Zoom Security Vulnerability — All you need to know

Overview

Ever since the CoronaVirus a.k.a outbreak started in India, companies, organizations, schools and various institutes started asking employees, students to work and study from home. Various applications and platforms were used by the students, employee to work from home. One such application “Zoom” came into the light in Lockdown.

Since then , Zoom has become a popular app for meetings, online classes in India. The usage of the application became so much that it became an easy target for the attackers.

On 16th April 2020, MHA issued an advisory “MHA issues Advisory on Secure use of ZOOM Meeting Platform“ (https://pib.gov.in/PressReleseDetail.aspx?PRID=1615008) CyCord also issued the detailed “Advisory on Secure use of Zoom meeting platform by private individuals (not for use by government offices/officials for official purpose)”

Following are the concerns which were raised

Zoom leaking data to Facebook

“It was said that Zoom App is leaking the data to Facebook. It came to light because if you haven’t installed facebook application , still Zoom will leak data to facebook.”

What Happened ?

Such sort of data transfer is not uncommon for social media platforms such as facebook. There are 100 applications that use Facebook’s Software Development Kit (SDK) to implement various ease of use features in the application. As per the facebook SDK policy , it collects the data from the application who uses its SDK. Now the thing is that Zoom users may not be aware that it’s happening, nor understand that when they use one product, they may be providing data to another service altogether.

It was not found that Zoom was transmitting this information on purpose (for selling it) and the information which was leaked was just basic diagnostic information about the phone & tablets, for e.g screen size, storage space, orientation etc. There was nothing like usernames, passwords, phone numbers or other sensitive information being transmitted.

What Zoom did ?

Zoom has pulled the Facebook SDK from its iOS app for Apple platforms by removing the “Login with Facebook” feature.

Zoom and end-to-end encryption

“In a petition filed in Supreme Court, It was said that Zoom doesn’t support end-to end encryption which leads to eavesdropping”

What Happened ?

Zoom claimed to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. Zoom on his website mentioned that it provides Secure meetings with end-to-end encryption but Zoom does not actually implement end-to-end encryption in meetings . On asking a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. Above mechanism is also known as transport encryption, which is different from end-to-end encryption. It means that Zoom itself can access the unencrypted video and audio content of any Zoom meetings but no one else can do it.

What Zoom did ?

Zoom provided the following statement to The Intercept: “Zoom takes its users’ privacy extremely seriously. Zoom only collects data from individuals using the Zoom platform as needed to provide the service and ensure it is delivered as effectively as possible. Zoom must collect basic technical information like users’ IP address, OS details and device details in order for the service to function properly. Zoom has layered safeguards in place to protect our users’ privacy, which includes preventing anyone, including Zoom employees, from directly accessing any data that users share during meetings, including — but not limited to — the video, audio and chat content of those meetings. Importantly, Zoom does not mine user data or sell user data of any kind to anyone.”

Zoom and UNC paths

“A outrage came into notice that Zoom can hack your windows credentials”

What Happened ?

A tweet from @_g0dmode from March 23,came into notice which claimed that “#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users”. It means that if any user in the meeting clicks on the link, their windows username and NTLM credential hash might be sent across the internet.

What Zoom did ?

On 1st April 2020, Zoom announced a fix for the UNC path rendering issue. Even though addressing this bug was the right thing to do, it’s actually a security vulnerability in the way we normally think about security vulnerabilities. In a closed meeting like that, it is a little bit difficult to force a user to click on such a link by saying “Click here for free money”.

Also to get such NTLM password hash, the attacker must join the zoom meeting first and it is nearly impossible for an attacker to join a secure meeting with a waiting room, password etc.

Zoom and local privilege escalation

“A Local attacker can install a malware in the system”

What Happened ?

According to Patrick Wardle, a former NSA hacker, such attacks can be launched by a local attacker that’s where someone has physical control of a vulnerable computer. Once exploited, the attacker can gain and maintain persistent access to the innards of a victim’s computer, allowing them to install malware or spyware.

What Zoom did ?

As the above attack required physical access of the system, it became an external attack for the Zoom or we can say its out of bound from the security perimeter of the Zoom. A user must secure its local PC so that no unauthorized person can use system

Zoom, China, and more encryption snafus

“All the data of the Zoom Meeting and Zoom call is stored in Chinese Servers”

What Happened ?

Citizen Lab of the University of Toronto found a biggest technical finding that Zoom is using a form of encryption method called “Advanced Encryption Standard (AES) in Electronic Codebook (ECB) mode,”. Such an encryption method is not suitable for the use case like a video call. It makes the encryption key easier to guess and that is why Zoom doesn’t not support or enforces E2E encryption

Various blogs, research magazines showed headlines focusing on the threats given by Chinese government agencies having the ability to forcefully Zoom to provide key material and thus, decrypt Zoom conversations. A handful of the key servers used to establish Zoom call security are located in China, and Zoom employs some 700 Chinese researchers and product developers.

What Zoom did ?

The above issue or threat is not a concern for people who use zoom to keep in touch with friends, social events or organize lectures or knowledge sharing meetings.

Here we can see that , whenever a Zoom meeting is initiated , the device fetches a key which will encrypt audio and video. This key comes from Zoom’s cloud (some of them are deployed in China). It comes from a type of server known as a “key management system,” which generates encryption keys and distributes them to meeting participants. Each user gets the same, shared key as they join the meeting. The key is then transmitted to the zoom software on their device from KMS using another encryption system, TLS

According to a report, it was found that during a test call the encryption key “was sent to one of the participants over TLS from a Zoom server” which was located in Beijing.

Though Zoom is trying to improve the service upto the mark, we can say that the it’s service is not an end-to-end encrypted video call, and the company has access to all encryption keys and to all video and audio content traversing its cloud. There are 100% chances that government around the world could compel the company to hand over the copies of the data with the encryption key

• April 2, 2020: First post on Facebook, E2E, UNC, password prompts, and local privilege security .
• April 2, 2020: Zoom released version 4.6.19273.0402 for Mac OSX. This update probably fixes the pkg preinstall script issue described by Felix.
• April 3, 2020: Update regarding AES EBC and China

Conclusion

We can say that Zoom video conferencing is not suitable for meeting calls which involve high level national security meeting ,defence meeting, important government planning and execution meeting, discussion in favour of the nation. If these are your remote work activities , Zoom is not suitable for it.

Although Zoom video conferencing can be used for regular online classes, as a knowledge sharing platform and other company related work stuffs. Because for other countries government such Chinese, American or any other country you are just not that interesting

Resources

1. https://pib.gov.in/PressReleseDetail.aspx?PRID=1615008
2. http://164.100.117.97/WriteReadData/userfiles/comprehensive-advisory-Zoom-%20meeting%20platfom-20200412-(2).pdf
3. https://zoom.us/security
4. https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
5. https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/