Two separate reports have revealed further issues within popular video-conferencing app Zoom.
First up, a report from The Verge notes that a security professional has used an automated tool that can scour meetings to find ones that are not protected by passwords. Apparently, it was able to find 2,400 calls in a single day, extracting a link to meeting, date, time, organizer and meeting topic information. From the report:
Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.
In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting’s Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.
Automated Zoom conference meeting finder ‘zWarDial’ discovers ~100 meetings per hour that aren’t protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 pic.twitter.com/h0vB1Cp9Tb
— briankrebs (@briankrebs) April 2, 2020
In a statement to The Verge regarding this issue Zoom said:
“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join… Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out. We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”
A second separate report from The Intercept published today claims that Zoom’s encryption algorithm has “serious, well-known weaknesses” and that keys are being issued by servers sometimes based in China, even if all the participants are based in the US.
MEETINGS ON ZOOM, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.
The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.
Zoom has not commented further on this issue, which was also reported by Forbes who note:
“…in an interview published on Forbes on Friday, Chief Executive Eric Yuan said the company was going to check on how it was routing conversations to China, but emphasized the data was protected. As Citizen Lab hadn’t sent its findings to Zoom, saying it was in the public interest to release the information as soon as possible, the videoconferencing company wouldn’t have been aware of the findings. But Yuan assured that if user data was being transferred to China when users weren’t even based there, “we are willing to address that.”
Security concerns regarding Zoom are now seemingly well noted in the community. The encouraging sign is that Zoom has taken notice, apologized and vowed to fix all of these issues over the next 90 days, freezing new features in the meantime.