The business landscape has undergone a sudden, drastic shift to remote access, in order to cope with the current social isolation requirements. Commensurately, the usage of video conferencing applications has skyrocketed. Perhaps the video conference tool that has most benefited from this change in business model is Zoom. The company has seen a huge boost in popularity, with reports of up to a 535% increase in traffic.
Wide adoption can help reduce the burden of continued operations challenges faced by a company, and a simple, reliable and flexible platform is an IT teams dream. In spite of this, a number of security concerns persist within the Zoom platform, which should be taken into account when looking to implement within an organisation’s operations.
Challenges in vulnerability remediations
The core security concerns raised around the Zoom platform to date, related to the ability to perform video-chat hijacking, insufficient end-to-end encryption, and a number of recently discovered vulnerabilities within the client installed on a user’s device. One issue previously identified within the software, related to privilege escalation on Mac OSX device, which may be leveraged to achieve malicious code execution, or in the case of a malicious actor, be used as an entry point into an organisation’s wider infrastructure. Another concern related to sensitive information disclosure that may be allow an attacker to manipulate a user into leaking their user credentials inadvertently.
Ever Evolving Threats
While these issues had been previously identified and were obviously a concern for people using the platform, with such a significant increase in user base, this has led to security researchers and malicious actor seeking to identify attack vectors within the software to target users. This has resulted in three Zero-Day vulnerabilities in the software being identified and publicised during the first 3 days of April 2020. The first two vulnerabilities may allow an attacker to inject malicious code within a Zoom installer to achieve privilege escalation. This may be used in tandem with other attack vectors such as a phishing attack to target individuals or organisations.
Another vulnerability identified may allow a malicious actor to perform a malicious code injection attack that would give the attacker equivalent access rights to that of the Zoom application, meaning they would be able to intercept and spy on users via the microphone and web cam used as part of the chat.
The final issue, which was raised publicly on April 3rd 2020, related to the use of inadequate data encryption, which appeared to be an in-house implementation. It is highly recommended to avoid ‘rolling your own’ cryptography implementation and to use established and comprehensively reviewed methods that are widely available. The encryption implementation Zoom use was determined to contain flaws which in some instances may allow encrypted data that has been intercepted to be decrypted.
Slow start, but a rapid response
While Zoom have acknowledged the presence of these issues and have announced publicly that they are in the process of resolving them, concerns persist about the nature of their ongoing security activities and processes. Security researchers have been critical previously of the response times between disclosure of bugs and remediation by the company. On March 30th 2020, New York’s attorney General, Letitia James, contacted the company requesting an outline of the security measures that Zoom are undertaking to resolve these issues, as well as safeguard the platform, particularly due to the swell in its user base. Zoom published an open letter on their public blog detailing the steps they have taken already, as well as steps they will be taking over the next 90 days to improve the security posture of the platform as a whole.
The steps highlighted will include a freeze on new features to allocate developers to resolving open security issues and platform hardening. They intend to engage with third parties such as security architects and penetration testing firms to perform audits and security assessments on the platform, enhancing their existing bug bounty platform and employing methods of transparency with users to allow them to understand what is done with their data, and whom it may be shared with. They have also released security fixes for Mac OSX and Microsoft Windows clients to remediate a number of the vulnerabilities publicised.
In reality, while the flaws raised publicly so far are concerning, they should be considered in context. Many of them require at least a low privileged user account on local devices, which may significantly reduce the likelihood of a successful device compromise, unless another attack is successful to gain that initial access. In the matter of the encryption implementation, the significant resources required for a successful attack to be performed make it a fairly low risk attack vector, and the majority of users would be unlikely to be legitimate targets.
As with any adoption of new conferencing technology during this period of change, organisations should ask themselves if they are comfortable with what is being discussed over the conferencing platform and what adverse impact could intentional or unintentional disclosure of that content cause the business.
Further consideration should be given to any risks that the installation of software could bring to the integrity of end point devices. While Zoom are now clearly in the headlights, and will undoubtably take additional steps to assure organisations that they can deliver, so the increased attention is likely to result in further security concerns being identified.
Matthew Linney (Senior Consultant)