John Mello Jr., Contributor

7 ways to make your Zoom meetings safer

Feature | Apr 30, 2020 | 8 mins
Communications Security, Security, Vulnerabilities

Learn to use the tools Zoom gives you to secure online conferences.

Zoom was a popular online conferencing application before COVID-19 infected the world, but the pandemic drove usage of the service to astronomical levels. Before the virus spread, the platform garnered about 10 million meeting participants a day. By March, that number was 200 million a day.

“[W]e did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socializing from home,” confessed Zoom CEO Eric S. Yuan in a company blog. “We now have a much broader set of users who are utilizing our product in a myriad of [sic] unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he added.

Many of those challenges were security challenges, some of Zoom's own making, some caused by new users unfamiliar with online meetings. Zoom's fixes for its most glaring problems, combined with the security controls the platform already had, now let users hold reasonably safe meetings online, provided they know which controls to use. Here are seven ways to do that.

UNC attack

Zoom's in-meeting chat automatically converted Universal Naming Convention (UNC) paths, such as \\server\share\file.docx, into clickable links. A user who clicks one without knowing where it leads may end up at a malicious website or download a malicious payload.

Worse, if the UNC path points at an SMB server controlled by a threat actor, Windows users can have their credentials stolen. By default, Windows tries to authenticate to the remote file server automatically, sending the user's account name together with an NTLM challenge response derived from the password hash (a NetNTLMv2 hash). An attacker who captures that response on their own server can crack the password offline with widely available tools, or attempt to relay it to another service.

How to prevent a UNC attack

The simplest fix is to upgrade the Zoom client. The UNC issue was addressed in version 4.6.9, released April 2, 2020, which no longer renders UNC paths as clickable links.

The problem can also be mitigated at the network level by blocking outbound traffic on TCP port 445, the port Server Message Block (SMB) uses and therefore the port over which the NTLM exchange travels. Blocking outbound 445 from hosts that don't need access to remote SMB file shares, and in particular blocking it at the perimeter so that no SMB session can leave the corporate network, stops the credentials from ever reaching an attacker's server.

A third, more drastic option is to stop Windows from sending NTLM credentials to remote servers at all, via the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers". Because this can break legitimate authentication to trusted hosts, it must be applied carefully: set the policy to "Audit all" first, review the events it generates (event ID 8001 in the Microsoft-Windows-NTLM/Operational log) to identify legitimate activity that would be denied, add those hosts under "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication", and only then switch to "Deny all".
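The two halves of the UNC problem, rendered in code as an added example (this is not Zoom's code and not from the article): a chat renderer that turns UNC paths into file:// links, as the pre-4.6.9 client effectively did, beside the hardened renderer that leaves them as inert text, plus a detection routine that flags UNC paths pointing at hosts outside the organisation, which is what you would run over chat or proxy logs. The regexes, the internal host allowlist and the sample message are all constructed for the example.

```python
import html
import ipaddress
import re

# Constructed regexes, not Zoom's code: a UNC path looks like \\host\share\path,
# an HTTP(S) URL starts with http:// or https://.
UNC_RE = re.compile(r'\\\\([A-Za-z0-9._-]+)\\([^\s<>"]+)')
HTTP_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed allowlist of hosts and address ranges that are legitimately
# reachable over SMB from inside the organisation (assumption for the example).
INTERNAL_HOSTS = {"fileserver", "fileserver.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def linkify_vulnerable(message: str) -> str:
    """Pre-4.6.9-style rendering: every UNC path becomes a clickable file:// link,
    so a single click makes Windows authenticate to whatever host the path names."""
    out = html.escape(message)
    out = UNC_RE.sub(
        lambda m: '<a href="file://%s/%s">%s</a>'
        % (m.group(1), m.group(2).replace("\\", "/"), m.group(0)),
        out,
    )
    return HTTP_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), out)


def linkify_hardened(message: str) -> str:
    """Hardened rendering: only http(s) URLs become links; a UNC path stays inert text."""
    out = html.escape(message)
    return HTTP_RE.sub(lambda m: '<a href="%s">%s</a>' % (m.group(0), m.group(0)), out)


def suspicious_unc_hosts(message: str) -> list:
    """Detection side: return the hosts named by UNC paths in a message that are
    not on the internal allowlist, i.e. candidates for an NTLM-capture server."""
    flagged = []
    for host, _share in UNC_RE.findall(message):
        try:
            internal = any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
        except ValueError:  # not an IP literal, so compare it as a hostname
            internal = host.lower() in INTERNAL_HOSTS
        if not internal and host not in flagged:
            flagged.append(host)
    return flagged


# Constructed chat message: one internal share, one web link, one attacker-controlled share.
SAMPLE_MESSAGE = (
    r"Minutes are on \\fileserver\team\notes.docx, slides at https://example.com/deck "
    r"and the 'bonus' material is at \\203.0.113.7\c$\loot"
)

if __name__ == "__main__":
    print(linkify_vulnerable(SAMPLE_MESSAGE))
    print(linkify_hardened(SAMPLE_MESSAGE))
    print("suspicious UNC hosts:", suspicious_unc_hosts(SAMPLE_MESSAGE))
```

The hardened renderer is the whole fix on the client side: it never emits a file:// or UNC link, so there is nothing for the user to click. The detection routine is the complement for defenders who cannot force every client to upgrade; a UNC path naming a public IP address or an unknown hostname in a meeting chat is exactly the artefact of this attack.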

Privilege escalation

Privilege escalation occurs when an intruder who has gained a foothold on a system as a low-privileged user leverages that access to obtain higher privileges. Zoom's macOS installer made exactly that possible.

During installation, Zoom's installer ran a script called runwithroot with administrative (root) privileges, and that script could be tampered with by an unprivileged local user before it was executed. A malicious actor, or malware already running on the Mac, could therefore use runwithroot to run code of their choosing as root.

How to prevent privilege escalation

This flaw was fixed in Zoom version 4.6.9 (19273.0402) on April 2, 2020. Attacks like this that require local access aren't confined to Zoom. That's why all users should be careful about downloading or installing packages from unknown or untrusted sources, especially when the installer asks for administrative privileges.

Unauthorized camera and microphone access

This is another flaw in the macOS version of Zoom. Zoom protects its code by signing it with a code-signing certificate and compiling it with Apple's Hardened Runtime, which, together with System Integrity Protection, is designed to stymie code injection, dynamic library hijacking and tampering with the process's memory.

Zoom, however, shipped the app with the entitlement that disables library validation (com.apple.security.cs.disable-library-validation), so the hardened runtime no longer required every library the app loaded to be signed by Apple or by Zoom, and arbitrary unsigned code could be loaded into the app. A threat actor could substitute a malicious library for a legitimate one and intercept the calls meant for the legitimate library without the user's knowledge. Because the injected code runs inside Zoom's own process, it inherits the camera and microphone access the user has already granted to Zoom, so an attacker could record through the Mac's camera and microphone without the user ever being prompted.

How to prevent unauthorized camera and mic access

This vulnerability was also corrected in Zoom 4.6.9 (19273.0402).
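A practitioner can verify the library-validation fix, and catch the same mistake in other apps, by auditing the entitlements a binary was signed with. The following added example (not from the article, and not Zoom's code) parses an entitlements plist and reports hardened-runtime opt-outs alongside the device entitlements whose grants injected code would inherit; on a real Mac the plist comes from `codesign -d --entitlements :- /Applications/<App>.app` (recent macOS versions also accept `--xml`). The two plists below are constructed to illustrate the weak and the fixed configuration and are not dumps of Zoom's actual binary.

```python
import plistlib

# Hardened Runtime opt-out entitlements that weaken code-injection protection.
# Keys are Apple's documented entitlement names; the explanations are our own.
HARDENED_RUNTIME_OPT_OUTS = {
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by Apple or the app's team can be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables (e.g. DYLD_INSERT_LIBRARIES) are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable and executable memory is permitted",
    "com.apple.security.get-task-allow":
        "other processes may obtain the task port (debug/inject)",
}

# Device-access entitlements whose grants injected code would inherit.
SENSITIVE_DEVICES = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Parse an entitlements plist and report hardened-runtime opt-outs, sensitive
    device entitlements, and whether the combination lets injected code reach the
    camera or microphone under the app's already-granted permissions."""
    ents = plistlib.loads(plist_bytes)
    opt_outs = [k for k in HARDENED_RUNTIME_OPT_OUTS if ents.get(k) is True]
    devices = [name for k, name in SENSITIVE_DEVICES.items() if ents.get(k) is True]
    return {
        "opt_outs": opt_outs,
        "devices": devices,
        "injected_code_inherits_device_access": bool(opt_outs) and bool(devices),
    }


def explain(report: dict) -> list:
    """Human-readable reasons for each opt-out found by audit_entitlements()."""
    return [HARDENED_RUNTIME_OPT_OUTS[k] for k in report["opt_outs"]]


# Constructed entitlements modelled on the flaw described above; NOT Zoom's real plist.
WEAK_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.cs.allow-jit</key><false/>
</dict>
</plist>
"""

# The same app with library validation left on (the shape of the 4.6.9 fix).
FIXED_ENTITLEMENTS = WEAK_ENTITLEMENTS.replace(
    b"<key>com.apple.security.cs.disable-library-validation</key><true/>", b""
)

if __name__ == "__main__":
    for label, plist in (("weak", WEAK_ENTITLEMENTS), ("fixed", FIXED_ENTITLEMENTS)):
        report = audit_entitlements(plist)
        print(label, report, explain(report))
```

The camera and microphone entitlements are not themselves the problem; a conferencing app needs them. The finding is the combination: a device entitlement plus any opt-out that lets foreign code into the process.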

Zoom-bombing

Zoom-bombing, where unauthorized parties crash a videoconference and engage in inappropriate behavior, gave the platform a black eye in the media, but it is not a software vulnerability that a patch can close. It is a matter of meeting hygiene: links get shared publicly and hosts leave permissive defaults in place, which shouldn't be surprising considering the number of new users that joined the platform in a matter of weeks.

How to prevent Zoom-bombing

Videoconferences get "bombed" when the link to them is shared publicly. To bomb-proof online sessions, here are a few tips for conference hosts.

  • Share conference links and passwords only with individuals who are told not to pass them on. If a meeting is open to the public, it's wise to block the audience's ability to share their audio and video.
  • Don't use your personal meeting ID to host public events; a leaked PMI works for every meeting you ever hold with it. Instead, generate a new meeting ID for the event and share that.
  • Use the Waiting Room feature. Arriving participants are held in the waiting room until the host admits them, so you can screen out uninvited guests, and guests need only the meeting link rather than a password to get as far as the waiting room.
  • Familiarize yourself with Zoom's in-meeting security controls, which let you keep attendees under control. You can mute participants and stop their video, which has the added benefit of saving bandwidth. Turn off collaboration features (annotation, chat, file transfer and screen sharing) until they're needed, and limit screen sharing to the host unless a participant needs it.
  • Never turn your screen over to anyone you don't know and trust.
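The host tips above can be turned into an audit that runs over an export of scheduled meetings, so an administrator finds the risky ones before the bombers do. The following is an added example, not from the article and not Zoom's code; the meeting record is our own constructed schema (its field names are chosen to resemble the Zoom REST API's meeting settings but should be treated as assumptions and mapped onto whatever export you actually have), and the two sample meetings are constructed.

```python
import copy
import secrets


def audit_meeting(meeting: dict) -> list:
    """Return findings for a meeting, most severe first; an empty list means the
    meeting follows the host guidance above."""
    s = meeting.get("settings", {})
    findings = []
    if not meeting.get("password"):
        findings.append("no passcode: the link alone admits anyone who finds it")
    if s.get("use_pmi"):
        findings.append("uses the host's personal meeting ID: a leaked link works for every future meeting")
    if not s.get("waiting_room"):
        findings.append("waiting room off: the host cannot screen arrivals")
    if s.get("join_before_host"):
        findings.append("join before host on: attendees can meet (and be bombed) unsupervised")
    if meeting.get("public") and not s.get("mute_upon_entry"):
        findings.append("public event without mute on entry: any attendee can broadcast audio on arrival")
    if s.get("screen_share") == "all":
        findings.append("screen sharing open to all participants")
    return findings


def harden(meeting: dict) -> dict:
    """Return a copy of the meeting with the settings the tips above recommend;
    a missing passcode is replaced with a random one."""
    m = copy.deepcopy(meeting)
    if not m.get("password"):
        m["password"] = secrets.token_urlsafe(8)
    m.setdefault("settings", {}).update(
        use_pmi=False, waiting_room=True, join_before_host=False,
        mute_upon_entry=True, screen_share="host",
    )
    return m


def audit_all(meetings: list) -> dict:
    """Map meeting id -> findings for every meeting that has at least one finding."""
    report = {}
    for m in meetings:
        findings = audit_meeting(m)
        if findings:
            report[m["id"]] = findings
    return report


# Constructed sample records, not real meetings.
SLOPPY_MEETING = {
    "id": 111, "topic": "Community town hall", "public": True, "password": "",
    "settings": {"use_pmi": True, "waiting_room": False, "join_before_host": True,
                 "mute_upon_entry": False, "screen_share": "all"},
}
HARDENED_MEETING = {
    "id": 222, "topic": "Community town hall (rescheduled)", "public": True, "password": "7Ht3qzAv",
    "settings": {"use_pmi": False, "waiting_room": True, "join_before_host": False,
                 "mute_upon_entry": True, "screen_share": "host"},
}

if __name__ == "__main__":
    for mid, findings in audit_all([SLOPPY_MEETING, HARDENED_MEETING]).items():
        print(mid, *findings, sep="\n  ")
    print("after harden():", audit_meeting(harden(SLOPPY_MEETING)))
```

The audit deliberately treats a public meeting more strictly than a private one (mute on entry only matters when strangers can join); adjust the `public` flag to whatever marks an externally advertised event in your own data.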

Unencrypted chat

Ordinary Zoom chat is encrypted in transit but not end to end: the service holds the keys, so messages are readable in plaintext on the service side unless you instruct the application otherwise.

How to prevent unencrypted chat

You can boost the protection of your conversations by enabling advanced chat encryption, under which the keys are generated on the participants' devices so that only the intended recipients can read the messages. The transport still uses TLS 1.2, and the messages themselves are encrypted with AES-256.

There are some drawbacks to using advanced chat encryption. You won't be able to use the integrated GIPHY library, edit sent messages, or search your chat message history, and some older Zoom clients lose functionality when it is enabled. You will still be able to share files, photos, emojis and screenshots.

Advanced chat encryption is turned on in the web portal under Account Management > IM Management, on the IM Settings tab.

Insecure authentication

For the sake of convenience, Zoom meetings are often set up with no authentication required, or with authentication that does not meet the organization's security standards. This lowers the barrier for bad actors to disrupt a Zoom session.

How to prevent insecure authentication

Zoom users who want the protection of their company's single sign-on (SSO) can get it through the platform's SSO feature, which is based on SAML 2.0. Zoom acts as the service provider and provisions corporate users just in time: once Zoom receives a SAML response from the identity provider, it checks whether the user already exists and, if not, creates an account automatically from the identity in the assertion. That convenience means the identity provider is fully trusted, so who can obtain an assertion from it, and for which e-mail domains, is what actually controls who gets a Zoom account.

Zoom's SSO works with identity providers including PingOne, Okta, Microsoft Azure AD, Centrify, Shibboleth, Gluu, G Suite/Google Apps, OneLogin and RSA SecurID, and with ADFS 2.0 SAML implementations.
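The just-in-time provisioning flow described above, as an added example that is not Zoom's code and not from the article: a service-provider-side routine that takes a SAML assertion, performs the checks that sit above signature verification (trusted issuer, validity window, audience, subject e-mail domain) and then returns the existing user or creates one. The XML signature is assumed to have been verified already by a SAML library before this function runs; the entity IDs, the verified domain list and the assertion itself are constructed for the example.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumptions for this example, not Zoom's real values.
SP_ENTITY_ID = "https://sp.example.com/saml"
TRUSTED_ISSUER = "https://idp.example.com/metadata"
VERIFIED_DOMAINS = {"example.com"}


def _utc(ts: str) -> dt.datetime:
    return dt.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def jit_provision(assertion_xml: bytes, directory: dict, now: dt.datetime) -> dict:
    """Validate issuer, validity window, audience and subject domain, then return the
    existing user record or create one.  Signature verification is assumed to have
    happened before this call (the SAML library's job); these are the checks it does not do."""
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", namespaces=SAML)
    if issuer != TRUSTED_ISSUER:
        raise ValueError("untrusted issuer: %r" % issuer)
    cond = a.find("saml:Conditions", SAML)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or noa is None or not (_utc(nb) <= now < _utc(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", SAML)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion not intended for this service provider")
    email = (a.findtext("saml:Subject/saml:NameID", namespaces=SAML) or "").strip().lower()
    domain = email.rsplit("@", 1)[-1] if "@" in email else ""
    if domain not in VERIFIED_DOMAINS:
        raise ValueError("subject domain not verified for this account: %r" % domain)
    attrs = {
        attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=SAML)
        for attr in a.findall("saml:AttributeStatement/saml:Attribute", SAML)
    }
    user = directory.get(email)
    if user is None:  # first sign-in: create the account just in time
        user = {"email": email, "first_name": attrs.get("firstName"),
                "last_name": attrs.get("lastName"), "created_by": "sso-jit"}
        directory[email] = user
    return user


def is_rejected(assertion_xml: bytes, now: dt.datetime) -> bool:
    """True if jit_provision() refuses the assertion (used by the demo and tests)."""
    try:
        jit_provision(assertion_xml, {}, now)
    except ValueError:
        return True
    return False


# Constructed assertion (no signature element; see the assumption above).
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2020-04-02T10:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-04-02T09:55:00Z" NotOnOrAfter="2020-04-02T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
WRONG_AUDIENCE_ASSERTION = SAMPLE_ASSERTION.replace(b"https://sp.example.com/saml", b"https://other.example.net")
FOREIGN_DOMAIN_ASSERTION = SAMPLE_ASSERTION.replace(b"Alice@example.com", b"mallory@attacker.example")
NOW = _utc("2020-04-02T10:00:00Z")
LATER = _utc("2020-04-02T10:10:00Z")


def demo() -> dict:
    """Two logins with the same assertion: one record is created, then reused."""
    directory = {}
    first = jit_provision(SAMPLE_ASSERTION, directory, NOW)
    second = jit_provision(SAMPLE_ASSERTION, directory, NOW)
    return {"users": len(directory), "same_record": first is second, "user": first}


if __name__ == "__main__":
    print(demo())
    print("replayed later:", is_rejected(SAMPLE_ASSERTION, LATER))
    print("other SP's assertion:", is_rejected(WRONG_AUDIENCE_ASSERTION, NOW))
    print("unverified domain:", is_rejected(FOREIGN_DOMAIN_ASSERTION, NOW))
```

The domain check is the one most often missing from JIT provisioning: without it, any identity the IdP is willing to assert, including guest or federated accounts, silently becomes a member of your tenant.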

Zoom traffic routed to questionable locations

The security of Zoom's conference routing practices was called into question by Citizen Lab at the University of Toronto in early April. The researchers found that traffic from some conferences originating outside China was being routed through China. Worse, the encryption keys for those conferences were being generated on servers in China, where they were at risk of government interference.

How to prevent traffic from being routed to questionable locations

Zoom has addressed those problems by letting paying customers opt in to or out of the data center regions used to host their conferences. Non-paying customers don't get to pick a route, but Zoom has promised that no conference originating outside China will have its traffic routed through China.

Zoom has data centers in eight regions: U.S., Canada, Europe, India, Australia, China, Latin America and Japan/Hong Kong.

Better Zoom security in the wings?

In his blog, CEO Yuan pledged to shift all his company’s engineering resources to identify, address, and fix issues proactively. Those will include these security measures: 

  • Conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of all new consumer use cases.
  • Launch a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.
  • Engage a series of simultaneous white box penetration tests to further identify and address issues.
  • Upgrade its encryption scheme from 128-bit Advanced Encryption Standard (AES) keys to AES 256-bit GCM encryption.