virtual meetings security

Zoom Meetings – Video Communications Cyber Vulnerabilities and Remediation

On Tuesday, 4/28/20, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) published an advisory that cited certain cyber vulnerabilities associated with the Zoom platform.  This follows a more detailed publication of those vulnerabilities by the U.S. Department of Homeland Security released on 4/27/20, which was referenced by the NJCCIC. The DHS publication recommends that any organization using or considering Zoom should evaluate the risk of its use.

Zoom Video Communications, Inc. provides videotelephony and online chat services through a cloud-based software platform.  With the current pandemic, there has been a dramatic increase in remote workers and, consequently, a significant ramp in usage of technologies, such as Zoom, to support those remote workers.  According to a Zoom company blog, there was a twenty-fold increase in Zoom usage to 200 million daily users in the first three months of 2020.  Since then, the company is reporting over 300 million daily users.

The NJCCIC states in its publication that Advanced Persistent Threat (APT) actors likely will identify vulnerabilities in Zoom.  These vulnerabilities can be exploited to compromise user devices, accounts, and corporate networks. The NJCCIC's judgment is based on “recent public exposure of Zoom’s numerous vulnerabilities.”

Also, the NJCCIC discusses Chinese access to Zoom servers and Beijing’s unique ability to target U.S. users of the Zoom platform.  Although Zoom is headquartered in the U.S., according to a Canada-based research lab, it appears that the main Zoom application was developed by three companies in China.  The research lab’s studies observed that Zoom meeting encryption and decryption keys were transmitted to servers in China.  China’s 2016 Cybersecurity Law compels foreign firms to provide intellectual property, including source code, to Chinese authorities.

In addition, according to the NJCCIC report, other countries may capitalize on Zoom’s vulnerabilities.  Delays by users and organizations in deploying security patch updates can be a contributing factor to these vulnerabilities.

How is Zoom Video Communications Addressing Security Concerns?

On 4/22/20, Zoom Video Communications announced encryption security enhancements to be provided with the upcoming general availability of Zoom 5.0.  This is a part of the company’s 90-day plan to proactively improve the security and privacy capabilities of its platform.  The company also changed default settings, which helped address meeting privacy concerns.

On 4/28/20, it was announced that Zoom selected Oracle as its cloud infrastructure provider for its core online meeting service.  In addition to other benefits, the move to Oracle will enable Zoom to move its services to properly secured facilities that are designed to ensure customer privacy.  We believe the change to the Oracle Cloud Infrastructure will alleviate concerns about Zoom meetings routing through servers in China.  Zoom is already transferring huge amounts of data through Oracle servers each day.  Over the next few months, Zoom will continue to enhance its security features, in addition to migrating to the Oracle platform.

powersolution.com is a member of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC)

New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) – powersolution.com is a member of the NJCCIC, contributing and sharing cybersecurity practices and other cybersecurity-related information with the New Jersey Office of Homeland Security and Preparedness (OHSP), New Jersey Office of Information Technology (OIT), and other State organizations.