# Security and data protection on the CERN Zoom pilot service

The Zoom service, because of its recent exposure, has been under very tight scrutiny by journalists and security experts worldwide, unveiling issues with the service's security or data handling. The CERN videoconference service management team tries to take a pragmatic approach to this surge of information: we analysed all security incidents we are aware of and their possible impact on CERN users' security or privacy. **We will let the pilot continue, as long as we believe CERN users are not exposed to an important security risk by using the service.**

You will find below all the incidents we were informed about, whether they were fixed by Zoom, the possible mitigation actions we took ourselves, and the estimated risk for CERN users. The Zoom client comes with an automatic update prompt, so all users benefit from bug and vulnerability fixes as soon as Zoom releases them.

What matters in assessing the situation is not so much the number of issues uncovered in recent weeks, but the reactivity of the company, which in all cases this year is counted in days if not hours. Zoom is now reacting fast to all disclosed vulnerabilities or issues, and has even announced a complete [refocus of all its development force on security and data protection for the coming few months](https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/). This is a Copernican revolution for a company which, it seems, was once focused on user experience with great success, but for which security may not have had all the attention it deserved.
| Security/DP Issue | Platform | Status | Mitigation | Current risk for CERN users |
| -------- | -------- | -------- | ------- | ------- |
| [Serious security issue with Zoom's Waiting Room feature](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/); as part of their research, Citizen Lab have identified what they believe to be a serious security issue with Zoom's Waiting Room feature. | All | Fixed by Zoom | Zoom has modified the way waiting rooms are moderated through a new release of the clients (4.6.10). | None |
| [New criticism about Zoom encryption](https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/); Zoom uses AES128 and ECB for encrypting their meetings; some media flow was routed through China. | All | [Fixed by Zoom](https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/) | Chinese servers removed from whitelist; Zoom has also enforced AES 256 for all encrypted meetings. Zoom switched all users to AES 256 GCM on 30th May. Zoom introduced a feature by which each user can decide to which geographical area their communications will be routed. | Low |
| [Zoom recordings exposed on open web](https://www.washingtonpost.com/technology/2020/04/03/thousands-zoom-video-calls-left-exposed-open-web/), not by Zoom but by some meeting hosts | All | Mitigated by CERN | Meeting hosts who are recording meetings should be very cautious not to expose the recordings. The CERN service managers have configured the service so that meeting participants must give consent when a recording is started. | Limited, and depends on the meeting host's proper management of the recorded files. |
| [Local security issue](https://objective-see.com/blog/blog_0x56.html) allowing gain of additional privileges, and access to the user's webcam and microphone (local means that the attacker must already have access to the machine running the Zoom client in order to exploit the vulnerabilities) | MacOS | [Fixed by Zoom](https://support.zoom.us/hc/en-us/articles/201361963-New-Updates-for-macOS) | Upgrade to latest client | None if client up to date |
| [Zoom meeting encryption criticized](https://theintercept.com/2020/03/31/zoom-meeting-encryption/) | All | [Clarified by Zoom](https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/) | Zoom does end-to-end encryption as soon as the usage scenario allows. If the usage does not allow it (cloud recording, or a meeting joined by non-Zoom clients), then only Zoom has access to the data, and only for the provision of the service. | Low |
| Zoom data handling policy required clarification | All | [Fixed by Zoom](https://blog.zoom.us/wordpress/2020/03/29/zoom-privacy-policy/) | Zoom added many details to their [privacy policy notice](https://zoom.us/privacy), and clarified that they were not sharing any user data with anyone except for providing the service (user support, for example). | None |
| Device information sent to Facebook | iOS | [Fixed by Zoom](https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/) | Upgrade to latest client | None if client up to date |
| "Zoombombing" cases: attackers profit from non-protected meetings to join and share offending material | All | Mitigated by CERN | Changed CERN meeting defaults to be password-protected | None if hosts password-protect their meetings |
| Instant Messages not encrypted | All | Mitigated by CERN | Changed CERN meeting defaults to be E2E | None |
| "Attention-tracking" privacy issue: allows a host to track whether a participant is following a meeting | All | Fixed by Zoom | Feature removed from Zoom products | None |
| CVE-2019-13567: attackers can force remote code execution | MacOS | [Fixed by Zoom](https://support.zoom.us/hc/en-us/articles/360031245072-Security-CVE-2019-13567) | Upgrade to latest client version | None if client up to date |
| CVE-2019-13450: attackers can force join a Zoom meeting with camera activated | MacOS | [Fixed by Zoom](https://support.zoom.us/hc/en-us/articles/360031245012-Security-CVE-2019-13450) | Upgrade to latest client version | None if client up to date |
| CVE-2018-15715: Zoom clients are vulnerable to unauthorized message processing | All desktop clients | [Fixed by Zoom](https://support.zoom.us/hc/en-us/articles/360020436071-Security-CVE-2018-15715) | Upgrade to latest client version | None if client up to date |
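The ECB criticism in the table above is easiest to see in code: ECB encrypts every 16-byte block independently, so repeated content in a media stream (a static background in a video frame, for instance) produces repeated ciphertext blocks that an observer can spot without any key. The following is an added example, not CERN's or Zoom's code. Because AES is not in the Python standard library, a toy 128-bit Feistel cipher built from HMAC-SHA256 stands in for AES, and CTR mode stands in for the confidentiality part of AES-GCM; the key, nonce and "video frame" are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, as in AES

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher: keyed hash truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 8-round Feistel network: an invertible 128-bit permutation standing in for AES.
    # Like any block cipher it is deterministic for a fixed key, which is all that
    # the ECB weakness depends on.
    l, r = block[:8], block[8:]
    for rnd in range(8):
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return l + r

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    # Run the Feistel rounds backwards to confirm the toy cipher is a real permutation.
    l, r = block[:8], block[8:]
    for rnd in reversed(range(8)):
        l, r = bytes(a ^ b for a, b in zip(r, _f(key, rnd, l))), l
    return l + r

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR (the confidentiality half of GCM): keystream block i = E_k(nonce || counter i),
    # XORed into the data, so equal plaintext blocks give unrelated ciphertext blocks.
    assert len(nonce) == 12  # 96-bit nonce + 32-bit counter, as in GCM
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = toy_block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def repeated_blocks(ct: bytes) -> int:
    # Count ciphertext blocks that duplicate an earlier block: the pattern leak an eavesdropper sees.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample: a 16-block "frame" that is all background except one block.
KEY = b"constructed-key!"
NONCE = b"\x00" * 12
FRAME = (b"\x00" * BLOCK) * 6 + b"object-in-frame!" + (b"\x00" * BLOCK) * 9
```

With ECB the 15 identical background blocks collapse to 14 visible repeats in the ciphertext, while CTR yields none; the same keystream XOR also decrypts, which is why CTR-style modes must never reuse a nonce under one key.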