above, here is an introduction to the latest version upgrade, “Zoom 5.0”.
The five main changes:
| Change | Description |
|---|---|
| AES 256-bit GCM encryption adopted | The latest GCM encryption mode is adopted, enabling more secure meetings |
| Unauthorized user reporting function | Report unauthorized users to Zoom |
| New encryption icon | A new encryption shield icon is displayed to show that the meeting is encrypted and safe |
| Strengthened data center protection | Selectable data centers for meeting and webinar communications |
| Improved actions when ending/leaving a meeting | The end/leave flow has been improved to make it clearer who left; the host role can also easily be handed over |
Greater user security control
The following functions have been consolidated in one place to address security problems:
- Enable or disable screen sharing by host
- Enable or disable chat by host
- Enable/disable participant renaming
- Enable or disable the waiting room while a web conference is in progress
- Lock the meeting once all participants have joined, to prevent unauthorized participation
- Report and block unauthorized participants
Changes to protect meetings
- Waiting room before joining a meeting is enabled by default
- Meeting ID changed to 11 digits
- Password complexity (minimum of 6 characters)
- Cloud recordings are protected by a password
- When a meeting is recorded, it is recorded which user is recording
- Pre-registration of participants’ email addresses and names
- Other minor adjustments
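As an added example (not Zoom’s own code or API), the following Python models the meeting protections listed in this section together with the anti-“Zoom bombing” settings described earlier (waiting room, password, lock, email-domain restriction). It audits a constructed meeting configuration against the Zoom 5.0 rules stated above (11-digit meeting ID, 6-character minimum password, waiting room on, lock, host-only screen sharing) and models the waiting-room admission decision. The `MeetingSettings` class and the `audit` and `admit` functions are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

MIN_PASSWORD_LEN = 6      # Zoom 5.0 minimum password length described above
MEETING_ID_DIGITS = 11    # Zoom 5.0 meeting ID length described above


@dataclass
class MeetingSettings:
    meeting_id: str
    password: Optional[str]                 # None means the URL alone grants entry
    waiting_room: bool
    locked: bool                            # host locked the room after everyone arrived
    allowed_email_domains: List[str] = field(default_factory=list)
    host_only_screen_share: bool = False


def audit(s):
    """Compare a meeting's settings with the protections above; empty list = nothing to fix."""
    findings = []
    if not re.fullmatch(r"\d{%d}" % MEETING_ID_DIGITS, s.meeting_id):
        findings.append("meeting ID is not %d digits" % MEETING_ID_DIGITS)
    if s.password is None:
        findings.append("no password: the invitation URL alone grants entry")
    elif len(s.password) < MIN_PASSWORD_LEN:
        findings.append("password shorter than %d characters" % MIN_PASSWORD_LEN)
    if not s.waiting_room:
        findings.append("waiting room off: nobody is screened before entering")
    if not s.locked:
        findings.append("meeting not locked: late joiners can still enter")
    if not s.host_only_screen_share:
        findings.append("any participant can share their screen")
    return findings


def admit(s, email):
    """Model the waiting-room decision for one participant identified by login email."""
    if s.locked:
        return False                        # locked room: nobody else gets in
    if s.allowed_email_domains:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in [d.lower() for d in s.allowed_email_domains]:
            return False                    # wrong domain: stays in the waiting room
    return True                             # the host may now let them in


# Constructed example configurations, not real meetings.
WEAK = MeetingSettings("123456789", None, waiting_room=False, locked=False)
HARDENED = MeetingSettings("12345678901", "s3cure-m33t", waiting_room=True, locked=True,
                           allowed_email_domains=["example.com"], host_only_screen_share=True)
```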
The above summarizes the security and privacy issues pointed out regarding Zoom, together with how they were addressed and resolved.
It is fair to say that these problems have been largely solved by the Zoom 5.0 version upgrade on April 27th.
Users should upgrade Zoom to 5.0 without delay.
In fact, Zoom’s swift resolution of these issues set it apart from other web conferencing tools and systems, making it the world’s leading tool.
Zoom’s ease of use and convenience also set it apart from other web conferencing tools.
Security measures that users should take
- Be sure to upgrade to Zoom 5.0
- Set password for web conference
- Allow participants to enter after confirming participants in the waiting room
- Restrict screen sharing and chat on the host side when they are not needed
- Do not publish the invitation URL or meeting ID on SNS (social media)