Background

This FAQ provides LBNL's analysis and recommendations on recent security and privacy concerns associated with Zoom, the primary video conferencing software used by LBNL. This FAQ is intended to be a summary providing an overview; for details on any particular issue, please see the reference section.

  • Zoom Bombing - this is the term used when an uninvited guest crashes your Zoom meeting. These uninvited guests can cause various annoyances or interruptions, including sharing inappropriate content with attendees.  Bombing is possible because the default Zoom settings do not require authentication to join and because Zoom links are shared openly, e.g. in calendar invites or on webpages. More sophisticated attackers have developed utilities to brute-force and locate open Zoom meetings.  The short answer to this issue is to consider keeping Zoom links protected and/or password protecting your Zoom meetings. That said, in the vast majority of situations this is not necessary.

  • Client Vulnerabilities - multiple vulnerabilities have been found in the Zoom client over the years.  The most recent vulnerabilities may allow Windows passwords to leak or expose OSX to a local privilege escalation. While this may sound alarming, client vulnerabilities are not unique to Zoom.  All software has vulnerabilities; all software requires constant updating, and Zoom is not an exception.  The short answer to this issue is to ensure you are always running the current Zoom client.

  • Encryption Issues - Zoom has been criticized for using relatively weak encryption and for not actually performing end-to-end encryption - the encryption is proxied by Zoom.  Adding to the criticism is the fact that Zoom may have been misleading about, or misrepresented, what they are doing with encryption, further eroding trust.  While not perfect, Zoom provides a reasonable level of encryption for the sort of conversations occurring at Berkeley Lab.

  • Foreign Involvement - some Zoom product development work is done in China, and recently some Zoom calls were routed through China. The challenges in US and China relations are well documented.  Zoom is just the latest example of a company in the middle of these challenges.  The short answer is that none of the information about Zoom and China is concrete or concerning enough to reevaluate our usage of Zoom.

Our Zoom Assessment 

Recent events have not changed LBNL's view that Zoom is an appropriately secure video conferencing solution for use at Berkeley Lab.  Zoom, which is offered by LBNL and all the UC campuses under a negotiated agreement, is LBNL's recommended and supported video conferencing system.  

We have created Our Zoom Security Assessment, which is limited to LBNL employees, to provide additional details.  This page also includes a few details we've learned about UC and other DOE Lab assessments. 

In addition, please see the UC Systemwide Note on the use of Zoom.

Colleague Challenges

Some peer institutions have made different risk assessments and restricted the use of Zoom. You should keep in mind that these assessments are often grounded in situations that are distinct from ours:

  • Many of our higher education peers do not have a contract with Zoom.  The UC-wide agreement and the LBL agreement provide contractual protections on privacy and security that are not necessarily in place for those without an agreement.
  • Some of our Laboratory and Federal peers conduct very sensitive work and have judged that they want that work to take place via other tools.   Their risk posture is necessarily different from our quite open environment.  

If you're having difficulty with a colleague accessing Zoom from another institution, you have options:

  • Have your colleague use the phone and dial into Zoom.
  • Have your colleague use Zoom's "join from browser" option, which does not require the installation of any client software.
  • Have your colleague use their smartphone with the Zoom client, which some organizations are permitting.
  • Consider using Google Hangouts:Meet instead, if this is permitted by the other organization.
  • If someone else is hosting the meeting, use the software (WebEx, BlueJeans, etc.) provided by the host.
  • Let us help you push back - reach out to [email protected] so we can get in touch with their organization's cyber security staff and explain the impact of this decision.

Information we have gathered on the postures of other institutions is available here.

What should you do?

  • Make sure your Zoom app is updated to the latest version.  Here are the Zoom instructions for updating

  • Familiarize yourself with meeting controls, many of which are discussed in our Zoom Security Settings page. 

  • Evaluate the content of your Zoom meetings and consider password protecting them.
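As an added example (not part of the original page or of any Zoom or LBNL tool), the following script audits a block of text such as a calendar export or a web page for Zoom join links that carry no embedded passcode, the situation the Zoom Bombing item above describes. The sample text, hostnames and passcode value are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlparse

# Zoom join links look like https://<subdomain>.zoom.us/j/<9-11 digit meeting id>[?pwd=...].
# Only non-capturing groups are used so re.findall() returns the whole URL.
ZOOM_JOIN_RE = re.compile(
    r"https?://(?:[\w-]+\.)?zoom\.us/j/\d{9,11}(?:\?[^\s<>\"']*)?", re.IGNORECASE
)


def find_unprotected_zoom_links(text):
    """Return (url, meeting_id) for every join link in text without a pwd= parameter.

    A missing embedded passcode does not prove the meeting is open: the host may
    distribute the passcode separately or rely on a waiting room. Treat the result
    as a review list for the meeting owner, not as a verdict.
    """
    findings = []
    for url in ZOOM_JOIN_RE.findall(text):
        parsed = urlparse(url)
        meeting_id = parsed.path.rsplit("/", 1)[-1]
        # parse_qs drops blank values, so "?pwd=" with nothing after it is flagged too.
        query = parse_qs(parsed.query)
        if not query.get("pwd"):
            findings.append((url, meeting_id))
    return findings


# Constructed sample: three invites, only the first carries a passcode in the link.
SAMPLE_CALENDAR_TEXT = """\
Weekly sync: https://example.zoom.us/j/12345678901?pwd=examplePasscode
Open seminar (link posted on a public web page): https://zoom.us/j/4567890123
Vendor call: https://us02web.zoom.us/j/98765432109?pwd=
"""

if __name__ == "__main__":
    for url, meeting_id in find_unprotected_zoom_links(SAMPLE_CALENDAR_TEXT):
        print(f"review meeting {meeting_id}: no passcode in link {url}")
```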

Questions or Feedback

If you have any questions about using Zoom, please contact the Help Desk - [email protected] or call x4357.

If you have any feedback on this page please contact [email protected].

References

We don't necessarily agree with or condone any of these references; it's just a list of discussions that we've found useful to further our understanding.

Overviews:

https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

https://www.tomsguide.com/news/zoom-security-privacy-woes

Encryption details: 

https://blog.cryptographyengineering.com/2020/04/03/does-zoom-use-end-to-end-encryption/

https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

Similar Issues with other collaboration software:

https://threatpost.com/cisco-webex-flaw-lets-unauthenticated-users-join-private-online-meetings/152191/

https://www.techrepublic.com/article/slack-vulnerability-allows-attackers-to-intercept-modify-downloads/

https://www.cybersecurity-insiders.com/microsoft-teams-vs-slack-security/


Please link to this page with https://go.lbl.gov/zoom-security