Is Zoom’s Lack of End-To-End Encryption a Problem?
All of the work-from-home activity coupled with all of the media about Zoom’s lack of end-to-end (E2E) encryption has resulted in a few clients asking us if Zoom can still be trusted to host meetings.
It’s not exactly as they portray
For those of you catching up, Zoom’s privacy and security have been the target of several articles in the past few days. Specifically, it appears that Zoom had some claims about E2E encryption, while the majority of meeting communications use transport layer (TLS) encryption.
In short, this means that your Zoom meetings are secured between you and Zoom and again between Zoom and the other parties—but somebody at Zoom could theoretically access your meetings and meeting materials.
While this has some major privacy implications, from a security perspective the core risk here is that if Zoom were breached or had an internal rogue employee, your meetings could be compromised.
Zoom probably has a number of access restrictions and monitoring controls in place to help prevent this, but I have not seen anything on these controls to date—so we should not rely on them too heavily.
If an attacker is looking for a quick return, it’s a bit of extra work
The return on investment related to getting highly sensitive corporate data directly from listening in on a Zoom meeting is probably pretty bad, but savvy adversaries could use access to meeting information to easily generate powerful social engineering attacks with the intent of getting previous meeting attendees to ‘download updated information from the meeting’ or to ‘click the link to register for the service as discussed in the meeting.’
Take these steps
As such, there are a few things that you and your teams can do to help prevent damage if your meeting is accessed due to a compromise of the service itself. These apply to Zoom as well as any other remote meeting technology:
- Ensure employees treat all virtual meetings like they are in a coffee shop and avoid sharing extremely sensitive material.
- If sensitive material must be discussed, ensure that the meeting name does not suggest that it is a top-secret meeting, which would make it a more attractive target for potential eavesdroppers.
- Restrict the sharing of sensitive files to approved file-share technologies, not as part of the meeting itself.
- Remind employees that adversaries could use virtual meetings as part of a social engineering attack, so be suspicious of all strange or unexpected contacts—even if referencing the previous meeting. When in doubt, follow-up phone calls or emails based on prior contact information can be used to validate unexpected requests.
- Triple-check your phishing, anti-virus, and web-filtering controls to make sure that employees remain protected from momentary lapses in judgment.
- Ensure that end-users know to set up their meetings with unique IDs and passcodes to ensure that there are no unexpected drop-ins.
- Review your application-level configurations to ensure that they are configured with security in mind.
- Monitor the situation! Increased use and attention could lead to additional security issues being uncovered, which may require patches and/or mitigating controls.
E2E encryption ensures that the content of calls is protected throughout their duration. Without E2E encryption, we are relying on Zoom’s controls and protections instead of our own. Although there are some privacy concerns here, a number of other popular video conference solutions take the same approach. Using the above guidelines to address some of Zoom’s default behaviors will substantially decrease the likelihood of major issues arising.
Full Disclosure: TrustedSec is vendor-agnostic and does not promote or discourage the use of any specific remote meeting platforms. Additionally, TrustedSec currently uses Zoom as its tool for virtual meetings.