The Cybersecurity Follies: Zoom Edition
British Government and Other 'Work-From-Homers' Grapple With Remote Communications
For many, the stuck-at-home chronicles have fast become surreal, as employees collectively face down a killer virus on the one hand and the flattening of their work and personal lives on the other.
As someone said on Twitter the other day: this isn't "working from home," this is being forced to stay home by a pandemic, and anyone lucky enough to still have a job is trying to get some work done while keeping themselves and their family healthy and sane.
Cue successive waves of panic, reorientation and struggles at productivity, not least as individuals grapple for ways to stay connected, tapping a number of audio and video conferencing tools, but perhaps none more so than Zoom.
British Government on Zoom
One of the videoconferencing tool's more high-profile users is Britain's Conservative government led by Prime Minister Boris Johnson. After failing to practice social distancing in his press briefings and hospital tours, on March 27, Johnson announced that he had tested positive for COVID-19, had "mild symptoms" and would be working remotely from his No. 11 Downing Street flat.
In a now-infamous image, Johnson on Tuesday tweeted a screen grab of his Zoom meeting with 34 other officials, together with the meeting ID. Thankfully, Zoom by default now requires a password for access. "Let's hope it's a strong password that's hard to guess," says British security expert Graham Cluley.
Still, one might have also hoped for more sense from a government advised by intelligence agency GCHQ and responsible for safeguarding the country's population of 67.8 million.
Because while Zoom is fine for many uses, anything touching on national security is not one of them, especially if you're not working from inside China, where Zoom's product team and one-third of its employees - about 700 of them - are based.
'Major Intelligence Collection Targets'
"COVID-19 has created - and continues to create - awe-inspiring intelligence-collection opportunities. Zoom would be a big part of that intelligence bonanza," says nation-state attack expert Thomas Rid.
"The virus is forcing an unprecedented number of leaders and managers to work from home, across all sectors, in business and in government, everywhere. Sensitive meetings, of course, didn't stop; they moved to new platforms. The most important platform today is Zoom," says Rid, who's a professor of strategic studies at Johns Hopkins University and author of "Active Measures: The Secret History of Disinformation and Political Warfare," due out later this month.
"That makes Zoom - and comparable services - major intelligence collection targets, both for signals interception and for human infiltration. COVID-19 has made those targets of opportunity even more prized," he adds.
"COVID-19 has created - and continues to create - awe-inspiring intelligence collection opportunities. Zoom would be a big part of that intelligence bonanza."
— Thomas Rid (@RidT), April 1, 2020
The British government has access to secure communications systems, including a system called Rosa. But most cabinet officials don't have access to these types of systems from home, although the government says it's working to get them new tools. For now, if in a pinch, Rid says they should tap a tool that's actually encrypted from end to end, and has the security audits to prove it, such as "WhatsApp, or better, Signal."
Alan Woodward, a professor of computer science at University of Surrey, says that for any sensitive communications, it's best to avoid videoconferencing altogether, unless you have access to a secure facility, "i.e. not home to home."
"For most purposes in the current situation, it is often better to enable mass communication to get people to observe the stay-at-home rules," he tells me. "But don't assume anything other than those apps which have been security audited are really secure. ... If in any doubt, seek advice from those who truly understand cybersecurity."
Zoom: Fine for Many Users
At the same time as many experts have cautioned against governments using Zoom, they say it's fine for most users.
"For personal use there's really no problem. If there's an alternative then use that, whatever," tweets the operational security expert known as the Grugq. "But infosec losing their shit over Zoom bugs is really just silly."
"Zoom - has bugs like all other software.
Zoom - fixing bugs and being responsible.
Zoom - software I easily taught my dad to use for remote classes over email and WhatsApp.
Zoom - not rated for sensitive data: natsec, confidential sources, etc.
Zoom - use it, it's fine."
— thaddeus e. grugq (@thegrugq), April 2, 2020
As British security expert Kevin Beaumont has noted, it's also tough to sweat your business's choice of communication tool, at least in the short term, when the threat of your business imminently going under is staring you down.
"InfoSec industry: OH MY GOD ZOOM IS THE WORST RISK!!!1!
Their employer: *goes bust*"
— Kevin Beaumont (@GossiTheDog), April 1, 2020
Security Basics: Passwords, Updates
Do, however, practice some basic security precautions. "Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people," the FBI's Boston field office advises in a Monday alert.
Beyond not sharing passwords, everyone should be using the most up-to-date version of any software, including Zoom (see: Zoom Stops Transferring Data by Default to Facebook). In January, as the FBI notes, "Zoom added passwords by default for meetings and disabled the ability to randomly scan for meetings to join."
There's been a surge in video-teleconferencing hijacking - aka Zoom-bombing - including against students working remotely. "The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language," the agency reports.
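One defensive control the FBI advice above implies is to screen a draft before it goes to a public channel, flagging any meeting link or ID (and, worse, a link that embeds the password). This is an added Python example, not code from the article, the FBI or Zoom; the join-link and meeting-ID formats it matches are assumptions.

```python
import re

# Assumed formats (not taken from the article): a Zoom join link looks like
# https://<sub>.zoom.us/j/<9-11 digits>[?pwd=<token>], and a bare meeting ID
# is 9-11 digits, often printed with spaces or dashes after "Meeting ID:".
JOIN_LINK = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/(\d{9,11})(?:\?\S*?\bpwd=([\w.-]+))?",
    re.IGNORECASE,
)
BARE_ID = re.compile(
    r"meeting\s*id\s*[:#]?\s*(\d{3}[ -]?\d{3,4}[ -]?\d{3,4})\b", re.IGNORECASE
)


def find_leaks(text):
    """Return every Zoom join link or meeting ID found in outbound text."""
    leaks = []
    for m in JOIN_LINK.finditer(text):
        # A link carrying pwd= turns a guessable ID into a walk-in invite.
        leaks.append({"kind": "link", "meeting_id": m.group(1),
                      "has_password": m.group(2) is not None})
    for m in BARE_ID.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(1))  # normalise "123 456 7890"
        leaks.append({"kind": "id", "meeting_id": digits, "has_password": False})
    return leaks


def redact(text):
    """Replace join links and meeting IDs so the text can be posted publicly."""
    text = JOIN_LINK.sub("[zoom link removed]", text)
    return BARE_ID.sub("Meeting ID: [removed]", text)


def is_safe_to_post(text):
    """True only when the text carries no meeting link or ID at all."""
    return not find_leaks(text)


# Constructed sample draft of a public post (the ID and password are made up).
SAMPLE_POST = (
    "Cabinet video call at 10:00. Join: https://us02.zoom.us/j/1234567890?pwd=AbCdEf123 "
    "Meeting ID: 123 456 7890. See you there!"
)

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_POST):
        print(leak)
    print(redact(SAMPLE_POST))
```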
Zoom Is Hot
By any measure, Zoom is now one of the hottest apps on the planet. The service says that as of the end of December 2019, it was seeing 10 million daily meeting participants, both paid and free. As of last month, that figure had jumped to over 200 million daily meeting participants, including access being offered for free (allowing for meetings longer than 40 minutes) to more than 90,000 schools across 20 countries to support remote education.
Yes, Zoom has had flaws, just like all software, including a pair of zero-day flaws for Zoom's macOS platform dropped earlier this week by Patrick Wardle, a former National Security Agency hacker who's now principal security researcher at Jamf. To Zoom's credit, the flaws were fixed in less than 24 hours (see: Zoom Rushes Patches for Zero-Day Vulnerabilities).
Zoom, for its part, has promised to do better. "Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process," says Zoom's founder and CEO, Eric Yuan, in a Wednesday blog post. Yuan emigrated from China to Silicon Valley at the age of 27, helped create WebEx, which was later sold to Cisco, and started California-based Zoom in 2011.
Zoom might want to start by replacing its "roll your own crypto" scheme, which Citizen Lab, the University of Toronto research group that tracks nation-state surveillance, says "has significant weaknesses." Citizen Lab says it has also alerted Zoom to another problem: "We identified what we believe to be a serious security issue with Zoom's 'waiting room' feature," it says in a security report. Hopefully, Zoom will address this quickly. "In the meantime, we advise Zoom users who desire confidentiality to not use Zoom waiting rooms. Instead, we encourage users to use Zoom's password feature, which appears to offer a higher level of confidentiality than waiting rooms."
Pandemic Trumps Tool Choices
Despite such problems, you can't fight the power of a well-designed, easy-to-use app, at least not in the short term.
"It's really hard for security departments or infosec people to try to fight against applications which are becoming organically popular, like Zoom is becoming organically globally popular right now," says Mikko Hypponen, chief research officer at Finnish security firm F-Secure.
"My comment about Zoom and other similar products. This is from our webcast yesterday. pic.twitter.com/jWnPRp3gU1"
— @mikko (@mikko), April 2, 2020
"People will use them regardless of what you say and if the product is good enough, if it's a great application people will use it regardless of the privacy implications. Zoom is a great app. It has great usability; people will use it," he says. "Telegram is another great example. There has been a lot of discussion about how Telegram doesn't encrypt all the content in the way users think they are encrypted, but it's a great product, it works very well, people will use it. Same thing with TikTok; same thing with Huawei mobile phones. Basically, same thing with Google. We all know that Google products are great; they really make great products. We just can't pay for the products with money so we have to pay with our data."
As the COVID-19 crisis continues, using Zoom, TikTok, Huawei mobile phones and Google products will, of course, continue. And for most users, especially for personal use, the message from security experts is simple: Don't sweat it, at least for the moment. While we deal with bigger challenges, just stay connected.