Zoom Security – A High-Level Comparison with Toasty

Get to know how security vulnerabilities can occur in Zoom even with their commitment to patch them. See how Toasty is built differently.

Zoom has faced many criticisms in the past year. And it has come up with a number of countermeasures in an ongoing attempt to remediate lost consumer trust. The company has had issues with data privacy, security breaches, and other vulnerabilities.

Some blog posts covering Zoom’s security vulnerabilities and misdemeanors use technical jargon but miss out on what’s more important – why these vulnerabilities occur.

There is no 100% perfect security. However, looking at the way Zoom delivers their app, and the way they make claims about their security, we can see two major risk factors that are ongoing concerns for users for whom security is top of mind.

Zoom Security Risk 1: Desktop App

When users download and run Zoom as a desktop app (running on their PC/Mac), they generally have a better experience than when using Zoom as a web app.

To make the experience possible, users need to allow developers to have direct access to security features. These features include things like listening on various ports so their website can communicate with the app.

This opens up an attack surface where malicious users can find an exploit to spy on other users’ webcams without them knowing, create Zoom-like fake apps to trick users into downloading malware, and “zoom-bomb”, where people randomly join a chat without password protection and intrude on private conversations.

Zoom has patched up most of these vulnerabilities. Minor annoyances are avoidable by keeping good security hygiene (e.g. setting a password and waiting room).

The fact is that many users still use their desktop app. This means they continue to have a huge attack surface open for more undiscovered vulnerabilities in the future. And that is quite unsettling.

Zoom Security Risk 2: Claims Don’t Match Reality

We’ve heard all about Zoom having a rough history with implementing End-to-End encryption. Accusations of misleading investors about their level of encryption have been aplenty. Criticisms have also been levelled for initially only letting paid users access the feature.

A Note on End-to-End Encryption

Having highly sensitive conversations that require total protection? End-to-end encryption (E2EE) is the gold standard to ensure maximum peace of mind.

Transport-based (TLS) encryption secures communication data (text, audio, and video) between the users’ browser/app and the service provider, so the data can potentially be decrypted by the service provider. With end-to-end encryption, however, the data is only decrypted when it arrives at the recipients’ device.

For video conferencing (not just Zoom), there is a trade-off when seeking the maximum level of encryption. You have to give up on a few key features. Recording, live transcription, and any other feature that requires associating an activity to a unique identity need to go.

“Although E2EE meetings are more secure, they don’t work with a few of Zoom’s features. These include its cloud recording, live transcription, polling, meeting reactions, and join before host features. Participants also won’t be able to join using “telephone, SIP/H.323 devices, on-premise configurations, or Lync/Skype clients,” as Zoom says these can’t be end-to-end encrypted.”

The Verge
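
The difference between the two models, and why server-side features such as recording drop out under E2EE, can be shown with a toy relay. This is an added example, not code from Zoom, Jitsi or Toasty; all function names are hypothetical, a pre-shared per-hop key stands in for TLS, and the X25519 exchange is left unauthenticated for brevity.

```javascript
// Added illustration: transport encryption vs. E2EE through a relay server.
const crypto = require('node:crypto');
// AES-256-GCM helpers; a frame carries nonce, ciphertext and auth tag.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function unseal(key, frame) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, frame.iv);
  d.setAuthTag(frame.tag);
  return Buffer.concat([d.update(frame.ct), d.final()]); // throws on wrong key
}

// Transport model: the relay decrypts hop 1 and re-encrypts for hop 2.
function transportRelay(keyAliceServer, keyServerBob, frame) {
  const seenByServer = unseal(keyAliceServer, frame); // plaintext on the server
  return { seenByServer, forwarded: seal(keyServerBob, seenByServer) };
}

// E2EE model: clients agree on a key with X25519; the server only forwards.
function deriveE2eeKey(myPrivate, peerPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}
function e2eeRelay(serverKeys, frame) {
  let seenByServer = null; // stays null: no key the server holds opens the frame
  for (const k of serverKeys) {
    try { seenByServer = unseal(k, frame); } catch (_) { /* tag check fails */ }
  }
  return { seenByServer, forwarded: frame };
}

function demo() {
  const msg = Buffer.from('constructed sample: meeting audio frame');
  const kAS = crypto.randomBytes(32), kSB = crypto.randomBytes(32);
  const t = transportRelay(kAS, kSB, seal(kAS, msg));
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const e = e2eeRelay([kAS, kSB], seal(deriveE2eeKey(alice.privateKey, bob.publicKey), msg));
  const bobKey = deriveE2eeKey(bob.privateKey, alice.publicKey);
  return {
    transportServerSees: t.seenByServer.toString(),
    transportBobGets: unseal(kSB, t.forwarded).toString(),
    e2eeServerSees: e.seenByServer,
    e2eeBobGets: unseal(bobKey, e.forwarded).toString(),
  };
}
```

In the transport model the relay holds the plaintext and could record or transcribe it; in the E2EE model it holds only ciphertext, which is why those server-side features cannot work.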

Instead of being honest, Zoom chose to make false claims of its encryption security. It only owned up after being discovered. They use the incompatibility with their other features as an argument to not tell the truth. It isn’t difficult to imagine other malpractices that have not yet been brought to light.

Toasty is built on Industry Leaders

At Toasty, we have written openly about our own security standard.

Toasty uses Jitsi Video Conferencing

For video conferencing, we trust Jitsi. With Jitsi being open-source, anyone can vet the source code for its strength. Having the need to stand up against public scrutiny incentivizes developers to have security top-of-mind. They have written about end-to-end encryption and privacy.

Jitsi uses a component architecture in which components talk to each other through well-defined interfaces. So an attempt to exploit a vulnerability in one component will likely require that all partner components be hacked as well. And they all need to “somehow be OK” with the hack.

Locating a “cooperating” vulnerability in multiple components is much more difficult than finding a vulnerability in one app.

With components defined separately, verbose logging, and open source maintainers required to write extensive tests before their work is approved and accepted, it is less likely a vulnerability will pass through the multiple layers of checks.

Toasty uses Amazon Web Services

From deploying our apps, to storing data, to operating our infrastructure securely, we use Amazon Web Services and their immense suite of technology. Their 88-page white paper talks in-depth about how they adhere to strict international standards and governing bodies. It also details their compliance program and their service-specific security measures. AWS is a practitioner of the “Defense-in-depth” information security concept, with resource-specific security rules, identity/access management, and much more.

Toasty is delivered through the Browser

At Toasty, we deliver our app through the web browser, specifically Google Chrome on Desktop and Safari on iPad.

Understanding the Browser Sandbox

When launching an app within a web browser, it must obey the browser “sandbox” security model. This means apps run with increased limitations and cannot arbitrarily run code, or mess around with your camera and microphone.

“A sandbox is a tightly controlled environment where programs can be run. Sandboxes restrict what a piece of code can do, giving it just as many permissions as it needs without adding additional permissions that could be abused.”

HowtoGeek.com

Browser Security also follows “Defense-in-depth”

Using a browser drastically reduces the attack surface on the application. Web browsers get updates much more frequently. They have a well-known development practice and also follow “Defense-in-depth”. Browser developers go through security training. Their codebase undergoes automatic checks using security analysis tools. Regular audits of the browser, not only by an internal team but occasionally by an external team, are a given. On top of this, all apps and websites must be executed inside their sandbox.

Summary

By trusting Zoom’s desktop app, you give it permission to change your computer’s security settings. This leaves a large attack surface open. Their pattern of being less than honest in disclosing their security vulnerabilities indicates they believe they can get away with less than secure best practices.

Sure, you can generally use Zoom for your casual chit chat. But you may want to consider using something more inherently secure for your peace of mind.

At Toasty, we are open to discuss any security or data privacy matter. We encourage our users and customers to check our work regularly.

Have we missed something about security and privacy that we should talk about? Please reach out to us at [email protected].