Zoom is facing scrutiny over vulnerabilities after it took advantage of the Coronavirus pandemic to quickly become the #1 video conferencing platform in the United States during the COVID-19 "Stay at Home" orders, and the remote meeting solution of choice for essential workers who have had to #WorkFromHome. "Zoombombing" was just the beginning; over the past month it became clear just how vulnerable Zoom actually is.
On paper, Zoom may be headquartered in the US (and listed on the NASDAQ), but the actual Zoom app appears to have been developed by companies in China which all have the name 软视软件 ("Ruanshi Software"). Two of the three companies are owned by Zoom as Chinese subsidiaries while the third is owned by a company called 美国云视频软件技术有限公司 ("American Cloud Video Software Technology Co., Ltd.").
In its most recent filing with the Securities and Exchange Commission, Zoom admits (through its Chinese affiliates) that it has at least 700 employees in China who work in "research and development." The SEC filing also indicates over 80% of the company's revenue comes from North America. Outsourcing development to China allows Zoom to reduce its expenses while increasing its profits.
On April 27th, the US Department of Homeland Security issued a warning that any organization currently using or considering using Zoom "should evaluate the risk of its use". The same day, Risk Based Security® (RBS), a global leader in vulnerability intelligence, breach data, and risk ratings, published an article including a list of corporations, governments, and educational institutions which have already banned or discontinued the use of Zoom.
TechCrunch explains how this is a small part of a much larger, sinister strategy of the Chinese Communist Party in an article it published on April 11th titled "China's next plan to dominate international tech standards".
On March 30th, the FBI Field Office in Boston reported that it received multiple reports of instances where malicious users hijacked Zoom Video-Teleconferencing (VTC) meetings, flooding the Zoom meetings with pornographic and/or hate images as well as threatening language.
The FBI's warning included several recommendations to reduce the risk of having your Zoom meeting hijacked:
As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. The following steps can be taken to mitigate teleconference hijacking threats:
• Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
• Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
• Manage screensharing options. In Zoom, change screensharing to “Host Only.”
• Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
• Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Source: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic (FBI.gov)
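The FBI's first four steps above amount to a checklist that an administrator can apply to every scheduled meeting. The following Python audit is an added example written for this page; it is not code from the FBI, Zoom, or RingCentral. The record layout (MeetingSettings and its field names, the "host"/"all" screen-share values) is a hypothetical schema invented for the example and is not the Zoom API; the minimum client version is an assumption taken from the version 5 release mentioned later on this page, and the two sample records are constructed.

```python
# Added example: audit constructed meeting-settings records against the FBI's
# mitigation steps. The record layout (field names, value strings) is a
# hypothetical schema made up for this example; it is NOT the Zoom API's.
from dataclasses import dataclass, field
from typing import List, Tuple

# Minimum client version we accept. Assumption: Zoom version 5 shipped on
# April 8th, so anything older is treated as out of date.
MIN_CLIENT_VERSION: Tuple[int, int, int] = (5, 0, 0)


@dataclass
class MeetingSettings:
    meeting_id: str
    password_required: bool
    waiting_room_enabled: bool
    screen_share: str            # "host" or "all" (hypothetical values)
    link_posted_publicly: bool   # was the join link put on an open social media post?
    client_versions: List[str] = field(default_factory=list)  # versions seen from participants


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.0.2' into (5, 0, 2) so versions compare numerically, not as strings
    (a plain string compare would wrongly rank '4.6.7' above '10.0.0')."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def audit_meeting(m: MeetingSettings) -> List[str]:
    """Return a list of findings; an empty list means every recommendation is met."""
    findings = []
    # Step 1: the meeting must not be public: a password OR a controlled waiting room.
    if not (m.password_required or m.waiting_room_enabled):
        findings.append("public meeting: require a password or enable the waiting room")
    # Step 2: join links go directly to specific people, never to open social posts.
    if m.link_posted_publicly:
        findings.append("join link posted publicly: send it directly to invitees instead")
    # Step 3: screen sharing restricted to the host.
    if m.screen_share != "host":
        findings.append(f"screen sharing is '{m.screen_share}': set it to host only")
    # Step 4: every participant on an up-to-date client.
    wanted = ".".join(str(n) for n in MIN_CLIENT_VERSION)
    for v in m.client_versions:
        if parse_version(v) < MIN_CLIENT_VERSION:
            findings.append(f"outdated client {v}: update to {wanted} or newer")
    return findings


# Constructed sample records (not real meetings): one weak, one hardened.
WEAK = MeetingSettings("111-222-333", False, False, "all", True, ["4.6.7", "5.0.0"])
HARDENED = MeetingSettings("444-555-666", True, True, "host", False, ["5.0.2", "5.0.0"])

if __name__ == "__main__":
    for rec in (WEAK, HARDENED):
        print(rec.meeting_id, audit_meeting(rec) or ["ok"])
```

Run it directly and the weak record produces four findings (public meeting, public link, open screen sharing, one outdated client) while the hardened record produces none; the fifth FBI step, a written telework policy, is an organizational control and is deliberately not something a settings audit can check.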
On April 1st it was reported that account information for over 500,000 compromised Zoom accounts was for sale on the Dark Web, including email addresses, passwords, personal meeting URLs and host keys. Source: Over 500,000 Zoom Accounts for Sale on the Dark Web (Dashlane)
On April 16th, the Republic of India's Ministry of Home Affairs issued an advisory that Zoom "is not a secure platform" for private use, having advised all government offices not to use Zoom for any purpose because it had been discovered that the application's data was being sold to foreign governments such as the People's Republic of China.
In mid-April the British Government and Parliament were told by the country's intelligence agencies not to use Zoom for confidential business, "due to fears it could be vulnerable to Chinese surveillance." The UK's National Cyber Security Centre (NCSC) issued an explicit warning to "not use [Zoom] to talk about things detrimental to the interests of China".
Zoom released its new version 5 on April 8th with improved encryption and privacy controls, along with features to prevent "Zoombombing". The same day, The Citizen Lab (University of Toronto) released a report disclosing an issue with the Zoom "Waiting room": Zoom's servers provided both the meeting's encryption key and a live video stream of the meeting to every user sitting in the waiting room, even when those "waiting" users had not been approved to join. An arbitrary, unauthorized Zoom user in a waiting room could therefore intercept and decrypt the "encrypted" video content.
In an earlier report on April 3rd, The Citizen Lab disclosed discrepancies between the security claims in Zoom's documentation and how the product actually works. In short, Zoom's encryption was found to be neither well designed nor well implemented.
"The AES-128 keys, which we verified were sufficient to decrypt Zoom packets intercepted in Internet traffic, appeared to be generated by Zoom servers, and in some cases, were delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, were outside of China. This finding is significant because Zoom is a company that primarily serves customers in North America and sending encryption keys via servers in China may potentially open Zoom up to requests from authorities in China to disclose the encryption keys."
The Citizen Lab's report went on to discourage the use of Zoom wherever confidentiality or privacy is a concern:
Based on the findings of our April 3 report, we discourage the use of Zoom in cases where strong confidentiality and privacy is required, including:
• Governments worried about espionage
• Businesses concerned about cybercrime and industrial espionage
• Healthcare providers handling sensitive patient information
• Activists, lawyers, and journalists working on sensitive topics
April 9th, 2020: Time Magazine reports "Foreign Spies are Targeting Americans on Zoom and other video chat platforms, U.S. Intel Officials say."
April 3rd, 2020: "Zoom's Encryption is 'Not Suited for Secrets' and Has Surprising Links to China, Researchers Discover" (The Intercept)
RingCentral recently replaced its white-label version of Zoom, "RingCentral Meetings", with its own secure, integrated video conferencing solution, "RingCentral Video", announced April 2nd, 2020. RingCentral is allowing existing customers to switch from RingCentral Meetings to RingCentral Video without incurring any additional costs. RingCentral Video offers integrated video conferencing, screen sharing, and team messaging.
Insercorp, in partnership with RingCentral, is currently offering RingCentral Office (which includes RingCentral Video) free for 3 months for government, healthcare providers, political organizations, non-profits, educational institutions, and news media. Read the announcement to learn more.