Zeroing in on Zoom’s Threat to Financial Services

Ray Hillen, Managing Director of Cybersecurity at Agio

COVID-19 has induced a significant shift in the way we work. Remote is the new reality. As large swathes of the financial services economy acclimate to working from home, its workers are finding new methods for cross-enterprise communication.

For many, Zoom has been the answer to staying connected in the workplace. The video conferencing tool’s growth has exploded since virtual meetups became the new norm, with many organizations embracing the platform to exchange sensitive data, discuss proprietary information and conduct high-stakes business negotiations.


The app’s customer base surged from 10 million users pre-outbreak to 200 million, including 600,000 new clients onboarded on March 15 alone, the same day social distancing orders were first put in place across the country. The US government stands out here, having signed enterprise contracts with Zoom valued at $1.3m as part of its pandemic response.

There may be, however, a tremendous cost to Zoom’s convenience.

Simply put, the widespread adoption of Zoom amid a global pandemic might be the security vulnerability of the decade. In fact, any financial services organization using the service should immediately assume its user credentials are under malicious parties’ control. In recent weeks, New York Attorney General Letitia James has probed Zoom’s data security strategy, and whether the company’s security protections can keep up with the spike in users. It is also our understanding that the FBI, among other federal government agencies, has prohibited the use of Zoom and WebEx due to security concerns.

At Agio, we have discontinued the use of Zoom. This piece explains why the platform’s use poses a significant risk to organizations and what actions leaders should take to mitigate that risk.

Privacy Policy

Zoom has already set a precedent for lax privacy and security. Until recently, the platform created a local web server on users’ devices, allowing it to turn on the device’s camera. This server was not mentioned in any official documentation, and the Electronic Privacy Information Center filed an FTC complaint against Zoom, alleging intent to “bypass browser security settings…without the knowledge or consent of the user.” This, in turn, introduced risks including “remote surveillance, unwanted videocalls, and denial-of-service attacks.” Arvind Narayanan, associate professor of computer science at Princeton University and digital privacy expert, has even referred to Zoom as ‘malware’.

The platform’s privacy policy is another cause for concern. While it claims not to sell user data for money, this does not preclude sharing information with third parties such as Google or Facebook for targeted advertising or other undisclosed business purposes, and that sharing is not bound by any privacy agreement. The process for rejecting data collection is also notoriously complicated, with experts reporting that users must opt out of more than 85 separate ‘cookies’.

Encryption

Another area of concern is Zoom’s claims around its encryption capabilities. After initially stating that its platform used end-to-end encryption to protect virtual meetings, the firm recently admitted in a blog post that this was not the case. Instead, calls are encrypted using transport layer security (TLS), which is known to be less secure. The company also claims that audio and video meeting data is protected by 256-bit Advanced Encryption Standard (AES) keys. Several sources, however, have revealed that the keys are actually 128-bit. AES is also run in “electronic code book (ECB) mode,” which fails to fully conceal patterns in the underlying data, because identical plaintext blocks produce identical ciphertext blocks. This runs counter to the professional recommendation that AES be run in “Segmented Integer Counter” or “f8” mode. Crucially, Zoom’s lack of end-to-end encryption extends to its Company Directory, opening the door to thousands of email addresses and photos being leaked to strangers. With this information, a bad actor can conduct Zoom video calls with the owners of those emails.
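The ECB-versus-counter-mode point above is easy to see in code. The following Go program is an added example written for this column, not Zoom’s code or any description of its implementation: it encrypts a constructed payload of eight identical 16-byte blocks with a constructed AES-128 key, once in ECB mode and once in counter (CTR) mode, and counts how many ciphertext blocks repeat. The key, nonce and payload are all made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptECB runs the raw AES block cipher over each 16-byte block of pt
// independently. Go's standard library offers no ECB helper on purpose, so
// the loop is written out by hand. pt must be a whole number of blocks.
func encryptECB(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes => AES-128/192/256
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(pt)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), bs)
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += bs {
		block.Encrypt(ct[i:i+bs], pt[i:i+bs])
	}
	return ct, nil
}

// xorCTR encrypts or decrypts data with AES in counter mode: the keystream is
// the encryption of successive nonce||counter blocks, XORed over the data, so
// equal plaintext blocks no longer yield equal ciphertext blocks. The nonce
// must never repeat under the same key; a fixed one is used below only so the
// constructed example is deterministic.
func xorCTR(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != block.BlockSize() {
		return nil, fmt.Errorf("nonce must be %d bytes", block.BlockSize())
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out, nil
}

// duplicateBlocks returns how many 16-byte blocks of ct repeat an earlier
// block verbatim: total blocks minus distinct block values.
func duplicateBlocks(ct []byte) int {
	distinct := map[string]struct{}{}
	n := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		distinct[string(ct[i:i+aes.BlockSize])] = struct{}{}
		n++
	}
	return n - len(distinct)
}

func main() {
	key := []byte("0123456789abcdef")                 // constructed 16-byte key => AES-128
	nonce := make([]byte, aes.BlockSize)              // constructed all-zero nonce, demo only
	pt := bytes.Repeat([]byte("MEETING-ID-01234"), 8) // constructed: 8 identical blocks

	ecb, _ := encryptECB(key, pt)
	ctr, _ := xorCTR(key, nonce, pt)
	fmt.Printf("AES-%d key\n", len(key)*8)
	fmt.Printf("ECB: %d of 8 blocks repeat an earlier block\n", duplicateBlocks(ecb))
	fmt.Printf("CTR: %d of 8 blocks repeat an earlier block\n", duplicateBlocks(ctr))
}
```

With ECB, all eight ciphertext blocks are identical, so anyone watching the stream can tell which frames or packets carry the same content even without the key. Under CTR each block is XORed with a different keystream block, so the repetition disappears; the same function decrypts, because XOR is its own inverse. The key-length point is the first line of output: `aes.NewCipher` derives AES-128 or AES-256 purely from the number of key bytes, which is why a 16-byte key cannot provide the 256-bit strength claimed.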

Zoom now states it has “implemented robust and validated internal controls to prevent unauthorized access to any content users share during meetings” and that an on-premise solution exists today to give users direct control of the key management process. To date, however, Zoom has not addressed criticisms of encryption key length, mode discrepancies or its lack of true end-to-end encryption.

An added vulnerability, which is particularly relevant on Windows operating systems, is Zoom’s conversion of universal naming convention (UNC) paths into clickable hyperlinks. If a meeting participant is duped into clicking one of these links pasted into Zoom’s chat section, their computer can unknowingly send its username and password hash to a bad actor’s server. Using password-cracking software to recover the password from that hash, the bad actor can then breach users by joining calls as an uninvited guest (Zoombombing); accessing the user’s desktop remotely; browsing any shared network folders; breaching local network devices; and conducting SMBRelay attacks (where the attacker alters communications exchanged between two other parties).
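For a defender, the practical follow-up to the UNC-link issue is to find out whether such links ever appeared in the organization’s meeting chats, which is also the kind of evidence the investigation step in the conclusion needs. The Go program below is an added example, not Zoom’s code and not a tool the company provides: it scans constructed chat-export lines for UNC paths, records the host each one points at, and marks whether that host is one of the organization’s known file servers. The chat lines, host names and the 203.0.113.7 address are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// uncPath matches a UNC path such as \\host\share\file.txt: two backslashes,
// a host name or address, a backslash, and the share or path that follows.
var uncPath = regexp.MustCompile(`\\\\([A-Za-z0-9._-]+)\\[^\s"'<>]+`)

// Finding records one UNC path seen in a chat export and the host it targets.
type Finding struct {
	Line  int    // 1-based line number in the export
	Host  string // host part of the path, lower-cased
	Path  string // the full UNC path as written
	Known bool   // true if Host is one of the organization's own file servers
}

// scanChat walks chat-export lines and returns every UNC path found. A path
// whose host is not a known file server is the finding worth escalating: a
// Windows client resolving it would attempt SMB authentication to that host.
func scanChat(lines []string, knownHosts map[string]bool) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, m := range uncPath.FindAllStringSubmatch(line, -1) {
			host := strings.ToLower(m[1])
			out = append(out, Finding{Line: i + 1, Host: host, Path: m[0], Known: knownHosts[host]})
		}
	}
	return out
}

// suspicious filters findings down to those pointing at unknown hosts.
func suspicious(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if !f.Known {
			out = append(out, f)
		}
	}
	return out
}

// sampleChat is a constructed chat export; the local C:\ path on the last
// line is there to show that ordinary drive paths are not flagged.
var sampleChat = []string{
	"[10:02] alice: agenda is on \\\\fileserver01\\shared\\q2\\agenda.docx",
	"[10:03] bob: thanks",
	"[10:05] guest: see \\\\203.0.113.7\\c$\\notes.txt for the numbers",
	"[10:06] carol: also C:\\Users\\carol\\Desktop\\local.txt",
}

func main() {
	known := map[string]bool{"fileserver01": true} // constructed inventory of internal servers
	for _, f := range suspicious(scanChat(sampleChat, known)) {
		fmt.Printf("line %d: UNC link to unknown host %s (%s)\n", f.Line, f.Host, f.Path)
	}
}
```

Running this over real exports gives the list of hosts that client machines may have tried to authenticate to, which is the starting point for deciding whose password hashes to treat as exposed. On the prevention side, two standard Windows controls limit the damage of any such link regardless of the chat client: the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers”, and a perimeter firewall rule blocking outbound TCP port 445 so that SMB authentication cannot reach hosts on the internet.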

Server Hosting

A geopolitical dimension to our concerns around Zoom is the company’s ties to China. The AES 128-bit keys used to encrypt Zoom meetings come from the company’s cloud infrastructure, which consists of servers situated all around the world, including China. Servers in China may even be engaged when a virtual meeting’s participants are all domiciled outside of the country.

Zoom’s recent filing with the SEC reveals the company owns three China-based subsidiaries employing more than 700 R&D employees to create Zoom’s app. Keep in mind that more than 80% of Zoom’s revenue comes from North America. An application used by financial services businesses to exchange high-value information, especially one with limited security, is a ripe target for nation state attackers conducting electronic espionage.

Against the backdrop of a trade war and claims that 5G equipment manufactured by Chinese telecom companies might threaten US national security, one should consider whether Zoom could be pressured, or legally obligated, to share servers or encryption keys with Chinese authorities on request, and what the state would do with that information. Compared to other technology companies, Zoom has provided little information about how many government requests for data it receives, or whether it complies with them.

Conclusion

So, what protective steps can an organization take, after the fact, to secure itself and its devices when conducting virtual meetings? Here are some suggestions:

  • If using Zoom is absolutely essential, ensure the latest version is installed by checking for new software patches. Older versions that have not been updated are the most exposed to known vulnerabilities.
  • Prepare the organization to switch its virtual meeting platforms by informing and securing buy-in from key senior executives such as CEOs, CTOs and CISOs.
  • Implement a mandatory password change across the organization, for all employees and the devices they use for business.
  • Establish multi-factor authentication to access virtual meetings and all devices used for work to mitigate the risk of account takeover.
  • Whenever possible, use an iPhone mobile device to join Zoom calls, versus a Windows host. If the platform is installed on a Windows operating system, stop using Zoom immediately.
  • Identify when Zoom was first installed on a work device or system, to determine how far back an investigation must go. The earliest date from which to start tracking may be the last time the employer or operating system required a password change. This will also inform who else may have been compromised by joining Zoom meetings.
  • If the organization works in a heavily regulated industry, such as financial services or healthcare, its leaders should explore whether there’s a mandatory obligation to disclose potential breaches via Zoom.
  • Establish a process for distributing meeting passwords over a communication channel other than Zoom itself, the meeting invite, or email.

If an organization opts to use Zoom, the consequences can range from breached employee privacy and corporate sabotage, to reputational damage and theft of intellectual property. Regardless of Zoom’s retroactive measures, which allegedly include new patch fixes, enhanced bug bounty programs and third-party security expert review, this platform is not fit for commercial use.

In Zoom’s case, the convenience is simply not worth the cost.

The views represented in this commentary are those of its author and do not reflect the opinion of Traders Magazine, Markets Media Group or its staff. Traders Magazine welcomes reader feedback on this column and on all issues relevant to the institutional trading community.