Co-authored by: David Kennedy, founder TrustedSec, Binary Defense

Amit Serper, VP Security strategy and principal security researcher, Cybereason

Russ Handorf, PhD. Principal Threat Intelligence Hacker, WhiteOps

This post is NOT sponsored by or affiliated with Zoom in any way.

Zoom is not malware. Zoom is safe to use for both you personally and businesses, but you should read through on how to best protect yourself and your company. Throughout the past few days, social media (mostly infosec twitter) is gushing with various opinions and hot takes about Zoom being malware due to multiple issues found with it. Some of these issues are indeed problematic (and are/were taken care of by Zoom) and some of the issues that are being raised and discussed in social media are in fact not bugs or issues with Zoom itself but issues with the way operating systems work.

We want to be clear that if there are security exposures identified, they should be addressed and so far, Zoom has done that. Additionally, based on what we’ve seen from the response from the CEO over at Zoom — security is a direct focus and they are taking additional steps to address concerns and ensure security and privacy of the product. There may be additional vulnerabilities and exposures that are identified over the course of the next few days, weeks, months or years — it’s how a company responds to addressing them and how they look to improve their security program that is the important step here.

Some of the criticism is warranted in the sense of their marketing redefining end-to-end encryption which was only for the chat feature and not for the video which was TLS (transport layer). This has since been clarified, and in the latest update reflects the changes to the terminology. Conversely, Cisco’s WebEx supports E2E however severely disrupts the normal functionality of Cisco’s solution. This more reflects the importance of having consistent terminology being used industry wide not being made ambiguous such as when organizations attempt to rebrand or redefine standards to fit their products capabilities.

According to Cisco:

“Note that when end-to-end encryption is enabled, the following features are not supported: • Web App • Network-based recordings • Join Before Host • Video Endpoints” — https://www.cisco.com/c/dam/en/us/products/collateral/conferencing/webex-meeting-center/white-paper-c11-737588.pdf

There has been some responsible reporting and this isn’t a blanket statement to everyone. The news should cover risks and exposures in a measured way and not create alarming details to individuals that may not understand the ramifications. Some notable mentions on good reporting:

https://www.theverge.com/interface/2020/4/3/21203720/zoom-backlash-apology-zoom-bombings-eric-yuan

https://www.wired.com/story/zoom-backlash-zero-days/

https://www.forbes.com/sites/kateoflahertyuk/2020/04/03/use-zoom-here-are-7-essential-steps-you-can-take-to-secure-it/#2f6fe5387ae1

While it is true that some of the issues are more severe than others and could, potentially, be exploited by social engineering, it is also very easy to protect against and mitigate these issues. We want to commend Zoom in taking proactive steps above and beyond anything that we’ve seen before. Within one day of two zero-days (exploits that have no patch) were presented, Zoom had already released a new version addressing the security threats. These threats were primarily a local privilege escalation issue that would allow an attacker who already compromised your system to gain elevated access. The second was a design issue within Windows that could be abused to execute remote files — that design issue could be abused in many other applications other than Zoom.

Zoom fixed these two issues almost immediately and out to their customers. To put it in perspective, every single piece of software has had security exposures or vulnerabilities. It normally takes several weeks to months to get companies to acknowledge an exposure exists and to patch it. In this case, Zoom wasn’t afforded the opportunity and the exploit code was published online to the public. Zoom’s response in this fashion was commendable in addition to the response from the CEO.

https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

In the blog, the CEO emphasizes privacy and security as core foundational building blocks of the company and the steps to ensure the public that Zoom is a safe product to use. We want to be clear, security researchers should absolutely do analysis on software and help companies get better with security. The industry’s goal is to make the world a safer place when leveraging technology. When not using responsible disclosure, it causes the media to go in overdrive and what we saw transpired.

It should be noted that no other video teleconference has gotten the same level of scrutiny as Zoom has. Historically taking a look back at vulnerabilities year over year, the other major players have had substantial exposures and people continue to use them:

https://www.cvedetails.com/product/18500/Cisco-Webex.html?vendor_id=16

https://www.notebookcheck.net/GoToMeeting-is-found-to-be-potentially-susceptible-to-hacking.442684.0.html

https://www.exploit-db.com/exploits/39061

What has transpired over the past several days is alarming in the fact that most of the exposures identified would be considered low to medium risk. In the media it was portrayed that you should stop using Zoom now, that it’s malware, and you are at risk if you use the product. This is false. Already requiring direct access to someones system (an already compromised asset) or phishing campaigns to click on links. Nothing that has been released up until this point would be categorized as a substantial risk to anyone using the product. It is important to remember — ramifications of clicking malicious links is not an “exclusive” danger to Zoom, we have been dealing with it pretty much since the dawn of the Internet.

The same practices and caution towards links should be taken in Zoom sessions as well, especially in the current complex situation we are all in. Zoom became a critical tool that many of us work with and just like almost any tool or program out there — it could always be used maliciously.

There are other things to take into consideration, the news has reported on “Zoom Bombing” which is when someone shares the link to the public, or has a personal meeting ID (PMI) and is open to the public.

One of Zoom’s main issues is that it IS simple to use. It’s designed to be simple, and it’s designed to allow any age old or new to have open collaboration and in a simple way. With that, there are configurations that if left open, could potentially pose some risk towards you from anonymous individuals coming into the meetings.

Things you can do to secure your Zoom Sessions:

Ensure that if you are using a personal meeting ID (PMI), that it is secured with a PIN or Passcode. https://support.zoom.us/hc/en-us/articles/360033559832-Meeting-and-Webinar-Passwords- Use scheduled meetings. These create unique IDs that are more difficult to guess. In addition ensure that the meeting ID has a passcode on them. https://support.zoom.us/hc/en-us/articles/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar If you are hosting multiple people and you are the main presenter, use the webinar function to create a Zoom meeting, not a meeting itself. This will restrict who can share the screen and prevent “Zoom Bombing”. https://support.zoom.us/hc/en-us/articles/200917029-Getting-Started-With-Webinar Use Multi-Factor Authentication (MFA) on your Zoom account so that if a password is compromised, the attacker does not have access to your Zoom account. https://support.zoom.us/hc/en-us/articles/360038247071-Setting-up-and-using-two-factor-authentication Lock down your classrooms for students. https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/ Enable a waiting room feature to screen individuals that are coming into your meeting room. This will prevent unknown individuals from joining your session. https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/

A message to reporters and journalists:

The Internet, and especially infosec twitter is full of hot takes and attempts to generate sensational headlines and alarmist news items. It’s important to remember that “not all that glitters is gold”. Vulnerabilities exist in many programs and no piece of code is immune to such issues. Not every vulnerability or exposure is critical and creates an unmitigated or dangerous risk. Knowing what your threat is and applying careful thought to threat modeling is a crucial part of understanding the problem and determining its true effects.

We have a responsibility to portray accurate information and explain exposures in a clear way to the public as to not create fear. There are definitely times where fear is warranted based on the severity and risk to the public. Zoom thus far seems to be like many other organizations and has already demonstrated it is receptive to improving. Zoom is safe to use, Zoom is fine for personal and business use, and it is a great way to collaborate between groups of people during these trying times.

A message to the community at large:

We should take a pause to reflect more not on the positive actions taken by the employees at Zoom, which we feel has handled rapid growth and scaling in unprecedented times better than most, but more on the individuals who are trolling (i.e “zoom-bombing”) this and other systems. In any other circumstances trolls are ignored, get their moment of notoriety and/or 15 seconds of online fame and then move onto other platforms where they try more shenanigans. But right now, much like how April Fools was distanced out of the sake of being kind to each other, there is behavior that people should just simply not do right now because of the impact they are having on the legitimate users of the system. We are all living through a global crisis together; what we should be doing is helping each other, not disrupting or vandalizing systems for non-refundable and non-legal tender Internet points. We can’t imagine that the people at companies who are having to handle massive code pushes and changes to all these systems are having a fun time. There’s a human on the end of each computer keeping the lights on and the systems humming, and that recognition should not be forgotten or lost. Please be kinder and more understanding with each other as we all get through this together.

Thank you for taking the time to read our thoughts.