Sunday 5 April, 2020
Zoom needs to up its game — it’s playing in the big league now
This morning’s Observer column:
Then there’s the issue of security, and of encryption in particular.
“We take security seriously and we are proud to exceed industry standards when it comes to your organisation’s communications,” says the Zoom website. Any host of a meeting can “secure a meeting with end-to-end encryption”. Well, that’s not quite right, at least if by “end to end” you mean encryption where the service provider has no way of decrypting the content (as, say, with WhatsApp or Signal). The encryption on Zoom communications at the moment is the kind that protects your communications with any website with ‘https’ in its URL. But the content is unencrypted while it is passing through Zoom’s cloud servers.
There may be good reasons for this, but at the very least the company’s website shouldn’t be making exaggerated claims about encryption. It should privilege facts over marketing puffery.
And the moral of all this? Zoom is providing a service of real value in these desperate times, but it needs to grow up. It’s playing in the big league now.
It’s Zoom, Zoom, Zoom all day long
Rumours, facts, misunderstandings and hearsay about the supposed (in)security of Zoom conferencing has been rife for the last week. Lots of my friends and acquaintances have been asking me about it, in the (mistaken) belief that I know lots about it. I don’t. I only know what I read from trusted and knowledgeable sources.
The Citizen Lab report
Top of my list in this regard is the Citizen Lab at the Munk School of the University of Toronto. It was founded by Ron Deibert, who is a hero of mine, and has for years done sterling work on detecting and unearthing the tools that unscrupulous regimes and companies have developed for snooping on human rights activists, journalists and other good folks. They have now completed a pretty thorough investigation of the cryptographic protocols at the heart of Zoom’s service and published an illuminating report. It makes for fascinating reading if you’re a geek, but the gist is that their research shows that (contrary to the company’s public claims to the contrary) Zoom uses non-industry-standard cryptographic techniques with identifiable weaknesses and is thus not suitable for sensitive communications. But it seems ok for non-sensitive uses.
There are also potential security issues with where Zoom generates and stores cryptographic information. While based in Silicon Valley, Zoom owns three companies in China where its engineers develop the Zoom software. Its AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, are transmitted by Zoom servers to all meeting participants. In some of our tests, our researchers observed these keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.
Given the sudden embrace of Zoom by a wide range of sectors across society, it is reasonable to assume that many government’s signals intelligence agencies, as well as criminals, will be subjecting Zoom to the type of analysis we did. Some of them may choose to privately exploit those weaknesses for nefarious purposes and with harmful consequences.
As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:
Government communications Proprietary or confidential business activities Healthcare providers handling sensitive / confidential patient information Human rights defenders, lawyers, journalists, and others working on sensitive topics
But the good news is that
For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.
This is a relief because it’s more or less what I’ve been saying to friends and family. It was based on a hunch that the vulnerabilities in the Zoom system would be mainly of interest to state-level actors.
On the other hand, I hadn’t known of the extent to which Zoom’s development work is being done in China, or that data packets and encryption keys seem to pass through servers that are based there. If I were running Zoom, I’d rethink that soonest.
Good advice from Mozilla
Many of the problems that have arisen with Zoom stem from the fact that it has had massive take-up of its free offer — which means that it is now being used by millions of non-technical users who probably know relatively little about online security. So it’s good to see that the Mozilla Foundation (which provides the Firefox browsers) has published some useful tips “to make your Zoom gatherings more private”.
They are:
1. Use your account with the latest version of Zoom. Sign-in and update to the latest version of the Zoom client or app. This will give you access to the meetings that are available to invited participants and ensure that your system has up-to-date security patches.
2. Use password protection. You can make your meetings password protected to prevent people from guessing your room ID and joining.
3. Keep your Personal Meeting ID private. Don’t use your Personal Meeting ID – especially for events you’re broadly publicizing. That will stop people from trying to enter your personal room at other times. Instead, generate a unique meeting ID by scheduling the meeting.
4. “Lock out” uninvited participants. Don’t share Zoom meeting invites or Meeting IDs with anyone you don’t want to join.
5. Utilize the “mute all” feature. Using the “manage participants” function, you can mute all participants. You should not unmute them again without telling them that’s what you’re doing.
6. Stop unwanted content from being shared. You can stop participants from sharing their screen, or if necessary, stop their video. This is helpful if you’re inviting lots of people you don’t necessarily know so that someone can’t maliciously share content – a practice now known as “zoombombing.”
7. Respect chat privacy. Decide ahead of time if you will save the chat or record the video of the meeting and make sure all participants have agreed and know how you plan to use that information. Recording and saving chats may have legal implications so make sure you’ve checked into that before enabling these options.
All good advice.