A Summary of Zoom's Bad Security Month
May 23rd, 2020 | 11 minute readAs a result of the global pandemic Zoom has seen an explosion in usage (going from 10M to 200M daily active users) and has received quite a bit more scrutiny into their security and privacy practices. This has caused them to get reamed in the press for a number of issues:
- Their default meeting settings allowed anyone to join meetings just by entering the meeting id, which is easily enumerable. This lead to trolls “zoombombing” meetings and harassing people.
- The Zoom mobile app was using the Facebook SDK, which was sending device id and other data to Facebook, even if you don’t have a Facebook account and before you could accept (or reject) any privacy policy.
- Zoom’s marketing materials falsely claimed their video streams were end-to-end encrypted.
- Though there’s no end-to-end encryption, Zoom does provide encryption in transit. However it turned out they were routing the decryption keys through servers in China, and were using weak encryption.
- They were leaking thousands of email addresses and profile photos.
- Their desktop apps got hit with multiple “0day” (brand new, unpatched) vulnerabilities: here, here, and here (all separate issues!). They also got called out for their missing basic security practices on their linux client.
- All this press caused the Zoom app to be banned by Google, SpaceX, many school districts, and other organizations.
There were actually even more negative headlines than this but you get the idea.
I have mixed feelings about all this. Undoubtedly Zoom has underinvested in security and is now paying a heavy price for it. At the same time I think some of these issues have been blown out of proportion. Consider just 3 of the issues linked above:
1) For the “end-to-end encryption” issue, there’s not a single commercial teleconferencing product available today that provides end-to-end encryption (more on this later) - it is simply not an expectation that I ever had about their product. Obviously it was a mistake for them to claim they had it in their marketing materials.
2) For the Facebook issue, sending data to Facebook when the app opens is a property of the Facebook SDK, not the Zoom app. It also happens on a dozen other apps on your phone, and that anger should be directed at Facebook.
3) For the “weak encryption” issue, the problem is that Zoom was encrypting your video stream data using AES-ECB. Many of you have probably heard of AES before for encrypting data. Every laptop, phone, tv, router, etc, that you buy has special hardware instructions just to make AES go faster. It is the most ubiquitous encryption algorithm in the world, by far.
But AES is a low level primitive that can only encrypt 16 bytes of data. If you want to encrypt something larger than 16 bytes, which is most things, then you need to define some way of running AES on the input repeatedly to do that. This is called the “encryption mode”, and there is an entire alphabet soup of different modes to do this - ECB, CBC, CTR, and so on.
Zoom was using ECB mode, which works like this:
- Take the data you want to encrypt and split it into 16 byte chunks
- Encrypt each chunk separately
- Concatenate the encrypted outputs
It is very simple. But it has a flaw which is that any identical 16-byte blocks in the input will also be identical in the output. This is famously demonstrated with the following image of a penguin:
And the same image, encrypted with AES-ECB:
That is some poor encryption! As you can see the mode and other parameters you choose are critically important to the security of any encryption algorithm, and really you should never use ECB mode for anything.
But.
The reason ECB is so bad for this penguin is that the image is a bitmap, which means that there is a 1-to-1 mapping between the pixels of the image and the byte data being encrypted. Repeated pixels means repeated bytes. No one sends video frames as bitmaps though - Zoom saves bandwidth by compressing the video frames, and a side effect of compression is that the output looks nearly random. This probably nullifies the vulnerability, because there’s so much noise in the output that any repeated blocks are likely uncorrelated. It is still a bad issue that should have never landed in production in the first place, but reading some of the news articles about it you’d think that someone could decrypt your entire video stream, and it is exceptionally unlikely that anything close to that was possible.
And so on for all the rest of their problems. Not great, not terrible. Zoom certainly has a lot of security work ahead of them, and they should have started investing in it a lot earlier, but maybe they don’t deserve some of the headlines they got either.
Nevertheless, all these issues have resulted in 2 separate lawsuits being filed against Zoom, as well as calls by senators for an investigation by the FTC (which the FTC was happy to oblige). One of the lawsuits claimed that as a result of Zoom using Facebook’s SDK, Zoom gave Facebook access to video stream content (relevant snippet, full filing). This is unequivocally false, but people can sue you for whatever they want ¯\_(ツ)_/¯.
The other (more interesting) lawsuit is a class action case by Zoom’s own shareholders, because all the negative security and privacy headlines have hurt their stock price. I find this kind of funny because the same global pandemic that has caused the entire market to plunge has caused Zoom to be one of the few companies that has stayed positive: from the market peak on 2/19 to the time the lawsuit was filed on 4/8, the S&P500 was down 19% and Zoom was up 13%. Obviously having your company perform well doesn’t mean that you aren’t doing sue-worthy stuff, but also just imagine outperforming the S&P500 by 32%, during a global pandemic, and having your shareholders sue you. Not outperforming enough, I guess!
Now, even though I think some of the headlines are overblown, I’d be lying if I said I didn’t find it satisfying watching it all happen. Something that is quite frequently true is that people tend to not care about security until they’re in the news for it, and it’s validating to be able to point to some of these headlines and say, “look. look at it.” To their credit, Zoom has been handling the fallout better than most. Since their troubles began they:
Released fixes for some of the client vulnerabilities, and announced a full 90 day feature freeze to focus entirely on security and privacy issues.
Created a CISO council and tapped former Facebook CISO Alex Stamos as an advisor.
Clarified their encryption language.
Acquihired Keybase.io and published an open design document for deploying end-to-end encrypted conference calls. This would make them the only commercial provider to do so and would be a game-changer for, e.g. telemedecine and also just generally.
Removed the Facebook SDK from their mobile app (logging in with Facebook is now performed via a webview), and also updated their privacy policy.
Provided enhanced security controls for fixing zoombombing and other issues.
Provided data center routing options to configure what regions your data flows through.
Fixed their weak ECB encryption.
Engaged with well known security firm Trail of Bits.
and offered an internship to a college freshman who was involved in one of those 0day vulnerabilities.
Obviously it’s best to not have security issues like this in the first place, but when organizations do inevitably have problems or even breaches it’s fantastic to see them “be human 🙃”, own their mistakes, and respond with openness and transparency.
P.S. If you enjoy this kind of content feel free to follow me on Twitter: @arkadiyt