Site icon Infused Innovations

Using Zoom? You Just Failed Your Compliance Audit

Using Zoom? You Just Failed Your Compliance Audit 9

Have you been on a Zoom group call recently? I have—not for work, but my kids’ school class has done online show-and-tell over Zoom, and my extended family has organized virtual gatherings with it. Schools and universities use it as their go-to platform for online teaching. Friends are using it for happy hour meetups. And, as you may have heard, graduate students are defending their dissertations there—and being interrupted with hackers’ pornography and hate speech.

The blatant disregard for fundamental security practices in Zoom’s non-existent Security Development Lifecycle have led to Zoombombings and unsecured meeting scraping tools. But it doesn’t stop there. Zoom also violates data sovereignty and data protection policies that are present in every cybersecurity framework (NIST CSF / HIPAA HITRUST / PCI-DSS / ISO27001) and consumer privacy laws such as CCPA and GDPR. Third-party risk management must be sacrosanct for all organizations, and Zoom is failing its customers across the board. School districts in New York and aerospace industries have started banning zoom because of security issues, and your organization should too.

Security Weaknesses in Zoom

Rather than using existing encryption standards for voice and video content, Zoom creates its own. Our CISO, Dan Chemistruck, says that “unless you have a dedicated security research lab, like Apple or MIT, this is an open invitation to hackers to breach your platform.” Zoom’s security methods consist of “transport” encryption between servers and devices—not end-to-end encryption. Until very recently Zoom misled users to believe that its encryption was end-to-end. After the news reports of hacking incidents last week, Zoom representatives apologized in a blog post on April 1 for the “discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

 

 

The University of Toronto’s Citizen Lab examined transmissions through Zoom and found that a single encryption key (AES-128) was used to encrypt and decrypt audio and video for all participants in each meeting. These AES-128 keys can be easily intercepted along the way. They’re also sent using a mode called electronic codebook (ECB), which preserves patterns within the encryption rather than fully coding or disguising them. Renowned security guru, Bruce Schneier, flat out states “using ECB mode indicates that there is no one at the company who knows anything about cryptography.”

What’s more, the encryption keys are often sent to servers in China, even if no one on the call is located there. Test calls between the U.S. and Canada showed keys routed to Beijing during the process. Perhaps that isn’t surprising, considering that Zoom owns two companies in China where its software is developed (although the company has its headquarters in Silicon Valley). However, the Chinese government has the authority to inspect all data transmitted into China and this is a third-party risk that your organization must be willing to accept.

It’s worth noting that Zoom may be pressured or obligated to share its encryption keys with authorities in China.

In April of 2020, the Windows Zoom client was revealed to have a known vulnerability that allows password credential theft. While Windows 10 Enterprise has Virtualization Based Security features to block these attacks, consumers and Windows 10 Pro users are out of luck until this vulnerability is patched. (Group Policy can also be configured to mitigate the vulnerability, but this doesn’t really help consumers.)

Privacy Concerns and Consumer Protection Failures

Microsoft Cloud App Security (MCAS) is a Shadow IT discovery tool that ranks over 20,000 companies across more than 70 risk factors. Zoom averages a 6/10 rating in MCAS and in the screenshot below, you can see its failure to adhere to common compliance frameworks and consumer privacy laws. If you work in education, Zoom is not FERPA (Family Educational Rights and Privacy Act) compliant and you should discontinue use as soon as possible. Update 4/6: The MCAS product team is reviewing Zoom’s recently revised K12 Privacy statement to validate FERPA, COPPA, and CCPA compliance. This post will be updated if Zoom completes any new compliance frameworks.

 

 

The folks at Zoom like to use this idea of “commonly accepted definitions” as a way to cover up both security and privacy concerns. Up until the end of March, their privacy policy stated, “In our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.” Zoom does collect a long list of personal data from its users, which it shares with many third-party trackers. It gives out surveillance data for profit, and it makes it easy for users to proceed without seeing or accepting this.

Other digital platforms collect data in a similar way, but Zoom’s access has extended even to the content shared while using the service. This has resulted in recent lawsuits for violation of the California Consumer Protection Act, and an investigation by the New York State Attorney General.

When you sign up for a free online consumer product or service, you are likely the product. And all of your data is probably being sold to third-parties.

Shaky Foundations and Knee-jerk Reactions

Zoom has become a lot more popular in recent weeks, but it’s got a history of sketchiness that goes back further. Last summer Apple issued its own update to remove Zoom software from Macs after it discovered that Zoom used a hidden web server on Macs, ostensibly to provide additional convenience. This web server created a serious vulnerability that allowed any website to start a Zoom call automatically on a user’s computer with the webcam on, without the user’s direction.

This January, Check Point Research published a report that pointed out flaws which allowed uninvited hackers to listen in on large Zoom meetings. And last month the app was found to be leaking user data such as email addresses and photos because of a flaw in the way contacts are organized.

In a blog post from April 4th, Zoom said it will be enabling meeting passwords by default on its free tier to prevent Zoom bombings. This means if you’re paying for Zoom, you will still be vulnerable. And there has been no announcement yet on plans to implement industry standards for end-to-end AES 256-bit encryption without ECB mode.

Better Collaboration Options than Zoom

 

At the end of 2019, Zoom had fewer than 2,000 employees worldwide, including sales and administrative staff. By comparison, Microsoft has over 3,500 employees working in their cyber security division alone. In addition, Zoom uses labor arbitrage by hiring developers in China at lower wages, and then selling the product at US rates.

This is a stark contrast to your tech behemoths. With Azure / GCP/ AWS, you know where your data is stored, how it’s handled, and that they’re adhering to data sovereignty rules. (And paying hefty fines when they run afoul.) Zoom simply does not have the resources required to keep up with the security demands required by their recent explosive growth.

For more secure video calls, it’s a better idea to go with an app from a well-known company with a good security reputation. Microsoft has the most secure and compliant offerings, with Amazon and Google close behind. (Lagging mostly because Alexa and Google Assistant are recording everything you say with loosely defined data retention policies.)

 

 

 

 

 

 

 

 

 

 

Webex is owned by Cisco and has been a trusted business communication platform for years.

Compliance Results for Other VoIP & Video Services

There are plenty of other vendors in the VoIP and Video space. The following gallery contains some of the more common but less compliant services.

  • 8×8
  • Discord
  • Facebook Messenger
  • GoToMeeting
  • RingCentral
  • Twitch

 

How do I Protect a Zoom Meeting?

If you do find yourself on Zoom for whatever reason, take precautions:

The company is attempting to respond to the uproar about all of these vulnerabilities. But your safest bet is to explore one of the alternatives above. Because of Zoom’s security and privacy issues, SpaceX and NASA are now prohibiting use of the app among their employees. If you’re doing business or sharing private information, you need to adopt that policy too. Otherwise you will fail your next compliance audit.

Infused Innovations is protecting our clients by marking Zoom as an unsanctioned app in Microsoft Cloud App Security, and enforcing this policy on endpoints via Microsoft Defender ATP. If you’re already on the Microsoft Threat Protection stack, this process takes about 2 minutes to complete. If you haven’t made the jump yet, we offer free cybersecurity roadmap sessions and Zero Trust Security Accelerators to get your organization protected quickly.

Update 7/28/2020:
Below is an updated compliance review for Zoom:

 

 

Exit mobile version