An article by Jason Spulak, Call One’s Senior Product Manager

As if the daily barrage of troubling COVID-19 headlines weren’t enough to deal with, another story is making major headlines, and if it hasn’t captured your attention already, it certainly deserves it: Zoom security and data privacy issues leave users at risk.

What happened?

Due to the impact of COVID-19, there has been a massive surge in the number of people around the world using video conferencing applications. The wildly popular Zoom application has been the platform of choice for many as we look for ways to keep business moving and remain connected to one another during this unprecedented crisis. Zoom also happens to be the tech stack used to facilitate video conferencing and collaboration in the Call One UC platform.

For Zoom, this major moment in the global spotlight has not been the shining moment I’m sure they had hoped for. By now you have likely heard that security experts have identified security and privacy issues with the platform; these vulnerabilities have been widely publicized in the press.

Without missing a beat, malicious attackers have seized on this opportunity and have been busy exploiting these vulnerabilities, creating uncertainty for users as they question the integrity of the platform.

I’m here to assure you that, while there are some challenges ahead, Zoom is actively working to address these vulnerabilities, and if you follow the best practices described below you can enjoy peace of mind when using the Call One UC platform to keep business moving and stay in touch with those you can’t physically be with during the COVID-19 crisis.

As a Call One UC subscriber, how am I affected?

All customers subscribed to Call One UC with Accession Meeting are affected. Users are currently exposed to two different types of vulnerability: those that affect security and those that affect data privacy. Here’s what is currently being done for you and the actions you can take to protect yourself:

Security

UNC Path Injection

This is a vulnerability in the Zoom Windows client that allows a malicious party to steal Windows login credentials or run software on the PC; both are triggered when the user clicks a malicious link in the meeting chat.

What’s being done to address this vulnerability?

  • Call One and our partners are working with Zoom to provide a fix for the UNC path injection vulnerability. We will communicate the expected date that this will be available as soon as possible.

How can I protect myself?

  • In the interim, the Meeting chat function can be disabled as a mitigation. Users can do this in the Advanced Settings under Tools->Options->Meeting.

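
To show the kind of client-side handling that removes the clickable link from this attack, here is an added example (not Call One’s or Zoom’s code) of a chat renderer that hyperlinks only http(s) URLs and leaves UNC paths and file: URLs as inert, escaped text; the regexes and function names are assumptions.

```python
import html
import re

# Constructed example, not Call One's or Zoom's code: a chat renderer that hyperlinks
# only http(s) URLs. UNC paths (\\host\share\...) and file: URLs are HTML-escaped and
# left as plain text, so clicking on a pasted path cannot start the credential-leaking
# behaviour the UNC path injection issue relies on.

# \\host\share or \\host\share\path; the lookbehind stops matches inside longer tokens.
UNC_PATH = re.compile(r'(?<![\w\\])\\\\[^\s\\]+\\[^\s]*')
FILE_URL = re.compile(r'(?i)\bfile://\S+')
HTTP_URL = re.compile(r'(?i)\bhttps?://[^\s<>"]+')


def find_unsafe_links(message: str) -> list:
    """Return every UNC path or file: URL in a message; these must never be linkified."""
    return ([m.group(0) for m in UNC_PATH.finditer(message)]
            + [m.group(0) for m in FILE_URL.finditer(message)])


def render_chat_message(message: str) -> str:
    """HTML-escape the whole message and turn only http(s) URLs into anchors."""
    parts, pos = [], 0
    for m in HTTP_URL.finditer(message):
        parts.append(html.escape(message[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    parts.append(html.escape(message[pos:]))
    return ''.join(parts)


if __name__ == "__main__":
    # Constructed sample chat line containing both a UNC path and a normal web link.
    sample = r"minutes are on \\fileserver\share\q1.txt and https://example.com/agenda"
    print(find_unsafe_links(sample))
    print(render_chat_message(sample))
```
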
ZoomBombing

ZoomBombing is when uninvited attendees break into and disrupt a meeting. This can happen when a meeting URL is posted on a public forum, or when the meeting ID is guessed by a third party.

What can I do to protect myself?

By default, meetings and webinars will not start without the host being present, but there are also a number of Call One UC Accession Meeting features that you can use to mitigate the risk from this vulnerability. For example:

  • Meetings can have password protection.
  • Waiting rooms require the host to actively admit new participants.
  • The host can view their participant list, lock their meeting, and remove participants.
  • Chime upon entry notifies the participants when someone new joins the meeting.

Additionally, V2.33 will include two fixes that will make it very difficult for attackers to guess valid meeting IDs:

  • The server will no longer indicate whether a requested meeting ID is valid or invalid, making automated scanning for valid meeting IDs more difficult and time consuming for a bad actor.
  • The server will detect repeated attempts to scan for meeting IDs and block such scans for a period of time.

It is highly recommended that all customers upgrade to V2.33 when it is released.

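
As an added illustration (not Zoom’s or Call One’s server code) of the two server-side fixes just described, here is a small join gate that returns the same answer for an unknown meeting ID and a wrong password, and temporarily blocks a source that probes too many IDs in a short window; the limits, the meeting table and the JoinGate class are assumptions.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed example, not Zoom's or Call One's server code: a join gate that behaves the
# way the two V2.33 fixes are described. Every lookup gets the same answer whether the
# meeting ID is unknown or the password is wrong (no validity oracle), and a source that
# probes too many IDs inside one window is blocked for a cooling-off period.

MAX_ATTEMPTS = 5        # lookups allowed per window per source (assumed values)
WINDOW_SECONDS = 60
BLOCK_SECONDS = 300

# Constructed meeting table: meeting ID -> meeting password.
MEETINGS = {"123456789": "s3cret", "987654321": "hunter2"}


class JoinGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                    # injectable so tests can control time
        self.attempts = defaultdict(deque)    # source -> timestamps of recent lookups
        self.blocked_until = {}               # source -> time at which its block expires

    def is_blocked(self, source):
        return self.blocked_until.get(source, 0.0) > self.clock()

    def _record_attempt(self, source):
        """Track lookups per source and start a block once the window limit is exceeded."""
        now = self.clock()
        recent = self.attempts[source]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) > MAX_ATTEMPTS:
            self.blocked_until[source] = now + BLOCK_SECONDS
            recent.clear()

    def join(self, source, meeting_id, password):
        """Return 'joined', 'denied' or 'blocked'; 'denied' never says which check failed."""
        if self.is_blocked(source):
            return "blocked"
        self._record_attempt(source)
        if self.is_blocked(source):
            return "blocked"
        expected = MEETINGS.get(meeting_id, "")
        # Constant-time password compare; unknown ID and wrong password give the same result.
        if meeting_id in MEETINGS and hmac.compare_digest(expected.encode(), password.encode()):
            return "joined"
        return "denied"
```
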
End-to-End Encryption

Various press articles have questioned Zoom’s use of the term “end-to-end encryption” to describe its service.

Zoom clarified its encryption model in a recent blog post:

  • If all users of the meeting are using Zoom (or Call One UC Accession Meeting) clients then the traffic is encrypted at all times, only being decrypted on the endpoints themselves.
  • If a user connects via a Room System, then traffic is encrypted between the device and Zoom’s Room Connector where it is decrypted and then re-encrypted to pass onto other endpoints.
  • If a user connects via dial-in, then traffic is encrypted between Call One’s SBC (as it leaves the customer’s network) and Zoom Telephony Connector where it is decrypted and then re-encrypted to pass onto other endpoints.

In the latter two cases, “encrypted” refers to the connection being encrypted from Zoom endpoint to Zoom endpoint. This encryption ensures that no one intercepting the traffic before it reaches Zoom can decrypt it, which is similar to how many other communications (e.g. voice calls) are encrypted.

Privilege Escalation to Root

It has been reported that a malicious user can abuse Zoom’s install process to run their own script with root privileges if the Zoom client is installed by a non-admin user on a Mac.

What can I do to protect myself?

This exploit does not impact Call One UC Accession Meeting, as it is packaged with our own installer and so does not use the same script.

However, it could impact third parties who are invited to meetings created by these end users, as those third parties simply download the standard Zoom installer.

What’s being done?

  • Call One and our partners are working with Zoom to provide a fix for the privilege escalation to root vulnerability. We will communicate the expected date that this will be available as soon as possible.

Code Injection for Mic & Camera Access

It has been reported that a malicious user can inject a library into Zoom’s executable on a Mac to gain access to the microphone and camera without the end user being asked for permission.

What’s being done?

Call One and our partners are working with Zoom to provide a fix for the code injection for mic and camera access vulnerability. We will communicate the expected date that this will be available as soon as possible.

Data Privacy

Zoom is sharing or selling user data

It has been reported that Zoom was sharing or selling personal user data to third-party marketers. This data can include names, addresses, job titles and employers, Facebook profiles, device specifications, and any other identifying data.

Call One UC has a dedicated, separate instance of Zoom’s software with a separate subscriber database. Our software controls what information is provisioned into our instance, and this does not include email, address, job titles, etc.

Zoom confirmed this via an update to its privacy policy, stating: “Zoom does not monitor or use customer content for any reason other than as part of providing our services. Zoom does not sell customer content to anyone or use it for any advertising purposes”.

Zoom Mobile client sharing data with Facebook

What can I do to protect myself?

This does NOT affect the Call One UC Accession Meeting client.

Report that Zoom is displaying LinkedIn data without permission

What can I do to protect myself?

This does NOT affect the Call One UC Accession Meeting client.


Many of the major concerns seen in recent headlines have been addressed here, and it’s a lot to digest. If you have any additional questions, Call One is here to help. Our technical support teams are available 24/7 to address any concerns you may have with this product.

Siobhan Glenn