With so many people working and socializing from home, staying connected has become essential, and many have turned to Zoom for conference calls, chats, and more. Convenient as it is, the first half of 2020 exposed a number of serious security and privacy problems in the application. Learn about the latest Zoom vulnerabilities, potential Zoom alternatives, and how to protect yourself.


Zoom’s Rise in Popularity

Over the past several months, Zoom’s popularity has risen sharply, in large part because of its ease of use. In March 2020 the company said its daily meeting participants had grown from 10 million in December 2019 to 200 million.

Zoom Vulnerability Discoveries: A Recent History

Zoom is no stranger to security controversy. Over the past month, however, security researchers have disclosed several Zoom vulnerabilities and insecure default privacy settings. They range in severity, and the meeting hijacking they enabled prompted an FBI field office to issue guidance to users.

Zoom Vulnerability 1: Facebook Data Sharing

iOS users were in for an unpleasant surprise in late March. According to an analysis by Motherboard, Zoom’s iOS app bundled the Facebook SDK, which sent device and usage analytics to Facebook when the app was opened, even for users who had no Facebook account. Users had no way of knowing, because Zoom’s privacy policy made no mention of it.

Since Motherboard’s report, Zoom has removed the Facebook SDK from its iOS app. Users running older versions of Zoom on iOS should update.

Zoom Vulnerability 2: Misleading Encryption Standards

Zoom has also come under fire for misleading encryption claims. Its website stated that video calls were end-to-end encrypted as long as every participant joined with computer audio rather than dialling in. As The Intercept reported, that was not true in the accepted sense of the term. Meeting traffic was protected in transit with TLS, the same transport encryption that protects HTTPS sites, between each client and Zoom’s servers, which means Zoom’s own servers could decrypt the audio and video. The company has since revised what it means by “end-to-end,” but researchers note that the new language is still misleading.

A separate investigation by Citizen Lab at the University of Toronto found that Zoom’s encryption was weaker than advertised. Although Zoom’s documentation claimed AES-256, the researchers found that each meeting was encrypted with a single AES-128 key shared by all participants. 128-bit AES is still considered secure, though many services have moved to 256-bit keys; either way, it is unclear why Zoom misstated its own standard.

Citizen Lab also raised concerns about Zoom using AES in ECB (Electronic Codebook) mode. ECB is not a separate algorithm but a mode of operation, and a poor choice for media: each 16-byte block is encrypted independently under the same key, so identical plaintext blocks always produce identical ciphertext blocks. Patterns in the input, such as the large uniform regions of a video frame, therefore remain visible in the ciphertext, which other modes avoid.
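To make the ECB problem concrete, here is an added example (not Zoom’s code or Citizen Lab’s) that encrypts a repetitive payload once in ECB mode and once in counter (CTR) mode and counts duplicated ciphertext blocks. The Python standard library has no AES, so the block cipher is a stand-in, an assumption: a four-round Feistel network over 16-byte blocks with HMAC-SHA256 as the round function. The leak is a property of the mode, not the cipher, so real AES-128-ECB behaves the same way. The payload, key, and nonce are constructed sample values.

```python
"""Why ECB mode leaks structure, shown with a stand-in block cipher.

Added example, not Zoom's code. In ECB mode every 16-byte block is
encrypted independently under the same key, so equal plaintext blocks
give equal ciphertext blocks; a counter-mode (CTR) keystream over the
same cipher does not have that tell. The block cipher here is an
assumption chosen so the script runs with only the standard library:
a 4-round Feistel network over 16-byte blocks using HMAC-SHA256 as the
round function.
"""
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over (round number || half block),
    # truncated to the 8-byte half width.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with the stand-in Feistel cipher."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: the same rounds applied in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: no IV, each block encrypted on its own; fully deterministic."""
    if len(data) % BLOCK:
        raise ValueError("ECB input must be a whole number of blocks")
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: XOR the data with E(key, nonce || block counter).

    Encryption and decryption are the same operation. This is the
    confidentiality half of GCM, the mode Zoom moved to in 5.0; GCM also
    adds an authentication tag, which is omitted here.
    """
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    for idx, chunk in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + idx.to_bytes(8, "big"))
        out += _xor(chunk, keystream)  # zip() trims keystream for a short last block
    return bytes(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one (the ECB tell)."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def demo(key: bytes = b"k" * 16, nonce: bytes = b"\x00" * 8):
    """Encrypt a constructed frame-like payload both ways and compare."""
    # Constructed sample: one header block surrounded by runs of identical
    # blocks, standing in for a video frame with large uniform regions.
    payload = (b"\x00" * BLOCK) * 6 + b"HEADER-SIXTEEN-B" + (b"\x00" * BLOCK) * 6
    ecb = ecb_encrypt(key, payload)
    ctr = ctr_crypt(key, nonce, payload)
    return repeated_blocks(ecb), repeated_blocks(ctr)


if __name__ == "__main__":
    ecb_dups, ctr_dups = demo()
    print(f"ECB: {ecb_dups} duplicated ciphertext blocks; CTR: {ctr_dups}")
```

Running `demo()` shows the twelve identical zero blocks collapse to one distinct ciphertext block under ECB (eleven duplicates), while CTR produces thirteen distinct blocks because the counter changes the keystream for every position. The `repeated_blocks` check is also a cheap way to spot ECB in captured traffic: a stream of supposedly encrypted media with many exactly repeated 16-byte blocks is a strong sign of a deterministic mode.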

Has Zoom Addressed Its Encryption Vulnerability? – July 2020 Update

After the public outcry over its encryption, Zoom began upgrading it. Zoom 5.0, released in late April, moved meetings to AES-256 GCM, and the new mode was rolled out across the service through late April and May.

Soon afterward the company announced its acquisition of Keybase, a company specializing in encrypted messaging and key management, and on May 22 it published a draft design for end-to-end encryption of Zoom meetings.

Starting in July 2020, Zoom plans to begin rolling out end-to-end encryption to users. The feature was initially going to be available only to paid customers, but pressure from civil liberties groups persuaded Zoom to extend it to free accounts as well, provided free users first verify their identity, for example with a phone number.

Zoom Vulnerability 3: Potential Data Exposure to China

Citizen Lab also found that some Zoom meetings were encrypted with keys issued by servers in China. The investigation identified 5 of Zoom’s 73 key servers as located in China, with the rest in the United States. Chinese servers are not a problem in themselves, but the researchers, based in the US and Canada, found that their own test meeting had been encrypted with a key generated in Beijing.

The researchers pointed out that this matters because Chinese authorities could compel Zoom to hand over keys or meeting content. That is a real concern for users who discuss sensitive matters over Zoom, such as national governments.

Zoom has since stated that the issue arose because it had incorrectly whitelisted Chinese data centers as able to serve meetings for users outside China, and that this has been fixed. Zoom also said the bug did not affect Zoom for Government. Even so, Citizen Lab recommends erring on the side of caution and avoiding the software for sensitive discussions.

Has Zoom Addressed Its Potential Data Exposure to China? – July 2020 Update

After Citizen Lab’s report was published, Zoom released a feature called data routing control. It allows account admins to choose which data-center regions process their meeting data and to opt out of regions they do not want their meeting traffic to pass through. At release the feature was available only to paying customers.

Zoom also clarified that customers located outside China do not have their meeting data routed through Chinese servers by default, and stated that data requests from the Chinese government do not apply to users outside mainland China.

Zoom Vulnerability 4: Zoombombing

One of Zoom’s biggest problems has been “Zoombombing” or “Zoom-bombing,” where trolls and pranksters intrude on private and public meetings, often sharing pornography, racial slurs, or worse. In most cases the intrusions were possible because of insecure default settings: meetings without passwords, guessable or publicly posted meeting IDs, and screen sharing open to every participant. Zoom has published guidelines on how to avoid these issues, including:

  • Avoid sharing your meeting ID on social media.
  • Use a randomly generated meeting ID rather than your Personal Meeting ID, which never changes and can be reused by anyone who has seen it.
  • Require a password to join your meeting.
    • Be careful with the “Copy Invitation” feature. If the join link is long and contains a question mark, it embeds the meeting password in the URL. That is fine when you send it directly to invitees, but not when posting it on social media; in that case share only the meeting ID.
  • Lock the meeting once everyone has joined, so no one else can enter.
  • Disable the “Join Before Host” setting.
  • Turn off screen sharing for participants unless you need it.
  • Use the Waiting Room to screen participants before admitting them.

For more information, visit the Electronic Frontier Foundation’s extensive guide on Zoom.
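The “question mark” warning above is easy to automate. The following added example (not Zoom’s code, nor anything from the EFF guide) takes the text produced by “Copy Invitation,” finds the join link, reports whether the passcode is embedded in it, and produces a version safe to share widely. It assumes join links have the form https://<host>/j/<meeting id> on a zoom.us host with the passcode carried in a `pwd` query parameter; the host name, meeting ID, and passcode in the sample invitation are constructed, not a real meeting.

```python
"""Check a Zoom invitation before posting it publicly.

Added example, not Zoom's code. The "Copy Invitation" text usually
contains a join link; when the meeting has a passcode, that link may
carry it as a `pwd` query parameter. Such a link is fine for direct
invitees, but posting it on social media defeats the passcode. These
helpers report whether a link or a whole invitation embeds the passcode
and produce a share-safe link with only the meeting ID.
Assumption: join links look like https://<host>/j/<id> on a zoom.us host.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")
PASSCODE_LINE_RE = re.compile(r"^\s*(passcode|password)\s*:", re.IGNORECASE | re.MULTILINE)


def inspect_invite_link(link: str) -> dict:
    """Parse one join link: meeting ID, whether the passcode is embedded,
    and a copy of the link with the passcode stripped."""
    parts = urlsplit(link)
    host = parts.netloc.lower()
    if host != "zoom.us" and not host.endswith(".zoom.us"):
        raise ValueError(f"not a zoom.us link: {link}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0] != "j" or not segments[1].isdigit():
        raise ValueError(f"not a /j/<meeting id> join link: {link}")
    meeting_id = segments[1]
    query = parse_qs(parts.query)
    embeds_passcode = "pwd" in query
    # Keep any other parameters; drop only the passcode.
    kept = {k: v for k, v in query.items() if k != "pwd"}
    share_safe = urlunsplit((parts.scheme, parts.netloc, f"/j/{meeting_id}",
                             urlencode(kept, doseq=True), ""))
    return {"meeting_id": meeting_id, "embeds_passcode": embeds_passcode,
            "share_safe_link": share_safe}


def scan_invitation(text: str) -> list:
    """Find every join link in an invitation text and inspect each one."""
    found = []
    for match in URL_RE.finditer(text):
        try:
            found.append(inspect_invite_link(match.group(0).rstrip(".,;)")))
        except ValueError:
            continue  # other URLs in the invitation (help pages, dial-in info)
    return found


def safe_to_post_publicly(text: str) -> bool:
    """True only if no link embeds the passcode and no Passcode: line is present."""
    if PASSCODE_LINE_RE.search(text):
        return False
    return not any(link["embeds_passcode"] for link in scan_invitation(text))


# Constructed sample invitation (not a real meeting).
SAMPLE_INVITATION = """Alice is inviting you to a scheduled Zoom meeting.

Join Zoom Meeting
https://us02web.zoom.us/j/1234567890?pwd=abcDEF123

Meeting ID: 123 456 7890
Passcode: 482913
"""

if __name__ == "__main__":
    for link in scan_invitation(SAMPLE_INVITATION):
        print(link)
    print("safe to post publicly:", safe_to_post_publicly(SAMPLE_INVITATION))
```

For the sample invitation the scan reports the passcode embedded in the link and refuses to call the text safe to post, because the invitation also spells the passcode out in a `Passcode:` line. The share-safe link still admits anyone who knows the passcode through a separate channel, which is the point: the ID can be public, the passcode should not be.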

Has Zoom Addressed Zoom-Bombing Vulnerabilities? – July 2020 Update

Zoom has worked to reduce Zoom-bombing. Zoom 5.0, released in late April, added controls that give hosts more say over who can enter a meeting and what participants can do, along with interface changes that make it clearer how data is being processed. Many of the settings Zoom recommended in early April, including meeting passcodes, the Waiting Room, and restricted screen sharing, are now enabled by default.

The FBI Weighs In on Using Zoom for Conferences

Zoom’s security problems have also drawn the attention of the FBI, which has issued its own recommendations. According to the FBI’s Boston field office, users should take the following steps to mitigate teleconference hijacking:

Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.

Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.

Manage screensharing options. In Zoom, change screensharing to “Host Only.”

Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.

Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

What are Zoom’s Next Steps in Addressing Vulnerability Concerns?

In a recent blog post, Zoom announced a 90-day feature freeze: all of its engineering resources would go to fixing existing security and privacy issues across its products rather than building new features. The post also outlined steps users can take to protect themselves, what the company had already fixed, and what it planned to address over the following three months.

Has Zoom Addressed Its App Vulnerabilities? – July 2020 Update

July 1 marked the end of the 90-day feature freeze. To mark the occasion, Zoom published a post outlining what it had achieved. As described above, it released a number of platform updates, upgraded its encryption, and began work on end-to-end encryption for its users.

The company also announced new security initiatives, including a CISO council, more oversight of its security practices, a bug bounty program, and expanded penetration testing of the platform. CEO Eric Yuan also promised a transparency report detailing the data requests the company receives. Zoom initially planned to release it by June 30 but now says it will appear “later this year.”

These moves have earned the company praise, but it is worth staying grounded: many features are still rolling out, and researchers continue to find new vulnerabilities. Users should still think carefully about what they share over the service. People still need to work, socialize, and connect virtually over the coming months, so for those who are uncomfortable with Zoom, FlashRouters has a few potential alternatives.

What Are Some Zoom Alternatives?

If the latest Zoom vulnerability has you worried, consider these popular alternatives to Zoom.

Jitsi

Ideal for the open-source enthusiast, Jitsi is an open-source communication platform that works in the browser or through its iOS and Android apps. This Zoom alternative is not end-to-end encrypted either, but Jitsi lets you run your own server, so the video streams are encrypted to a server you control rather than to a third party’s.

iMessage/FaceTime

Apple’s iMessage and FaceTime are widely regarded as a high bar for secure consumer communication. Both are end-to-end encrypted, and Group FaceTime supports up to 32 participants. However, both are available only on Apple devices, so everyone in the meeting either needs Apple hardware or is left out.

Google Meet

One of the most popular video-conferencing platforms, Google Meet is easy-to-use and allows a connection via phone and online. However, it is not end-to-end encrypted and requires a Google account to use.

WhatsApp

One of the most popular messaging apps in the world, WhatsApp is available across many platforms and is end-to-end encrypted, despite being owned by Facebook. It is not a good Zoom alternative for large meetings, though: group video calls are capped at a small number of participants (four when this was first written, since raised to eight).

Signal

For those who prefer to avoid Facebook-owned products, Signal is a strong end-to-end encrypted alternative. It is open-source and used by many leading journalists and security researchers. Signal offers chats, voice calls, and video calls over an end-to-end encrypted connection, but its calls are one-to-one and desktop users cannot make video calls, so it suits private conversations better than group meetings.

Protection Beyond the Next Zoom Vulnerability

Secure conferencing is not the only important aspect of working and socializing from home. Beyond looking for secure Zoom alternatives, users need to ensure that they’re able to work securely from home. These users require a powerful router that can handle a heavy network load and which features upgraded networking and security capabilities. These users need a FlashRouter.

What is a FlashRouter?

A FlashRouter is a wireless router that ships with the open-source DD-WRT firmware pre-installed. DD-WRT extends the features and performance of consumer routers and lifts restrictions built into the stock firmware. In particular, it can run a VPN client on the router itself, so every device on the network, including ones that cannot run VPN software, is covered by the VPN.

AX3000 WiFi 6 VPN FlashRouter
  • $99.99 (list price $149.99)
  • Perfect for Medium Homes
  • Perfect for 20-30 Devices

Flint WiFi 6 AX1800 VPN Router by FlashRouters
  • $164.99 (list price $229.99)
  • Supports WiFi 6 (Wireless-AX) speeds
  • Includes WireGuard Fast VPN Protocol Support

Asus RT-AX58U Merlin FlashRouter
  • $159.99 (list price $249.99)
  • Blazing-fast Wi-Fi 6 (Wireless-AX) Speeds
  • Easy Router Setup via Asus App

Protect Your Network with a VPN

As mentioned above, a FlashRouter unlocks a number of features, including running a VPN client on the router itself. A VPN encrypts the traffic between your network and a VPN server, which lets you circumvent various restrictions while keeping your data out of reach of anyone on the path between you and that server.

Once your traffic reaches the VPN server, the server forwards it to the website or service you are trying to reach, and that service sees the VPN server’s address rather than your home connection. Note what this does and does not protect: it hides your home IP address and shields traffic from your ISP and local network, but the VPN provider itself can still see where your traffic goes, so choose a provider whose no-logs policy you trust. FlashRouters supports leading VPN providers.

And, for users who use a VPN for work, FlashRouters offers a unique solution.

Have any questions on Zoom, video conferencing and more? Let us know what we can answer for you!