Security concerns regarding the use of Zoom Video Communications

During these difficult times, when remote working has become a standard for most of us, a need for video meeting applications has grown more than ever, for one-to-one calls, education sessions, and webinars. 

One popular choice for many has been to utilize the meeting software known as Zoom. (The usage reports of the application have skyrocketed over the last few months.) 1  

Security concerns regarding Zoom 

It's convenient to utilize Zoom since it's free, with an easy sign-up, and doesn't require much effort to get started. However, in the shade of extreme growth, some massive security and privacy flaws have been reported. To mention some of the ones discovered lately: 

• Zoom client can leak network login credentials from your Windows PC. 2 
• They are claiming to utilize TLS 1.2 for end-to-end encryption, when it doesn't. 
• The iPhone app for Zoom was sharing its data with Facebook. (This, however, should be fixed now. Nonetheless, it is a massive violation of privacy.) 3 
• Just recently over 500.000 Zoom passwords was found for sale on the dark web. 4

As a response to the various privacy and security concerns that have surfaced lately, several organizations (e.g. Google, NASA, SpaceX) and government entities (e.g. Australian Defence Force, Government of Canada, United Kingdom Ministry of Defence) has banned the usage of Zoom. 

Our recommendation 

At Ironstone, we feel the same as the organization and government entities mentioned above: Zoom as a software solution is a liability when it comes to security and privacy concerns, and we would in no way encourage users to utilize this software.  

So, If you are in any way responsible for your users' client platform, we recommend you to take the following actions: 

1. Update your IT policy to ban the use of Zoom - Make it clear for your end-users that the utilization of the application is a vulnerability. It means that any meeting invites that requires the usage of the meeting app Zoom must be declined, due to security concerns. This policy applies to any meetings, across any device. 
2. Blacklist the software – It doesn't matter if you utilize Intune, SCCM or any other Device Management solution, make sure to block this application from the installation (Both for regular users and local admins)* 
3. Meet the need for remote working and meetings – Multiple other applications meet the same user requirements as Zoom. Find them and onboard your users. 
4. As a Microsoft partner, we will mention Microsoft Teams in this context. It would be a shame if we didn't. At the beginning of March, Microsoft posted a blog post about their commitment to helping organizations everywhere to stay connected and productive during these troubled times, by offering Microsoft Teams licenses for free (six months).  

If you have any questions or concerns regarding this matter, or how to get started with Microsoft Teams, don't hesitate to contact us. 

Source:

1 https://venturebeat.com/2020/04/02/zooms-daily-active-users-jumped-from-10-million-to-over-200-million-in-3-months/

2 https://www.zdnet.com/article/windows-10-alert-zoom-client-can-leak-your-network-login-credentials/

3 https://www.zdnet.com/article/zoom-to-iphone-users-were-no-longer-sending-your-data-to-facebook/

4  https://www.businessinsider.com/500000-zoom-accounts-sale-dark-web-2020-4?r=US&IR=T