Intelligence Rating: A1
Zoom Security Concerns
Key Takeaways
- Zoom’s privacy policy allows it to gather PII such as physical address, job information, computer or phone specifications and more. [1]
- Encryption of meetings is not end-to-end, contrary to the company's claims. [1]
- Uses AES-128 in "Electronic Codebook Mode" (ECB), a mode which is considered insecure. [1]
Zoom usage began to increase sharply in early March as countries went into lockdown because of the COVID-19 pandemic and organisations moved large numbers of staff to working from home.
With more people worldwide using Zoom to host or attend meetings, many unwittingly expose their PII because of the platform’s lacklustre privacy policy.
Zoom fails to meet expected security standards because the platform does not use the common definition of “true end-to-end encryption” but rather its own definition, which is considered insecure [1]. For more detail on Zoom's definition of end-to-end encryption, refer to their blog post [2].
On April 1st, Zoom CEO Eric S. Yuan stated in a blog post that Zoom is “Enacting a feature freeze, effectively immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.” [3]
Until the platform is more secure, it is recommended to lock one’s settings down as much as possible and follow recommended practices [4] or avoid using it whenever possible.
Details
According to CEO Eric S. Yuan, the use of Zoom has increased rapidly since March, from 10 million users a day to 200 million. Many people are transitioning to working from home because of country- or state-wide lockdowns related to COVID-19, and are using the platform to hold meetings and stay connected.
According to its privacy policy, Zoom collects a large amount of PII from users, including: username, physical address, email address, phone number, job information, Facebook profile information, computer or phone specifications, IP address, as well as any other information created or uploaded during a meeting. This is acquired via cookies, which one can opt out of with some effort [5].
Zoom advertises a capability for "end-to-end encryption" utilising AES-256. Analysis of the software and protocol has, however, revealed that it is not true "end-to-end encryption", as the data is decrypted on Zoom's servers.
Additionally, their encryption mechanism utilises AES-128 in "Electronic Codebook Mode" (ECB), with the same key used for all parties in the call. ECB mode for AES is considered insecure because it leaks significant amounts of information about the plaintext: every identical plaintext block produces an identical ciphertext block, so patterns in the data remain visible in the ciphertext.
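The following Go program is an added illustration of that ECB weakness; it is not part of this brief or of any cited source, and uses only the Go standard library. It encrypts a constructed payload of identical 16-byte blocks under AES-128 in ECB mode and, for contrast, in CBC mode, then counts how many ciphertext blocks repeat; the key, IV and payload are constructed constants, not values taken from Zoom.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptECB applies AES to each 16-byte block independently, which is all
// "Electronic Codebook" mode is: under one key, equal plaintext blocks always
// give equal ciphertext blocks. No padding, so length must be a block multiple.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key (%v) or plaintext length %d", err, len(plaintext))
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// countRepeatedBlocks returns how many ciphertext blocks are exact copies of an
// earlier block (total blocks minus distinct blocks). A non-zero count exposes
// plaintext structure and is the classic fingerprint of ECB.
func countRepeatedBlocks(ct []byte) int {
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	return len(ct)/aes.BlockSize - len(seen)
}

// leakDemo encrypts a constructed payload of n identical blocks (think of a
// static video background repeated within one stream) with AES-128 in ECB and,
// for contrast, CBC, returning the repeated-block counts as (ECB, CBC).
func leakDemo(n int) (int, int) {
	key := []byte("0123456789abcdef") // constructed 16-byte AES-128 key
	iv := []byte("fedcba9876543210")  // constructed IV; real CBC needs a random one
	plain := bytes.Repeat([]byte("STILL BACKGROUND"), n)
	ecb, _ := encryptECB(key, plain) // length is n*16, so no error here
	block, _ := aes.NewCipher(key)
	cbc := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cbc, plain)
	return countRepeatedBlocks(ecb), countRepeatedBlocks(cbc)
}
```

With four identical input blocks, `leakDemo(4)` returns 3 repeated blocks for ECB and 0 for CBC: the chained mode hides the repetition that ECB exposes.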

References
[1] Security and Privacy Implications of Zoom - Schneier on Security
[2] The Facts Around Zoom and Encryption for Meetings/Webinars - Zoom Blog
[3] A Message to Our Users - Zoom Blog
[4] The Complete Guide to a Secure Zoom Experience - Zoom Blog
[5] https://blogs.harvard.edu/doc/2020/03/28/more-zoom/
Source Ratings
| Code | Rating | Definition |
|---|---|---|
| A | Reliable | No doubt about the source's authenticity, trustworthiness, or competency. History of complete reliability. |
| 1 | Confirmed | Logical, consistent with other relevant information, confirmed by independent sources. |