Breaking Down Zoom Security and Privacy Issues

Mark Kraynak, Acrew Capital

Apr 7, 2020

I’ve been getting asked a lot about Zoom security and privacy issues, so I thought it might be worthwhile to try to break down what the hubbub is about and provide some thoughts on how worried people should be and what they can do about their concerns.

When I first started drafting this missive, I was making the argument that the controversy was overblown. Overall, I still think that’s true for most users, but as I went down the rathole and found out about some of Zoom’s encryption problems, it did raise some deeper concerns for me.

First, the TL;DR: my quick take for different sets of users:

For vendors of collaboration products (including Zoom): Buckle up. There’s a wave of attacks and disclosures on the way. I’ve seen this time and again: once a researcher proves that there are vulnerabilities in a class of software, it’s like sharks swarming to blood in the water.

For casual users: It’s probably okay to keep using Zoom with a few guidelines and caveats:

  • Don’t use it for highly sensitive things — and you have to be the judge of what highly sensitive means. I’ve seen reports about “highly intimate” conversations in a number of places (here’s one). I’m sure that’s code for, well, whatever. Maybe use FaceTime for those videos and don’t record them.
  • Follow the common sense rule I think most people should already be using for email: don’t put something in a Zoom meeting that you’d be embarrassed about coming to light in a breach.
  • Follow Zoom’s guidance on how to prevent unwanted attendees and their disruptions.

For higher trust / confidentiality users: Look for another solution. I’m not really in a position to give detailed recommendations, but I know that Wickr is doing some interesting things in this area. I’ve also seen some talk of Signal having good hygiene as well. If you’re a consumer and want better confidentiality, I think FaceTime from Apple is pretty good.

For enterprise IT orgs: Evaluate where you fit on the confidentiality curve. If you need robust stuff like end-to-end encryption, look for another solution. Even if you don’t, I’d recommend having a backup system in case you need to migrate (again) under duress to another system.

Okay, so if you want to follow me into the weeds, here are my more detailed views, in order of my view on severity:

  1. Lack of real end-to-end encryption and other weaknesses in the encryption stack. Many of my security industry contacts are *pissed* about this. I’m okay with Zoom making the choice not to do that, because there’s a legit trade-off between usability and security — and their core selling proposition is usability. What I’m *not* okay with is that Zoom has been claiming they provide end-to-end encryption while not doing it. That’s an integrity or competency issue, both of which are pretty concerning. I’ve read the CEO mea culpa and I think Zoom will be more circumspect going forward. I don’t think they will move to end-to-end, so if you need that level of assurance, find another platform.
  2. Use of Chinese servers for encryption key generation. Not good from a variety of angles, but my read on it was that this was a mistake that came about due to the pressures of scaling so fast (10M to 200M daily user sessions from December to March!). I think this is fixed and I’m willing to let it slide.
  3. Exposure of recorded sessions online. Rookie mistake. It’s actually quite common for data breaches to occur because of bad configuration of storage etc. This doesn’t make it good, but it is common. Mainly, I think anyone should think two or three times before recording a session. Follow the email rule about not putting something in an email (or recorded Zoom session) that you’d be unhappy about coming to light in a data breach scenario. This is true, BTW, no matter what you think of Zoom’s issues. You can be hacked directly. Don’t forget that.
  4. Exploits released that can hijack Zoom and get credentials, etc. I don’t feel there’s that much unique from other exploits of other platforms (like the pretty severe Windows flaws that seem to be a regular thing these last few months). Any platform with wide use will get this kind of attention from researchers and attackers. In some ways Zoom is a really ideal new target because of the sudden massive increase in users (i.e. lots of opportunities to get into user install flows). The solution here is for endpoint security products to detect and prevent, and for Zoom to fix the underlying issues, which they seem to be serious about doing. As a side note, there seem to have been some disagreements with researchers about priorities and timelines and disclosures resulting in some of these issues being brought to light as zero days. My experience of this is that one’s view is colored by one’s role in these conversations: researchers always seem to feel that vendors should move faster, while vendors always seem to feel like the researchers should have more patience and respect for the constraints of product release cycles. I don’t think this tension will ever fully resolve. Now that I’m not a vendor anymore, I have the luxury of not having to take a side.
  5. Zoombombing. This is essentially the Zoom equivalent of social media trolling / harassment. What happens is someone decides to disrupt a Zoom session by logging in and being disruptive in a number of ways (which, like social media harassment, can range from annoying to really kind of disturbing).
    Whether this is of real concern to you really depends on what you’re doing on Zoom and how sensitive you are about the nature of the disturbance. I think a lot of the concern is about educators with children on the line having disturbing content forced into the session.
    Generally the way to prevent this is not to reuse Zoom links, to require passwords, and to configure the session to disallow things like screen sharing by anyone but the host (though sometimes you need to let people screen share). You can also use a waiting room for joining so that the host approves each joiner. Zoom has created a good guide here.
    All of the above is a good example of trade-offs in usability vs. security. For example, making it so only the host can screen share can hamper collaboration between team members — sometimes you need to have someone else share. One thing I’d recommend to people hosting Zoom sessions is to do a dry run of muting people and kicking people off your Zoom so you don’t have to learn that on the fly.
  6. Privacy stuff related to Facebook. This may be heretical for someone who’s invested in privacy companies, but I think this issue is overhyped. Yes, Zoom, like a bunch of other iPhone apps, used the Facebook API. And, yes, Facebook is a train wreck on privacy. But a lot of Zoom users are free users, and if you’re getting a free product, you are not the customer, you are the product. Besides, they’ve removed it. And they might get a fine from one of the various regulators, if that comforts you.

My parting thought is that it’s worth remembering that Zoom has provided a lot of people free access to a critical product in a time of great need. They have made some mistakes, but they seem to be genuinely working to correct them. Maybe we can cut them a little slack.


Mark Kraynak is a technology executive, company builder and erstwhile poet/engineer. He’s currently a founding partner at Acrew Capital.