In partnership with the Mechanical Contractors Association of America's (MCAA) Cyber Security Expert, Nick Espinosa, the association would like to alert the industry to a security risk for organizations that was recently uncovered: the use of the Zoom video conferencing service.
Zoom's problems are threefold:
1. Technical vulnerabilities within the program. Attackers have been able to join Zoom meetings uninvited, disrupt and record them, and send phishing links to participants through the chat window. Further, it was uncovered that the chat window turned Windows network share paths (UNC paths) into clickable links; when a user clicked one, Windows attempted to authenticate to the remote server named in the path and sent the user's Windows username together with a hash derived from the user's password. That hash can be cracked offline, and if the password is weak the cracking takes very little time.
2. False claims of total privacy. Zoom had stated that when encryption was enabled for a meeting, only the participants of that meeting could see its content. Research by the University of Toronto's Citizen Lab determined that this was not end-to-end encryption: the meeting key was generated on Zoom's own servers and distributed to participants (and the media was encrypted with AES in ECB mode, a mode that leaks patterns in the content), so anyone with access to those servers, including Zoom employees, could decrypt meetings. Zoom's Chief Product Officer, Oded Gal, later wrote a blog post in which he apologized on behalf of the company "for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption."
3. Betrayal of the public trust. In an article by The Intercept reporting on the Citizen Lab findings, it was determined that five of Zoom's 73 key management servers (KMS servers) were located in mainland China, and that many meetings whose participants were all located in the United States or North America were receiving their encryption keys from these servers in China, even though the remaining 68 KMS servers are located in the United States. Since whoever holds the meeting key can decrypt the meeting, and Chinese law can require businesses operating in China to give the government access to data they hold, it is very possible that the Chinese government has had access to live Zoom meetings and/or recordings.
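The following Go program is an added illustration, not part of the MCAA advisory and not Zoom's code, of the distinction behind items 2 and 3: a meeting whose key is generated and handed out by a key management server can be decrypted by whoever controls that server, while a meeting whose key the participants derive themselves (here by X25519 key agreement, with the server only relaying public keys) cannot be decrypted by the relay. The participant names, the AES-GCM frame cipher, the sample frame and the relay's guessing attempt are assumptions made for the example; Zoom's actual cipher and key format differed in detail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must panics on failures that no key-distribution design can recover from
// (a broken RNG, a bad cipher setup); decryption failures are never routed here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// gcmFor builds AES-128-GCM for one key. GCM stands in for whatever frame
// cipher a conferencing product uses; the example is about who holds the key.
func gcmFor(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal returns nonce||ciphertext for one media frame.
func seal(key, frame []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, frame, nil)
}

// open reverses seal; GCM authentication fails for any key but the sealing key.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("sealed frame too short")
}

// Constructed sample frame standing in for audio, video or chat content.
var sampleFrame = []byte("constructed sample frame: next quarter's bid numbers")

// Model A: a key management server (KMS) generates the meeting key and hands
// a copy to each participant. The operator of that server, or anyone who can
// compel the operator, keeps a copy and can decrypt every frame without
// touching any participant's machine.
func serverIssuedKeyReadableByOperator() bool {
	kmsKey := make([]byte, 16)
	must(rand.Read(kmsKey))
	issued := append([]byte(nil), kmsKey...) // what the participant downloads
	sealed := seal(issued, sampleFrame)       // participant encrypts a frame
	pt, err := open(kmsKey, sealed)           // operator uses its retained copy
	return err == nil && bytes.Equal(pt, sampleFrame)
}

// deriveKey turns an X25519 shared secret into a 128-bit AES key. A real
// protocol would use a proper KDF with context binding; SHA-256 keeps it short.
func deriveKey(self *ecdh.PrivateKey, peerPub []byte) []byte {
	shared := must(self.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	sum := sha256.Sum256(shared)
	return sum[:16]
}

// Model B: end-to-end. Each participant generates an X25519 key pair, the
// server only relays public keys, and the meeting key is derived locally from
// the shared secret. Returns whether the peer could decrypt and whether the
// relay could, using the only material it ever saw.
func endToEndExchange() (peerOK, relayOK bool) {
	alice := must(ecdh.X25519().GenerateKey(rand.Reader))
	bob := must(ecdh.X25519().GenerateKey(rand.Reader))
	pubA, pubB := alice.PublicKey().Bytes(), bob.PublicKey().Bytes()
	relaySaw := append(append([]byte(nil), pubA...), pubB...) // all the relay sees
	kAlice, kBob := deriveKey(alice, pubB), deriveKey(bob, pubA)
	sealed := seal(kAlice, sampleFrame)

	pt, err := open(kBob, sealed)
	peerOK = err == nil && bytes.Equal(pt, sampleFrame)

	guess := sha256.Sum256(relaySaw) // relay's best effort: hash what it forwarded
	_, err = open(guess[:16], sealed)
	relayOK = err == nil
	return peerOK, relayOK
}

func main() {
	fmt.Printf("server-issued key: operator can decrypt = %v\n", serverIssuedKeyReadableByOperator())
	p, r := endToEndExchange()
	fmt.Printf("end-to-end key: peer can decrypt = %v, relay can decrypt = %v\n", p, r)
}
```

Run it with `go run` (Go 1.20 or later, for the crypto/ecdh package). The first line reports that the KMS operator decrypts without contacting any participant; the second reports that the peer decrypts and the relay does not. The location of the key server matters only under the first model, which is why the server geography in item 3 was a concern at all.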
It is for these reasons that NASA, SpaceX and others have forbidden the use of Zoom for organizational meetings. The MCAA now joins the growing number of organizations worldwide that have stopped using Zoom video conferencing, and it recommends that its members follow suit, especially where sensitive information is being discussed.
When a person or an organization chooses to use a program or service, or even walks into a store to make a purchase on a corporate credit card, they enter into a trust relationship with that entity. Individuals and organizations trust that their local stores will handle their credit card transactions with the appropriate level of security, and they trust that a company like Zoom will safeguard them as advertised. When that trust is broken, it is hard to get back.
Zoom has acknowledged these issues, including the routing of keys through China, describing them as mistakes and programming errors, and has promised fixes and updates. Until the company has demonstrated that its service is secure over a sustained period, MCAA believes it is time to put its trust in another video conferencing solution.