Zoom Security Vulnerabilities

For many organisations Zoom has become one of the primary methods for communicating during the COVID-19 crisis. The heightened awareness of Zoom has prompted several security issues that customers need to be aware of.

Due to these unprecedented times, the requirement for remote collaboration and video conferencing has come into the spotlight. A popular tool that has emerged is Zoom conferencing utility, however multiple vulnerabilities and risks have been identified with the use of this software.

1 Zoom Bombing

Unsecured meetings, meetings setup as public, allow anyone to join the meeting. This can cause disruption to meetings, risk data and information exposure.

2 End To End Encryption

Zoom does not use 100% complete end to end encryption. Anything you say in the meeting could potentially be recorded by a third party.

3 Encryption Standards

Zoom stated that their encryption levels were AES 256, the encryption levels have actually been confirmed as AES 128. AES 128 is still strong encryption, but this non-trival discrepancy should raise concerns of the overall level security of the product. Note, Zoom have now corrected this error in their marketing.

4 Zoom Path Vulnerability

Security researchers have disclosed details of a path injection vulnerability in the Zoom remote conferencing client for Microsoft Windows. They claim a remote unauthenticated meeting attendee can exploit this vulnerability to obtain other attendee's usernames and session (NTLM) credential hashes, comprising your local computer and network.

Our Recommendation

Due to the number of security issues we advise that organisations refrain from using Zoom where any personal information or sensitive business information is discussed. Also if your business operates in any security sensitive industry.

Alternatives

At Datcom we utilise Microsoft Teams, Microsoft have made Teams free for use for all organisations, but does require the creation of an Office 365 account. Microsoft also have a free version of Skype without the need for the creation of an account.

For more information please contact your Account Manager.

References

https://products.office.com/en-gb/microsoft-teams/group-chat-software

https://www.skype.com/en/free-conference-call/