Home Ministry warns against Zoom. Should you continue using it?

Zoom is undoubtedly a compelling option, and it’s free! But nothing is free. The Ministry of Home Affaris has issued an advisory against it because of the security and privacy issues involved, should you continue using Zoom? But if you must, how much can it cost you?

Why do people use Zoom?

The coronavirus pandemic has changed the way businesses, organisations, and institutions go about their work. Country-wide lockdowns around the world have meant that not a single person, except essential services workers, can set their feet outsides their homes. Many organisations have even been forced to adapt to the situation, in order to survive, and come up with products befitting the situation.

The most essential part to keep this entire process ongoing is coordination between workers, which is forcing workers to flock to video conferencing solutions like Zoom, Skype, Microsoft Teams, etc. Since there are no more integrated workplaces and all are working from home, it simply means the attack surface has decentralised for hackers. Therefore, they are also trying to mend their ways to loot benign internet users. Apart from that, there are people using Zoom for hosting parties, religious events, and even a UK cabinet meeting, increasing the number of users exponentially.

Zoom is undoubtedly a compelling option for the work from home brigade. There are many pros. Among a few worth mentioning here are- it’s free to use yet gets things done, is feature packed, and it’s one of the easiest to use out there. This is the reason Zoom cropped up into everyone’s mind once the need to do a video conference arose. It won’t be wrong to suggest that many companies, given the uncertain situation, would have configured Zoom on their employees’ laptops before the lockdown kicked in, to keep the workflow sustained. Zoom, at present, attracts three times more use than Microsoft Teams.

How Zoom grew during the coronavirus?

Soon after the lockdown restricted everyone to their living quarters, an influx of new users pushed Zoom’s market cap as high as $42 billion. The platform grew from 10 million [1 crore] in December, 2019, to 200 million [20 crores] in March, 2020. The daily visitors to its download page witnesses a 535% increase in March.

However, the bullish trend could not sustain for long after security and privacy concerns bogged it down and the stock price dropped nearly 14.5% as of 7^th April, 2020. Soon, New York City Department of Education, NASA, SpaceX, Google, among many other organisations, banned zoom. The FBI warned against its use after it received reports of harassment while using the platform from teachers. Taiwan became the first country to ban Zoom and stated that if the platform is used, it would contravene the rules set out under its Cyber Security Management Act, 2019. On 16^th April, the Ministry of Home Affairs issued an advisory, after the CERT-In flagged high risk threats, stating that Zoom is not a safe platform and also laid down guidelines to ensure user safety.

Is Zoom that bad?

Yes. It is. Admittedly, Zoom was never designed for such wide scaled use.

“We did no design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. …We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate.”- Eric Yuan, CEO, Zoom Videocommunications Inc.

Mass adoption of the platform brought greater scrutiny of the service and numerous flaws came to the fore. So as it turns out, we have been using Windows to prevent house breakings. (Unintended Pun!) There are a number of shortcomings in the platform which have been recognised by security researchers. A few notable ones are:

• Fake end-to-end encryption– though Zoom offer the option to enable E-2-E and provides a green padlock that claims “Zoom is using an end to end encrypted connection”, in reality it does not use end to end encryption. End-to-end refers to data encrypted between calls, blocking out third parties-which includes the service provider. As a result, the company can see and use the data for things like targeted ads.

• Zoom Bombings– Uninvited attendees can access Zoom meetings and may harass participants.

• Zero day vulnerabilities– Zero day vulnerabilities are undetected vulnerabilities in any software. Since they are undetected, no defence is available against their exploitation. Two zero-day vulnerabilities for Windows and MacOS are being sold, including an RCE (Remote Code Execution) flaw [ideal to be deployed in industrial espionage cases] that paves the way for full PC takeover. Hackers are marketing this particular vulnerability for $500,000.

• Deleted, but not deleted– If any person clicked on the record function of the application, zoom and the cloud storage provider do not password protect the video by default. Even if one deletes the video from zoom account, it is not deleted for several hours before disappearing. The scarier part is that these videos can be searched using file names that Zoom automatically assigns to the file.

• Selling personal data– Zoom collected and shared extensive user data like videos, transcripts, and shared notes for personal profit. On March, 29, Zoom tightened its privacy policy to state that it doesn’t use data from meetings for any advertising. But it does use the data when people visit its marketing websites, including its home pages zoom.us and zoom.com.

• Sharing data with Facebook– Zoom’s iOS app, like many other apps using Facebook SDK, was found sending analytics data to Facebook even if the user doesn’t have a linked Facebook account. This feature was recently removed.

• Attendee Tracking– Zoom came under the lens for its “attendee tracking feature which , when enabled, lets a host check if the participants are clicking away from the main Zoom window during a call. On April 2, zoom permanently removed the feature. Likewise, a host of a zoom meeting can read private text messages sent during the call if it’s recorded locally.

• Malware functionality– Zoom uses a technique to install its Mac app, without user interaction using the same tricks that are being used by macOS malware, thus allowing the app to be installed without users providing final content.

• Data mining– Zoom was found using an undisclosed data mining feature that automatically matched user’s names and email addresses to their LinkedIn profiles when they signed in- even if they were anonymous or using a pseudonym on their call.

• Email leak– One report revealed that Zoom is leaking thousands of users’ email addresses and photos and letting strangers try to initiate calls with each other.

• zWarDial– Searches for open Zoom meeting IDs are finding around 100 meetings per hour that are not protected by any password.

However, just looking at the allegations won’t suffice for an assessment of your security needs. It would be nothing but justified to also look at the conduct of Zoom, both prior and after the fiasco.

How did Zoom handle the situation?

By shooting itself in the foot. The company fixed many issues after they came to light, tightened its privacy rules, and enhanced security features. It went on to clarify that the company only collects user data to improve the service and never allows its employees to access specific content in meetings and doesn’t sell any kind of user data. The company CEO himself confessed that “we recognize that we have fallen short of the community’s- and our own- privacy and security expectations.” The company proactively addressed user concerns and issued updates. It also self -imposed a 90-day feature freeze to focus on the security issues.

But, then the company confirmed the suspicion that it was perhaps using deceptive techniques by a very weird, hard to digest, explanation.

“When we use the phrase ‘end to end’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point.”

So what does this mean for an average Zoom user? It means that the company built trust on free to use features with minimum focus on security and privacy, while touting its security as one of the best. No matter what and for whom the company design the software for, if it’s available to the public for free, it doesn’t take rocket science to anticipate that the public is going to use it. Had people known about the flawed security practices, the platform would not have become an option in the first place, let alone the business enabler in the times of corona.

MHA WARNS AGAINST USING ZOOM. SHOULD YOU USE IT?

If something’s for free, you are the price. Nothing is for free. No matter how much we blame Zoom for its security and privacy overlook, the buck stops with us. The first reason is that Zoom needs to survive as a company. So how does it do that if we don’t pay? It uses our data to generate revenue through ads (or even sell the data), the data that it collects when we use its application. The second reason is, are we ever concerned for security and privacy? We only take reactive measures, if and when something bad happens to us. But security is all about being proactive. Do we put a door in our houses after we are robbed, or before the tragedy strikes? Most of the issues can be resolved with tightened security rules from the application itself.

Nevertheless, since the application has recently been listed on the security watch, it is certain that many more RCEs and vulnerabilities would arise in the coming days. It poses a great threat to you and your meeting partners. So should you continue zooming?

It depends.

It depends on the purpose you are using the application for, and the extent of security that you require for trouble free operations. Security is contextual. You don’t buy an ultra-secure locker, costing in lakhs, for securing a few thousand rupees. Similarly, using or not using zoom depends upon your needs. The vulnerabilities, as mentioned above, may be a deal breaker for some, and may not be for others. So here is the context of some of the known vulnerabilities.

• Fake end-to-end encryption– If you are using Zoom for casual meetings, either one on one or with a few participants, there’s no need to worry. But for private and sensitive meetings, it’s a big NO.

• Zoom Bombings– It’s not as big a security threat as it may sound. But imagine someone conducting an online class or a webinar, and an unknown user starts sharing pornography from his computer. It will be embarrassing and awkward. Your meeting would most likely end then and there, along with your reputation.

• Zero day vulnerabilities– Zero days are the most threatening vulnerabilities. It provides the hacker an opportunity to be creative. Remember WannaCry? It was a zero-day vulnerability. In these kind of attacks, the hackers don’t target a particular victim. They use methods to spread the infections as much as possible and the attack surface becomes so large that there is always somebody who is not willing to lose all their data and ends up paying the demanded ransom.

• Deleted, but not deleted– This is outright scary. Although not much for webinars and lectures, but for businesses it is a nightmare. However, disabling the feature would be enough of it.

• Selling and sharing data- Zoom has clarified that it does not sell any user data and does not let any employee access any specific content in the meeting. However, not letting an employee access content in the meeting, and not having data pertaining to meetings, are two distinct things.

• Attendee Tracking– Zoom has removed this feature, so no need to worry about it anymore.

• Malware functionality– This is a serious vulnerability. Since the application already has escalated privilege, an attacker can use the application for further attacks. For a normal user, it’s just another malware which you do not care about. Although it can steal credentials, credit card information, sensitive personal content, etc. For a business or high value user, you will be risking any data you store about your business or your company and so much is not worth risking for a free software. So it would be highly advised to stay away from Zoom.

No software is free of security vulnerabilities. Similarly, several serious vulnerabilities plague Zoom, which they have done in the past as well. Dubbed ‘prying eye’, a flaw discovered in October 2019 allowed cyber criminals to snoop on videos conferences run on the Zoom and Cisco WebEx platforms. So, it would not be wrong to say that Zoom is a just a legitimate software full of security vulnerabilities. The lack of prior scrutiny has suddenly made it a targeted platform. Although the quick response of the company to the discovered security flaws restores some credibility, the deceptive strategy used previously, many undisclosed vulnerabilities, and weird explanations make Zoom a tough product to recommend.

If you must continue with Zoom, how to protect yourself?

Many security issues can be mitigated by getting the basics right. Some mitigating strategies are:

• Update: Updates are the first line of defence to any attack. So update as early as possible, as frequently as possible.

• Use ‘waiting room option’: Set up meetings so that participants can’t join until you open it up.

• Take control over screen sharing: By default, any participant using Zoom can share their video, screen and audio. Limiting the screen sharing feature to the host would stop any Zoom bombing.

• Use random meeting IDs and set meeting passwords: Hackers are selling known meeting IDs, previously stolen ones and newly leaked ones, and attackers can use them. So use random meeting IDs and set passwords.

• Do not use the same means to send web link and password: Use one mean to send web link (email) and other to send the password (e.g. SMS just before meeting starts)

• Lock settings: Whatever setting you set as per your requirement, lock the settings, otherwise users can disable the setting in their personal settings.

• Pick proper passwords: New users are using passwords that have already been cracked elsewhere. One report, Cyble claimed to have acquired 53,000 accounts and passwords from a Russian speaking hacker at $0.002 per account.

• Disable file transfer

• From setting and controls, ensure removed participants are unable to rejoin meetings

• Restrict/ disable the call record feature

Or even better. Just use some other platform that has better security out of the box!

A special thanks to Adv. Bhagyashree Swami for her vital inputs towards this article!

Do subscribe to our Telegram channel for more resources and discussions on tech-law. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.

You can also follow us on Instagram, Facebook, LinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.

References:

1. CERT-In Advisory CIAS-2020-0010, ‘Secure usage of Zoom video conferencing application’. https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0010
2. CERT-In Advisory CIAD-2020-0011, ‘Multiple Vulnerabilities in Zoom Video’ Conferencing Application. https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2020-0011
3. ‘Managing participants in a meeting’. https://support.zoom.us/hc/en-us/articles/115005759423
4. IT Pro, ;FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike’, https://www.itpro.co.uk/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
5. The Hacker News, ‘Zoom caught in cybersecurity debate’. https://thehackernews.com/2020/04/zoom-cybersecurity-hacking.html
6. IT PRO, ‘Zoom admits meetings don’t use end-to-end encryption- IT PRO’. https://www.itpro.co.uk/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
7. CNET, ‘Your Zoom videos could live on in the cloud even after you delete them’. https://www.cnet.com/news/your-zoom-videos-could-live-on-in-the-cloud-even-after-you-delete-them/
8. IT PRO, ‘Hackers advertise critical Zoom Windows bug for $500,000’. https://www.itpro.co.uk/security/vulnerability/355339/hackers-marketing-critical-zoom-windows-client-bug-for-500000
9. CNN Business, ‘Zoom CEO apologizes for having ‘fallen short’ on privacy and security’. https://edition.cnn.com/2020/04/02/tech/zoom-ceo-apology-privacy/index.html]
10. The Print, ‘MHA says Zoom app not safe, issues guidelines for those who still want to use it’. https://theprint.in/india/mha-says-zoom-app-not-safe-issues-guidelines-for-those-who-still-want-to-use-it/403051/]
11. IT PRO, ‘Zoom admits meetings don’t use end-to-end encryption’. https://www.itpro.co.uk/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
12. IT PRO, ‘Zoom bombing” sends Zoom stock plummeting’, https://www.itpro.co.uk/marketing-comms/communications/355252/zoom-bombing-sends-zoom-stuck-plummeting
13. IT PRO, ‘Taiwan becomes first country to ban Zoom amid security concerns’. https://www.itpro.co.uk/software/video-conferencing/355257/taiwan-first-country-to-ban-zoom-amid-security-concerns?_mout=1&utm_campaign=i
14. DARK Reading, ‘WannaCry Detections At An All-Time High’. https://www.darkreading.com/endpoint/wannacry-detections-at-an-all-time-high/d/d-id/1335848