This document outlines the privacy and security issues that Zoom faced from March to April 2020. It provides a timeline of events where investigations found that Zoom was sharing user data with Facebook and others without encryption. Zoom also had vulnerabilities that allowed malicious actors to access users' webcams and microphones. This led to several lawsuits and governments banning the use of Zoom. The document also discusses Zoom's privacy problems in collecting excessive user data and lack of end-to-end encryption. Users are advised to use passwords, waiting rooms and limit sharing of meeting IDs to improve security when using Zoom.

1. Zoom: Privacy and Security – A case study
Adri Jovin J J, M.Tech., Ph.D.
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY

2. Zoom
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 2
• Cloud-based Video Conferencing Service
• Founded: 2011
• Founder: Eric Yuan

3. Privacy issues – The timeline
March 26, 2020
• Investigation by Motherboard revealed that Zoom App (iOS) was sending user analytics data to Facebook
March 27, 2020
• Zoom removed Facebook data collection features
March 30, 2020
• Investigation by Intercept found Zoom call data was sent back to the company without end-to-end encryption
• Two more bugs discovered: (i) Malicious actor can gain control over user microphone or webcam
(ii) Vulnerabilities that allow Zoom to gain root access on MacOS desktop
• Zoom violated California’s new data protection law
• Zoombombing – led FBI to issue public warning about Zoom security vulnerabilities
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 3

4. The timeline…
April 1, 2020
• SpaceX bans Zoom
• Motherboard reported the leakage of data such as email addresses and photos to strangers through a feature which
operated as company directory
April 2, 2020
• Automated tool, zWarDial was able to find 100 Zoom meeting IDs, which were left unprotected by password, in an
hour
• New York Times reported that the data-mining feature of Zoom had secret access to Linkedin profile data of other
users
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 4

5. The timeline…
April 3, 2020
• Investigation by The Washington Post found thousands of recordings of Zoom video calls left unprotected and viewable in
open web
• Plans for Zoomraids by attackers
April 5, 2020
• Some video calls were mistakenly routed through two Chinese Whitelisted servers
April 6, 2020
• New York’s Department of Education urged schools to switch to Microsoft Teams
• Zoom accounts found on the dark web (352 accounts)
• Third class action lawsuit filed against Zoom in California (3 issues: Facebook data-sharing, incomplete end-to-end encryption,
vulnerability which allows actors to access webcams)
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 5

6. The timeline…
April 7, 2020
• Taiwan bans Zoom from government use
April 8, 2020
• Fourth lawsuit for falsely asserting that the service was end-to-end encrypted
• Google bans Zoom
• Sales of Zero-day exploits of Zoom by hackers for USD 5,000 TO USD 30,000, reported by Motherboard
• New update removing meeting ID from title bar for ongoing meetings to slow attackers who circulate screenshots
• AI Zoombombing
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 6

7. The timeline…
April 9, 2020
• US Senate informs members not to use Zoom
• Singapore teachers banned from using Zoom
• German Ministry of Foreign Affairs in a circular told employees to stop using Zoom due to security concerns
April 10, 2020
• Pentagon restricts Zoom usage
April 13, 2020
• Cyble discovered that over 500,000 Zoom accounts are being sold on the dark web and hacker forums
• Zoom users advised to change their passwords and to check the data breach notification site https://haveibeenpwned.com/
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 7

8. The timeline…
April 14, 2020
• Lawsuit against Facebook and Linkedin for eavesdropping on Zoom users’ personal data
• Zoom introduces new privacy option for paid users
April 15, 2020
• Two critical exploits, one for Windows and one for MacOS that could allow someone to spy Zoom calls for sale in underground
market for USD 500000
April 16, 2020
• Security researcher discovered two new crucial privacy vulnerabilities in Zoom
i. found a way to access and download a company's videos previously recorded to the cloud through an unsecured link
ii. discovered that previously recorded user videos may live on in the cloud for hours, even after being deleted by the user
• Zoom hired Luta security to revamp its bug bounty program allowing white hat hackers to identify security flaws
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 8

9. Security and Privacy implications
Three basic problems
a. Bad privacy practices
b. Bad security practices
c. Bad user configurations
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 9

10. Privacy issues
• Spies user for personal profits
• Collects data including user name, physical address, email address, phone number, job information, Facebook profile
information, computer or phone specs, IP address, and any other information you create or upload
• Uses data for profit against your interest
• On March 29, 2020, Zoom rewrote its privacy policy as
“We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data. ….. We do not use data we obtain from your use of
our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You
have control over your own cookie settings when visiting our marketing websites.”
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 10

11. Security issues
• Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable
the camera without permission.
• Zoom designed its service to bypass browser security settings and remotely enable a user's web camera without the
user's knowledge or consent.
• Zoom patched this vulnerability last year.
• It only provides link(not end-to-end) encryption, which means everything is unencrypted on the company's servers
• Uses AES-128…ECB [Schneier quotes this as “there is no one at the company who knows anything about
cryptography”]
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 11

12. Bad User Configuration
• If the meeting is not configured appropriately, it open to all sort of mischief.
• A common one: Zoombombing
• Even without screen sharing, people are logging in to random Zoom meetings and disrupting them
• Meeting ID not long enough to prevent someone from randomly trying them
“Instead of making the meeting IDs longer or more complicated -- which it should have done -- it enabled meeting passwords by default. Of
course most of us don't use passwords, and there are now automatic tools for finding Zoom meetings”
-Checkpoint Research
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 12

13. Some guidelines
If usage of Zoom is unavoidable….
• Do not share meeting ID more that how much you have to
• Use password in addition to meeting ID
• Use waiting room if you can
• Pay attention to the permissions granted to users
• Advisory provided by Ministry of Home Affairs, Government of India
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 13

14. References
Zoom: Two new security exploits uncovered “https://www.cnet.com/news/zoom-every-security-issue-uncovered-in-the-
video-chat-app/”
Security and Privacy Implications of Zoom “https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html”
More on Zoom and privacy “https://blogs.harvard.edu/doc/2020/03/28/more-zoom/”
EPIC Files Complaint with FTC about Zoom “https://epic.org/2019/07/epic-files-complaint-with-ftc-.html”
Zoom-Zoom: We Are Watching You “https://research.checkpoint.com/2020/zoom-zoom-we-are-watching-you/”
UITC203 CRYPTOGRAPHY AND NETWORK SECURITY 14