Zoom meetings: the very popular but not very secure videoconferencing service
Zoom is a video-conferencing application that allows you to create a video meeting in a matter of seconds where you can see your colleagues, send text messages and files, as well as share your PC’s desktop and application views.
Security breaches, questionable development techniques, murky marketing… The new darling of teleworkers in lockdown is far from being a panacea in the world of videoconferencing.
What should we really think about Zoom? Since half the world went into lockdown, this videoconferencing service has been steadily gaining in popularity, apparently with good reason.
The interface is pleasant and the audiovisual quality is of a very good level. But more and more shadows are appearing in the picture, in terms of security and protection of personal data.
Last week, as you may recall, the company had to backpedal several times. According to the Vice site, its iOS application was sharing user data with Facebook without this being clearly disclosed.
At the same time, a Harvard researcher warned in a blog post about Zoom’s potential sale of personal data for advertising purposes.
Last Friday, the app was updated to stop this exchange with Facebook. In the wake of this, the company modified its personal data protection policy by adding the following sentences:
“Zoom does not monitor or use customer content for any reason other than the provision of our services. Zoom does not sell customer content to anyone and does not use it for advertising purposes.” End of controversy? Not really.
Is Zoom a safe app?
The Intercept site has now revealed that Zoom’s audio and video communications are not encrypted end-to-end, despite the company’s strong suggestion to that effect on its website and in a technical white paper.
In its words, this would make it possible to “secure a meeting with end-to-end encryption.” But in reality, only instant messaging can be end-to-end encrypted.
Audio and video streams are only encrypted with TLS between the client endpoints and Zoom’s servers, as is the case for any other secure website.
The company can therefore, in theory, listen to and view the content of meetings… and government authorities can do the same if they wish.
Zoom’s marketing communication is therefore far from clear on this subject, probably because the company is trying to hide this technical weakness.
Other services offer end-to-end encryption. This is the case, for example, for Signal voice calls and Apple FaceTime audio and video conferencing.
Security researcher Matthew Green told The Intercept that end-to-end encryption of a multi-person video conference is difficult to achieve because you need to be able to detect who is talking in real time.
When everything is encrypted, you have to implement specific mechanisms, which is “doable, but not easy,” he says.
And that’s not all. Time and time again, we discover bugs and quirks in Zoom’s software. The Vice site has just revealed that people who shared the same domain name in their e-mail addresses were automatically grouped together in the same address book.
They could, therefore, access profile information and make video calls to complete strangers.
At the company level, this may make sense, but for personal addresses issued by Internet service providers it makes much less sense.
The Zoom developers had the presence of mind to exclude addresses from large providers such as Gmail, Yahoo or Hotmail, but they obviously didn’t think about the other cases.
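The grouping flaw described above comes down to a design choice: a deny-list of known shared providers versus an allow-list of domains verified as belonging to one organisation. The following is an added example (not Zoom’s code) with constructed addresses and domain lists; it shows how a deny-list silently groups strangers who share an ISP domain that nobody thought to list, while an allow-list only groups addresses from domains an administrator has verified.

```python
# Added example: deny-list versus allow-list for grouping contacts by e-mail domain.
# All names, domains and lists below are constructed for illustration.

# Deny-list of well-known shared mail providers (constructed and deliberately
# incomplete, like any real deny-list will be).
SHARED_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Allow-list of domains an administrator has verified as belonging to a single
# organisation (constructed).
VERIFIED_ORG_DOMAINS = {"example-corp.com"}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].lower()


def group_by_deny_list(emails):
    """Group every address by domain unless the domain is a known shared provider.
    Any shared domain missing from SHARED_PROVIDERS (e.g. an ISP) is grouped anyway."""
    groups = {}
    for e in emails:
        d = domain_of(e)
        if d in SHARED_PROVIDERS:
            continue
        groups.setdefault(d, []).append(e)
    return groups


def group_by_allow_list(emails):
    """Group only addresses whose domain was explicitly verified as an organisation domain.
    Unknown domains, shared or not, are never grouped."""
    groups = {}
    for e in emails:
        d = domain_of(e)
        if d not in VERIFIED_ORG_DOMAINS:
            continue
        groups.setdefault(d, []).append(e)
    return groups


# Constructed sample: two colleagues, two Gmail users, and two strangers who
# happen to use the same (fictional) ISP mail domain.
SAMPLE = [
    "alice@example-corp.com", "bob@example-corp.com",
    "carol@gmail.com", "dave@gmail.com",
    "erin@example-isp.net", "frank@example-isp.net",
]

if __name__ == "__main__":
    print("deny-list :", group_by_deny_list(SAMPLE))   # strangers at example-isp.net grouped
    print("allow-list:", group_by_allow_list(SAMPLE))  # only the verified domain grouped
```

The deny-list version reproduces the reported behaviour: the Gmail users are excluded, but the two example-isp.net strangers land in one address book. The allow-list version fails closed, which is the safer default when the cost of a wrong grouping is exposing profiles to strangers.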
A vulnerability in the Windows client
Hackers have also just found a rather simple vulnerability in the Windows client. The instant messaging feature allows external links in the Windows network path format to be injected into a chat.
If the user clicks on one, the person controlling the external server in question can retrieve a hash of the user’s password, data that a hacker can often crack quite easily.
On macOS, Zoom’s reputation has long been quite deplorable. In July 2019, remember, a security researcher revealed that any website could activate a Mac user’s webcam, because Zoom had installed a persistent local web server on the computer that the user neither saw nor knew about.
A quirk that Apple finally removed by force through an emergency update.
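The Windows client issue above is a link-rendering problem: chat text in the Windows network path (UNC) format was turned into a clickable link. The defensive fix is for the chat renderer to allow-list the schemes it will linkify rather than linking anything that looks like a path. The following is an added example (not Zoom’s code): a small linkifier that only makes http and https targets clickable and leaves UNC paths and file: URLs as plain text, with constructed sample messages.

```python
# Added example: scheme allow-listing for chat links. The regular expressions and
# sample messages are constructed for illustration; this is not Zoom's code.
import re

# A Windows network path: two leading backslashes, a host, optionally \share\... .
UNC_RE = re.compile(r'^\\\\[^\\/\s]+(\\[^\s]*)?$')
# file: URLs also resolve to local or network shares and get the same treatment.
FILE_URL_RE = re.compile(r'^file:', re.IGNORECASE)


def is_network_path(target: str) -> bool:
    """True if a chat token points at a local or network file share."""
    return bool(UNC_RE.match(target) or FILE_URL_RE.match(target))


def linkify(message: str, allowed_schemes=("http", "https")):
    """Split a message on spaces and return (text, href) pairs.

    Only tokens whose scheme is on the allow-list become links (href == text);
    everything else, including UNC paths and file: URLs, is returned with
    href None so the renderer shows it as inert text.
    """
    segments = []
    for token in message.split(" "):
        if is_network_path(token):
            segments.append((token, None))
            continue
        scheme = token.split(":", 1)[0].lower()
        if "://" in token and scheme in allowed_schemes:
            segments.append((token, token))
        else:
            segments.append((token, None))
    return segments


def clickable_targets(message: str):
    """Convenience view: just the hrefs the renderer would emit for a message."""
    return [href for _, href in linkify(message) if href is not None]


if __name__ == "__main__":
    # Constructed sample chat lines.
    samples = [
        r"notes are at \\example-host\share\notes.txt",
        "file://example-host/share/notes.txt",
        "agenda: https://example.com/agenda and \\\\other-host\\c$",
    ]
    for s in samples:
        print(s, "->", clickable_targets(s))
```

Usage: `clickable_targets(message)` returns only the https link for the third sample and nothing for the first two, which is the behaviour a chat client should have had from the start. Allow-listing schemes is preferable to trying to deny-list every dangerous path syntax, for the same reason the e-mail domain grouping above failed: the deny-list is never complete.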
Techniques worthy of a hacker
But this is not the end of the bad practice. In a Twitter thread, another security researcher has now analyzed the installation procedure of the current software client on macOS.
The finding: to make installation more convenient for the user, Zoom’s developers do not hesitate to use techniques worthy of a hacker.
All these discoveries show that while Zoom’s engineers have succeeded in creating powerful videoconferencing software, security and personal data protection were not really at the heart of their concerns. Let’s hope that this will change.