As workers adapt to remote work amid the COVID-19 outbreak, many people are looking for an easy-to-use video conferencing solution. Zoom is an obvious first choice for many people wanting to start a video meeting; it is easy to set up, and its generous free membership makes it an attractive option. Since 2011, Zoom has done well to attract new users, thanks largely to word-of-mouth, “viral” adoption among employees rather than the top-down software rollouts often mandated by IT departments. As Jonathan Leitschuh discovered, however, there are some serious privacy and security issues to take into account with Zoom.
Security vulnerabilities with Zoom
As Leitschuh discovered, Zoom set up a local web server on Mac devices that allowed the program to bypass browser security features. When this was ethically disclosed to Zoom, Leitschuh claims that Zoom delayed acting on the vulnerability and did not discuss what he had found until 18 days before the end of the 90-day non-disclosure “grace period.” Then, on June 24, “after 90 days of waiting, the last day before the public disclosure deadline,” Leitschuh says that Zoom simply deployed a “quick fix” he had suggested to the company three months earlier. It would almost seem as though Zoom was somehow relying on the behaviour behind the exploit and was reluctant to patch promptly, as you would generally expect a software vendor to do.
Odd security policy allowing third-party and potentially malicious scripts
More recently (yesterday, actually) security researchers Jasvir Nagra and Scott Helme noticed some odd third-party scripts running that seemed to contradict Zoom’s security policy. As Helme tweeted, the 50million club website is rather interesting indeed. A Google search on the same domain points to listings warning people of pop-ups by 50million club that are a social engineering attack displaying fake error messages stating that your computer is infected with malware. It is not clear whether Zoom is aware that it is trusting what looks to be a malicious URL.
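The problems the researchers point out (a policy that is only in report-only mode with no report-uri, wildcard host sources, and third-party script hosts nobody has reviewed; see the tweets quoted further down) are exactly the kind of thing a pre-deployment check can catch. The checker below is an added example, not code from the original post or from Zoom; the sample header value and the allow-list of known script hosts are constructed for illustration.

```python
"""Audit a response's Content-Security-Policy headers for the weaknesses
discussed in the post. The sample header and allow-list are constructed."""
import re

# Constructed sample: a report-only CSP with no report-uri/report-to directive.
SAMPLE_HEADERS = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' 'unsafe-inline' *.example-cdn.com "
        "https://*.cloudfront.net https://analytics.example.org; img-src *",
}
# Assumed allow-list of hosts that are expected to serve scripts on the page.
KNOWN_SCRIPT_HOSTS = {"https://analytics.example.org"}

def parse_csp(value):
    """Turn a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def audit_csp(headers):
    """Return a list of human-readable findings for the CSP headers given."""
    findings = []
    enforced = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    if enforced is None and report_only is None:
        return ["no CSP header at all"]
    if enforced is None:
        findings.append("policy is report-only: nothing is actually blocked")
    for is_report_only, header in ((False, enforced), (True, report_only)):
        if header is None:
            continue
        policy = parse_csp(header)
        if is_report_only and not ({"report-uri", "report-to"} & policy.keys()):
            findings.append("report-only policy has no report-uri/report-to: violations go nowhere")
        for directive in ("script-src", "default-src"):
            for src in policy.get(directive, []):
                # '*' or '*.host' matches every subdomain, including ones an attacker could register
                if src == "*" or re.match(r"^(https?://)?\*\.", src):
                    findings.append(f"{directive}: wildcard host source {src}")
                elif src == "'unsafe-inline'" and directive == "script-src":
                    findings.append("script-src allows 'unsafe-inline'")
                elif not src.startswith("'") and src not in KNOWN_SCRIPT_HOSTS:
                    findings.append(f"{directive}: unreviewed third-party host {src}")
    return findings

if __name__ == "__main__":
    for finding in audit_csp(SAMPLE_HEADERS):
        print("-", finding)
```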
Since publishing this post, there have been several developments with Zoom:
- On March 26th, Motherboard discovered that Zoom was sending data to Facebook without an account or permission.
- On March 27th, Zoom founder Eric Yuan thanked Joseph Cox from Motherboard for bringing privacy concerns to attention, while failing to acknowledge the security flaws.
- On March 30th, Patrick Wardle, a former NSA hacker, disclosed a zero-day vulnerability in Zoom on his blog.
- On March 30th, Bloomberg announced a class action lawsuit was launched against Zoom for illegally disclosing personal information.
- On March 30th, the FBI warned about the teleconferencing hijacking vulnerability in Zoom.
- On March 31st, a report from the Intercept found that Zoom falsely advertised itself as using end-to-end encryption.
- On April 3rd, Dan Ehrlich of Twelve Security mapped out more than 130,000 subdomains associated with Zoom.us, and also noted ties linked to military hacking activity.
- On April 3rd, researchers at the University of Toronto also found Zoom’s encryption used keys issued via servers in China.
- On April 5th, school districts, including New York City’s, started banning Zoom because of online security and privacy issues, TechCrunch reports.
- On April 7th, Taiwan joined Canada in banning Zoom for government video conferencing, CBC reports.
- On April 9th, Google banned employees from using Zoom on their devices and encouraged the use of Google Meet.
- On April 13th, Bleeping Computer reported that over 500,000 Zoom accounts were sold on hacker forums and the dark web.
- On April 14th, Reuters reported that the Standard Chartered chief told staff to stay off Zoom and Google Hangouts.
- On August 2nd, Zoom agreed to pay $85M for lying about encryption and sending data to Facebook and Google, Ars Technica reports.
How can people ensure video conferencing is secure and private?
Security, privacy, and ease of use shouldn’t have to be a trade-off for having online meetings. Microsoft Teams, offered with Office 365, is another popular choice, although our support team is well aware of known issues with Teams that make it a challenge for many organizations to adopt. After doing some research and testing out some more secure video conferencing tools, I found several that are open source, which lets you move your instance to another provider if you wish. With open source there is also the option to customize the source code to suit individual needs or to comply with legislation such as GDPR or HIPAA. There are also no limits on how long your meeting can be, whereas Zoom calls are limited to 40 minutes. Here are some alternatives to Zoom…
This Zoom vulnerability is bananas. I tried one of the proof of concept links and got connected to three other randos also freaking out about it in real time. https://t.co/w7JKHk8nZy pic.twitter.com/arOE6DbQaf
— Matt Haughey (@mathowie) July 9, 2019
Zoom has some really weird sources allowed in their CSP… They don't look good even at first glance. h/t @jasvir for the find. pic.twitter.com/EVI7XfHgJj
— Scott Helme (@Scott_Helme) March 24, 2020
That's a funky CSP policy you got going on there @zoom_us.
Sure it's only in report mode (without a report-uri) but are you legit trying to whitelist wildcard subdomains of google & cloudfront & a potential cryptominer on your login pages? pic.twitter.com/kYat4UB9jB
— Jasvir Nagra (@jasvir) March 24, 2020
Just reported to me that this evening UF’s Student Government meeting was Zoom Bombed with racist messages, swastikas, pornography and death threats. I condemn these horrific messages of hate. I have asked UF IT and UF PD to investigate. COVID-19 and hate will be defeated.
— W. Kent Fuchs (@PresidentFuchs) April 1, 2020
@zoom_us has a series of domains whose names are startling. This seems to be from their internal corporate network, as customer domains are not present under the IPA fragment: f[u]ckmenumb[.]athena.ipa[.]zoom[.]us pic.twitter.com/d2OjHbcESY
— Twelve Security (@TwelveSecurity) April 6, 2020
Jitsi
A clear leader among free video conferencing platforms is Jitsi, mostly because of its extreme ease of use: it runs directly in the browser with no download necessary and no registration required, making Jitsi one of the most user-friendly apps for hosting a video call. Because it is browser-based, it is very easy and fast for people to join a meeting. To set up a video-conferencing session, you just point your browser to Jitsi Meet (meet.jit.si), enter a user name (or select the random one that’s offered), and click Go. This way you can start a conference with nothing more than a meeting link. Once you give Jitsi permission to use your webcam and microphone (sessions are DTLS/SRTP-encrypted), it generates a web link and a dial-in number others can use to join your session, and you can even add a conference password for an added layer of security. Jitsi is written in Java and keeps latency low by passing audio and video directly to participants’ devices. The Jitsi team has done an excellent job of creating a solid and free Zoom alternative that includes many of Zoom’s features.
It is an excellent cross-platform solution, with Android and iOS apps that let you make and take Jitsi video conferences on the go, and you can host your own multi-user video-conference service by installing Jitsi Videobridge on your server. There is also an option to record meetings and have them saved to your Dropbox account. While Jitsi supports calls with over 100 participants, and even over 1000 participants in one meeting, our testing with 250 participants seemed to slow performance and put a high CPU load on the host computer with HD video enabled.
Benefits
Ease of use
No sign up required
Open Source
Free
Group calls & chat
Limitations
Uses local computer resources
Brave
The privacy-focused web browser Brave has been busy in recent years; last year BAT was launched, allowing users of the browser to earn cryptocurrency when they click on opt-in advertisements. By default the browser blocks ads and trackers on the websites it loads, which cuts down on data usage and load time. It is built on Chromium, so it looks and behaves much like Google Chrome. Brave now boasts over 13.9 million monthly users.
The latest feature to be added to Brave is an online video conferencing service that does not require any download. It is based on the open-source Jitsi software described above. Simply visit together.brave.com in the Brave browser to start your video call. Because it is limited to just two people on the call, it may not be the best choice for business meetings, although any number of participants can join to view the meeting.
Benefits
Ease of use
No sign up required
Open Source
Free
No Download
Limitations
Uses local computer resources
Nextcloud
We have been a big supporter of the Nextcloud project since even before its developers split from ownCloud. This open-source software provides you with your own private cloud space, installed on your own server, with plenty of tools geared toward collaboration. Although it is free, open-source software, you will need a server; with our service, you can set one up with a few clicks and have Nextcloud pre-installed. Users can store and share documents and files either through the web interface or simply by dropping them into a Nextcloud directory on their desktop, which the Nextcloud desktop client synchronizes automatically. The web interface also includes a chat application called Talk, which can make voice calls, conference calls, and video calls, making Nextcloud a complete conferencing platform, virtual backgrounds included. We tested the chat app with 50 participants and it worked well, with excellent video quality.
Benefits
Regular new features
Open Source
Unlimited users
Limitations
Requires server
Resource intensive
Early days for video
Jami
A true open-source product, Jami is licensed under the GPLv3 and takes its commitments to security and to free and open-source software seriously. Communications are secured by end-to-end encryption, with authentication based on RSA/AES/DTLS/SRTP technologies and X.509 certificates.
Jami’s features include teleconferencing, media sharing, and text messaging. For more information about Jami, see its source code repository; its FAQ answers many questions about using the system.
Benefits
No sign up required
SIP compatible
Easy to use
Limitations
Basic video conferencing
Both users require app
Riot
riot.im
Riot is a lot more than just a video-conferencing solution—it’s team-management software with plenty of communication features built in, including voice and video conferencing, file sharing, notifications, and project reminders. Another great feature of Riot is that you can communicate with people using other collaboration tools—including IRC, Slack, Twitter, SMS, and Gitter. Riot can be installed on your own server, or you can use a free public Matrix server. It is available under an Apache 2.0 license, its source code is available on GitHub, and you can find documentation, including how-to videos, on its website.
Benefits
Mobile friendly
Free & Open Source
Easy to use
Limitations
Requires server
Implementation can be tricky
Limited desktop support
Signal
For mobile devices running Android or iOS, the open-source Signal app offers end-to-end encrypted voice, video, text, and photos, and it has been endorsed by security and cryptography experts including Edward Snowden and the Electronic Frontier Foundation. Registering is really simple: you just download the app from the iOS or Android app store on your device or visit signal.org/install, enter your mobile number, and you are good to go. To make a video call, both users will need the mobile app; there is a desktop app, but it only allows text chat, not video chat. It is an excellent choice for secure group chats, with great video and audio quality. Signal supports meetings for up to 40 participants.
Benefits
Mobile friendly
Free to use
Easy to use
Limitations
No video conferencing
Both users require app
Limited desktop support
Linphone
Linphone is dual-licensed; there’s an open-source GPLv2 free version as well as a closed version which can be embedded in other proprietary projects. As a VoIP service that operates over the Session Initiation Protocol (SIP), it requires a SIP number, and Linphone limits you to contacting other SIP numbers only—not cellphones or landlines. Linphone can provide you with a free SIP service that allows you to make audio and video calls, do web conferencing, communicate via chat, and share files and photos (SIP/TLS, SRTP, SRTP-DTLS, ZRTP), including end-to-end encryption for messaging. A drawback is that there are no screen-sharing, meeting-room or collaboration features.
Benefits
Mobile friendly
Free & Open Source
Easy to use
Limitations
No cellphones or landlines
No collaboration features
No screen sharing
Others worth looking at
These are services that are on our list to try out and look good. I actually tried Wire on a free trial, and it offers a great experience for cloud-based video conferencing.
- Wire
- Cisco Webex
- Proficonf
- RingCentral
- Zoho meeting
- FreeConference.com
Zoom re-branded services
These vendors use Zoom to power their own paid video conferencing plans. If you use any of these video conferencing apps for video calling, you are also using Zoom.
- Zhumu
- Telus Meetings
- BT Cloud Phone Meetings
- Office Suite HD Meeting
- AT&T Video Meetings
- BizConf
- Huihui
- UMeeting
- Zoom CN
We recognize that working from home is going to require a reshuffle of how organizations, offices, and employees work. However, workers’ personal privacy should not be sacrificed in this transition.
Now that offices are closed, it is more important than ever that workers remember security guidelines. We have resources that can help you stay safe: our 5 tips to stay safe online outline best practices, and our Internet Security Bundle can help employees maintain their security and privacy while working from home.