This article was originally published 27 April 2020. The content of the article was updated on 6 July 2020 to reflect Zoom’s latest release.
The recent events of COVID-19 have seen a significant rise in teleconferencing usage, with many organisations, such as government departments, schools and health practitioners, using a range of tools to support business as usual.
One such tool that has received considerable negative media attention is Zoom. A number of vulnerabilities were highlighted by cyber security researchers, which bring into question whether Zoom is a suitable product for organisations to use.
There is no question that Zoom is performing well when it comes to user experience and breakout meetings to support online training and education. However, in making the right decision about whether to use Zoom for general use, education or telehealth, there are some considerations you need to think about:
1. What will you be using Zoom for?
Zoom states that it uses 256-bit Advanced Encryption Standard (AES) over TLS 1.2 in Electronic Codebook (ECB) mode. However, researchers have identified that the key length is closer to 128 bit. This is still a very good level of encryption, but there are two considerations to note:
- ECB mode is not suitable for video conferencing, or as a mode to use with AES at all, because each block is encrypted independently: identical plaintext blocks produce identical ciphertext blocks, so patterns in the content remain visible in the encrypted stream
- Cryptographic keys are managed in offshore servers.
Zoom has recently changed the mode of encryption to Galois/Counter Mode (GCM) with a guaranteed key length of 256 bit.
What this means for you
As encryption keys are held offshore, information can be obtained through compel orders, issued by the countries where the cryptographic keys are located, which could also have privacy implications. This becomes particularly pertinent if Zoom is being used for telehealth or student counselling/welfare.
There was significant attention around Zoom not having end to end encryption. It should be noted most video conferencing solutions do not provide end to end encryption, with encryption keys generated from specific servers located in secure data centres. Zoom now guarantees Australian users the key generation will occur either in Australia or the US. Consideration still needs to be given to encryption keys being held offshore.
Our tips to be cyber secure:
- Have a clear policy in your organisation that dictates the level of discussions that should be held over Zoom
- Always make sure “Advanced Encryption Chat” is enabled when you set up a Zoom meeting.
2. Will I be affected by Privacy Laws?
It is important to remember that regardless of where information is stored, if you own it, you remain responsible for it. Unless you are using the enterprise version (Zoom for Education or Zoom for Healthcare) and have Zoom servers set up in your private network (see the section on Zoom options), you will potentially be sending information offshore. When recording to the Zoom cloud, your information could be stored in offshore servers.
For Australian users, Zoom has now guaranteed that routing will occur through Australian data centres. However, if recording to the Zoom cloud, your information will be stored in the US.
For paying Australian customers, Zoom offers an Australian only service, which enables cloud recording to be stored in Australia.
Personally Identifiable Information (PII) might be sent offshore if you record to the Zoom cloud. Depending on the level of discussion or functionality you use (e.g. file sharing, chat), sensitive information might also be sent offshore, which has more serious implications and stringent mitigation requirements under both state and federal legislation.
Zoom provides the option for its users to record locally to devices, but organisations will need to ensure staff are aware of how to configure this in the settings because it is not a default setting.
The enterprise versions of Zoom still rely heavily on infrastructure in the US and, therefore, many of the regulations they adhere to are US-centric and do not consider Australian Privacy Laws. However, Zoom has made significant changes specifically for Australian customers, which include establishing an Australian “cluster” that ensures paying Australian customers’ information remains in Australia.
What this means for you
It is important that you maintain positive control of PII and sensitive information. It is often a target for cyber criminals, who sell the information on the dark web where it can be used for identity fraud (e.g. sensitive health information). A data breach of information your organisation is meant to control can result in serious reputational damage and significant fines.
If you are a paying Zoom customer, you have the option to choose where your meeting is routed through and stored. You will need to select your location on setup and, depending on availability, this may not be guaranteed. Serious consideration of these implications needs to be given when recording to Zoom cloud.
Local recording to a device mitigates the risk of sending PII or sensitive information offshore. This makes it the user’s responsibility to ensure each meeting setting is configured properly. Additionally, organisations need to consider the implications of staff recording sensitive information to personal devices and how the information will be securely stored and transferred.
Our tips to be cyber secure:
- If you are going to record meetings or chats, configure the session to record locally, and password protect/encrypt the recording
- If you are not hosting the meeting, ask the host to configure the meeting settings, so all participants are informed when recording starts
- Use internal methods for file-sharing or transfer (e.g. a password-protected file sent through email)
- Consider using the on-premises enterprise version of Zoom for Telehealth and Zoom for Education to significantly mitigate the risk of human error.
3. Zoom options
There are two forms of Zoom: application-based and the web client. Zoom utilises the same desktop and mobile applications for free and licensed users. As indicated, the Zoom enterprise version gives the option to host Zoom servers within a private network. Doing so enables organisations to manage their recordings and encryption keys, but comes at a price. The application and web client versions both come with pros and cons.
What this means for you
When you introduce a new application into your network, the most important consideration is patching. Given the considerable changes Zoom is making to its security, there are likely to be more updates than usual. Organisations will need to stay on top of everyone updating to the latest version. Unpatched applications are one of the most common ways cyber criminals breach a network.
Using the web client can expose users to malicious sites posing as the real thing. Web browsers should be configured with security in mind to use HTTPS everywhere. Phishing is by far the most common reason an organisation will have its network breached, so everyone needs to be aware of the risks and be supported with the right controls.
Our tips to be cyber secure:
- Using the web client version reduces the burden on internal resources of updating applications installed on the organisation's network
- If you are paying for Zoom, consider setting up the on-premises version to maintain positive control of your information and encryption keys. Alternatively, ensure that you have selected the Australian cluster for all video conferencing traffic, which is now an excellent option offered by Zoom
- Ensure someone is responsible for checking Zoom updates and then sending reminders to users within the organisation to implement the patch.
4. Access controls
Access controls are an area where considerable attention has been placed on the operational security of Zoom. So much so that a term was given to the particular attack – “zoombombing”. Zoom has upgraded its security by increasing meeting IDs to 11 digits and embedding random passwords into meeting IDs/URLs, so uninvited users must have both the meeting ID and the password to enter the meeting. However, given the surge in Zoom usage, there is likely to be a surge in cyber criminals looking to exploit users.
What this means for you
It is not just about access to Zoom. Users should consider how they manage access to other important applications and accounts on their devices. Cyber criminals may enter through one area (Zoom) but quickly pivot and exploit another application or account on your device/network if it is not adequately protected.
Our tips to be cyber secure:
- If you only do one thing, ensure multi-factor authentication (MFA) is turned on across all accounts and applications (e.g. email, social media)
- Enable the waiting room feature for meetings so you can control who is let in
- Make sure you keep your personal Zoom meeting ID or URL secure.
Overall
Compared to a number of other video teleconferencing tools on the market, Zoom is performing very well when it comes to overall user experience. While there have been several vulnerabilities identified in the past few weeks, Zoom is improving how it delivers a secure service through enhanced security controls and measures. There are a number of key takeaways that organisations need to consider when selecting Zoom:
- Zoom is US-centric and will rely heavily on data centres in the US to manage information and encryption. Zoom now offers an Australian cluster of data centres that can be selected for all video conferencing routing
- Many of the mitigation measures rely on the human factor for setting up secure sessions, so organisations should have a clear policy of what and how staff can and should be using Zoom. Organisations should also define safe user guidelines that include how to configure meetings with security in mind. Importantly, provide some training on how to implement those settings
- Under Australian Privacy Laws, information gathered by Zoom and even general use meeting recordings constitutes the collection of PII. Make sure your staff, patients and parents of students are aware of this and seek their consent before allowing them to use the system
- If your discussions will be sensitive (e.g. health information, student counselling, commercially sensitive information), purchase an enterprise version and establish an on-premises/onshore capability to maintain positive control of information and encryption
- If you are going to record meetings (e.g. classroom delivery, online training), make sure staff know how to record and secure locally
- Use internal methods to transfer and share files rather than sharing via Zoom
- When using the application or web client version of Zoom, seek advice on how best to secure your local environment with realistic and cost-effective security controls
- Protect all your other applications and accounts with MFA.
During this uncertain period of remote working, Zoom is providing a means for healthcare providers, schools and organisations to deliver services that may not have been possible otherwise. There are vulnerabilities in everything, so be smart, be informed, and mitigate the risk with some of the basic measures discussed.
Contact our Cyber Security Team if you need any assistance with understanding the potential risks of your environment when working remotely.