Online platforms have served as virtual conference rooms for months now, as the COVID-19 pandemic continues to require many to work from home. The remote-working strategy has also increased the public’s attention to the privacy of online meeting tools, putting the security and privacy issues of these tools under the spotlight.

Thousands of recordings exposed

Recently, thousands of online meeting recordings, most of which seem to be associated with Zoom, were found to be online with no protection at all. A taped one-on-one therapy session, a K12 class with children, and an aesthetician’s training sessions were just a few of the videos exposed. Many of the videos include personally identifiable information (PII) including voices, faces and contact numbers of the attendees as well as company confidential data.  

The files were not found on Zoom’s servers [1], rather discovered on random servers including S3 Amazon buckets across the internet. Because of a generic naming convention associated with the meeting app, one can easily find these media streams through a simple search on the web. The content of the discovered files scrambled serious privacy concerns among privacy advocates and professionals. 

Following record-breaking downloads of meeting applications, Eric Yuan [2], CEO of the Zoom, announced, “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home.”  

In a weekly Zoom webinar on April 8th, Yuan announced Zoom will freeze any new features over the next 90 days, solely focusing on fixing security and privacy issues. In the meantime, they plan to expand demos and training sessions to educate new users on new use cases, such as online K-12 classes. Zoom also updated its privacy policy to more understandable language universally, and disabled any known privacy-violating features, such as “attention tracking.”

Consenting for the recording?

Currently, there is no feature for Zoom members to give their consent for session recordings, and the recording disclaimer is only shown to members if enabled in the settings. If the recording disclaimer is enabled, users are notified of activating recordings and have the option to leave the meeting.

As the privacy of Zoom and other online meeting tools received national attention, Attorney Generals [3] for Connecticut, New York and Florida started to look into privacy practices of Zoom particularly. “We are alarmed by the Zoom-bombing incidents and are seeking more information from the company about its privacy and security measures in coordination with other state attorneys general,” Connecticut Attorney General William Tong said. Similarly, a letter sent by the New York attorney general’s office explains “… Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network. While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices.”

More on Privacy

A recent investigation by Motherboard [4] also revealed Zoom’s iOS app was sending personal data to Facebook, even if individuals did not have a Facebook account. This data includes location, the type of device used, advertising identification data, and the email addresses of “at least a few thousand people.” 

These vulnerabilities were not made clear in the app’s privacy policy until recently. Following media attention, Zoom immediately took action to remove the Facebook SDK in iOS clients on March 27th. On March 29th, the privacy policy was updated to be more transparent to users. 

Zoom uses TRUSTe certification along with compliance to the EU-U.S. Privacy Shield Framework. If a US company declares compliance with Privacy Shield Framework, it needs to be GDPR-compliant in its privacy policy and practices.

This type of compliance essentially requires disclosure of the type of data collected as well as the purpose for the data collection. How long the data is stored, what security measures are in place to protect the data in transit and at rest, and transfer to third parties are among the obligations that data collectors make clear to users.

Businesses and individuals need to thoroughly read privacy policies before using a new application.  Although it is hard to say whether the privacy policies and transparency fully meet consumer expectations for each platform, GDPR and recently enacted US State Laws, such as CCPA, now help protect users in terms of privacy and consumer rights. 

With a proliferated use of remote working apps, the privacy of vendors is an even more integral part of the vendor security risk assessment process. Among the 19 cyber rating categories, the Black Kite® Information Disclosure category analyzes the privacy policy of a vendor and derives the key elements that need to be disclosed to application users. According to a recent cyber rating study on the most trending online meeting applications, the Information Disclosure category was among the lowest scored categories. 

End-to-end Encryption Or Transport-Layer Encryption

End-to-end encryption has become an expectation for communication platforms, especially during the COVID-19 pandemic. Apple’s FaceTime, an example of group video conferencing using end-to-end encryption (E2E), most meeting platforms do not provide this feature to its users.

Recently, a Zoom spokesperson revealed [5], “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.” Most platforms, like Zoom, only encrypt the user-server communication, which is Transport layer security. The content is decrypted as it enters the Cloud. 

In reality, video conferencing is difficult to encrypt end-to-end. The service provider has to detect who is talking, which only allows the platform to send a high-resolution video stream from the person who is talking in that given moment. It seems FaceTime [7] stands as the only app encrypting end to end for both one-on-one and group calls, although details as to how they accomplish this encryption have not been revealed.

GoToMeeting, another popular online meeting tool, claims to have multiple layers of strong cryptography. It provides an additional layer of encryption for session data, independent of those provided by TLS. Declared in its HIPAA Compliance Guide [6], “GoToMeeting provides true end-to-end data security that addresses both passive and active attacks against confidentiality,” by using AES-128 bit encryption. It is not clear how mechanisms such as key agreement and key renegotiation work.

Authentication

Most online platforms enable role-based authorization, depending upon the ability to correctly identify and authenticate every user. When logging into the application or system, most require a minimum of eight-character passwords including both uppercase and lowercase letters, and numbers to make the passwords hard to crack. Passwords stored in servers should be resilient to offline dictionary attacks. Captcha protection is a recommended remediation against online brute-force attacks. Multi-factor authentication should always be enabled as an extra layer of security, both against bots and stolen credentials where possible.

Network Security

Which network controls are in place to secure the infrastructure and backend servers are also critical. With businesses leveraging these services as part of their business-as-usual activities, it means they are extending their perimeter to their SAAS vendors. Infrastructure security should be continuously monitored both as an outside-in approach and internally.

Recent Vulnerabilities

In June 2019, the security researcher Jonathan Leitschuh [8] discovered an exploitable remote 0day vulnerability in the Zoom client for Mac, which “allow[ed] any malicious website to enable your camera without your permission”.  Using this vulnerability, a user could be forced by any website to join a Zoom call and activate the camera without his/her permission.

In addition, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

If a user has previously installed Zoom, and then uninstalled the application, a localhost web server still runs on the user machine that will re-install Zoom without requiring any user interaction. Following this finding, Apple pushed an update to all Macs removing the web server installed by Zoom using the built-in Malware Removal Tool. The associated vulnerability codes are  CVE-2019-13449, CVE-2019-13450 and were recently patched by Zoom.

Some Good Practices for Businesses and Individuals

For businesses, it’s obvious the attack surface has extended with the proliferated use of online meeting tools among employees.  

Some organizations, such as German Foreign Ministry [9], announced the restriction of the use of Zoom in an internal memo due to its security and privacy issues. The restriction currently scopes to confidential meetings as the application lacks end-to-end encryption. As the majority of the population continues to work remotely, we expect to hear more on the security and privacy issues of these applications.

In the meantime, Black Kite recommends several good practices in order to maintain the privacy of conversations and reduce the attack surface. 

For Businesses:

1. Keep an inventory of your SAAS vendors  including video conferencing apps

2. Continuously monitor your SAAS vendors and assess their risk 

3. Understand the encryption strategies for these apps; whether it is end-to-end encryption or just the transport-layer encryption

a. Decide which model you need

b. Beware of files, messages sent through the meeting application

c. Encrypt sensitive data/files offline before sending through the meeting application

4. Check privacy policies

5. Increase employee awareness 

For Self-Employed Individuals:

1. Update to the latest versions of apps to get the full benefit of settings

2. Learn the application and the privacy and security settings

3. Keep meeting invitations private against uninvited guests 

4. Enable passwords on meetings where possible

References:

[1] https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/

[2] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

[3] https://lawstreetmedia.com/tech/three-attorneys-general-question-zoom-about-security/

[4] https://www.vice.com/en_us/article/k7e95m/zoom-leaking-email-addresses-photos

[5] https://theintercept.com/2020/03/31/zoom-meeting-encryption/

[6] https://logmeincdn.azureedge.net/gotomeetingmedia/-/media/pdfs/gotomeeting-hipaa-compliance-guide-092017.pdf

[7] https://www.apple.com/privacy/features/

[8] https://objective-see.com/blog/blog_0x56.html

[9] https://www.reuters.com/article/health-coronavirus-germany-zoom/german-foreign-ministry-restricts-use-of-zoom-over-security-concerns-report-idUSS8N2BH023