What you need to know
- More concerning security issues have been found within popular video-conferencing app Zoom.
- They include an encryption vulnerability, servers in China, and an automated tool that can find 100 Zoom meeting IDs an hour.
- Zoom has already publicly apologized for previous issues, vowing to freeze new features for 90 days whilst it issues fixes.
Two separate reports have revealed further issues within popular video-conferencing app Zoom.
First up, a report from The Verge notes that a security professional has used an automated tool that can scour meetings to find ones that are not protected by passwords. Apparently, it was able to find 2,400 calls in a single day, extracting a link to the meeting, the date and time, the organizer, and the meeting topic. From the report:
Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.
In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting's Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 — briankrebs (@briankrebs) April 2, 2020
In a statement to The Verge regarding this issue Zoom said:
"Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join... Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out. We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made."
A second, separate report from The Intercept, published today, claims that Zoom's encryption algorithm has "serious, well-known weaknesses" and that keys are being issued by servers sometimes based in China, even if all the participants are based in the US.
Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.
The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom's "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university's Citizen Lab — widely followed in information security circles — that Zoom's service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them.
Zoom has not commented further on this issue, which was also reported by Forbes, which notes:
"...in an interview published on Forbes on Friday, Chief Executive Eric Yuan said the company was going to check on how it was routing conversations to China, but emphasized the data was protected. As Citizen Lab hadn't sent its findings to Zoom, saying it was in the public interest to release the information as soon as possible, the videoconferencing company wouldn't have been aware of the findings. But Yuan assured that if user data was being transferred to China when users weren't even based there, 'we are willing to address that.'"
Security concerns regarding Zoom are now well known in the community. The encouraging sign is that Zoom has taken notice, apologized and vowed to fix all of these issues over the next 90 days, freezing new features in the meantime.