Given the current restrictions caused by COVID-19 and the unprecedented increase in the need for secure remote access, there has been a corresponding increase in the use of common audio and video conferencing solutions, such as Microsoft Teams, Zoom, Webex and GoToMeeting. Whilst Zoom's features make it a popular choice, we would like you to be aware of some recent flaws that have been uncovered in Zoom’s client versions, according to researchers. The web conferencing platform vulnerabilities could give attackers some control of your systems, allowing them to access your information and / or microphone and camera.
Whilst some of these concerns relate to flaws in Zoom’s code, the majority of these attacks are targeting Zoom users with poor cybersecurity hygiene and / or incorrect privacy settings in Zoom.
Zoom has recently fixed a feature that came under fire for “undisclosed data mining” of user's names and email addresses, used to match them with their LinkedIn profiles. Per The New York Times, the tool also automatically allowed other meeting participants to covertly access this LinkedIn profile data, without Zoom asking for users’ permission or notifying them.
Zoom has also patched several recently-disclosed vulnerabilities – including two zero-day flaws uncovered this week in the conferencing platform’s macOS and Windows client versions, which could enable attackers to steal the Windows credentials of users.
Zoom claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. It has been suggested that it only offers what is usually called transport encryption. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
With millions of people around the world working from home in order to slow the spread of COVID-19, business is booming for Zoom, bringing more attention on the company from those with malicious intent wishing to find exploits in the platform. As such, we recommend the following:
- For internal or regular communication / collaboration with your own staff and vendors, utilise Microsoft Teams
- For external or consultative meetings, utilise platforms such as Zoom, Webex or GoToMeeting. If possible, use the professional / paid versions of the platform with additional administrative control
- If you are using Zoom, ensure that you always enable password protection on your meetings
We would also like to note that Zoom have stated they have paused all development on their platform to prioritise work on addressing any vulnerabilities. If you would like any further information about the above, or alternate platforms to Zoom, please do not hesitate to contact us.
If you would like to read further into the specific issues with the Zoom platform, you read further below:
https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/
https://theintercept.com/2020/03/31/zoom-meeting-encryption/