Many of us are using Zoom quite often right now, including functions for chat, video conference and webinars. Zoom has been in the media a lot lately. Reports have covered a variety of security issues like encryption, traffic being sent through China, “Zoom bombing”, and passwords being sold on the dark web. Most of these reports concern the public version of Zoom used by individuals, mostly in the US.

Zoom at SU

SU buys its Zoom service from Sunet (Swedish University Computer Network) which uses NORDUnet to deliver the service. Zoom at SU is not part of the “public Zoom”. NORDUnet’s Zoom service follows GDPR and other European data regulations and all data is stored and handled inside the EU.
NORDUnet has its own license for Zoom and keeps the installation on premise on its own servers. Zoom has a private network and private cloud for Sunet/NORDUnet customers. All meeting data is contained within NORDUnet’s installation. A certain amount of personal information is shared with Zoom/EU (Frankfurt). No personal information is shared with Zoom/US.
SU’s Zoom uses the SWAMID login protocol (where you log on through SU and then are redirected to the service), so your passwords are never stored in the Zoom service.

  • All data from meetings are stored in Stockholm/Copenhagen (video, voice, chats, shared pictures, etc.)
  • Metadata from the meeting are stored in Frankfurt (username, SSO-attributes (e.g. whether you’re a student or employee), IP address, network quality, and location data).
  • Information detailing license-owning organisations (like SU), license type and number of licenses is stored at Zoom/US.

Zoom in the news

The public version of Zoom has received a lot of press attention. These issues do not affect SU much because we do not use the public version.

Zoom bombing

“Zoom bombing” is when an uninvited participant manages to connect to a Zoom meeting and disturb others by writing in the chat or sharing inappropriate materials. It has nothing to do with the integrity of the service but still requires management. It can create worry and irritation. 
Things to think about:

  • Don’t distribute the invitation to more people than necessary. It can be misused.
  • Protect your Zoom meeting with a password.
  • If you arrange meetings, activate the waiting-room function for connecting participants. That way you can approve participants before they connect to an ongoing meeting.
  •  As the meeting arranger you can restrict the meeting to only people with an SU account. Please do this unless you have invited external participants.
  • Consider using the lockout function when all of the expected participants have joined or at a specific time. Then no new people can join the meeting.
  • If someone disturbs a meeting, ask the arranger to kick them out.
  • Turn off the possibility for participants to share their screen, chat and exchange names if you don’t need it.

Zoom passwords for sale on the dark web

These reports dealt with the public Zoom service and users who recycled passwords for different accounts. Passwords from earlier data leaks at other organisations were tested on Zoom and many of the usernames and passwords worked even in Zoom.
SU uses federated logins through SWAMID, which means that your password is never saved in Zoom.
Things to think about:

  • Always use different passwords for each online service.
  • Don’t use the same password for university and private accounts.
  • If your account/password has been hacked and misused, change passwords.
  • Passwords should be unique and long (at least 12 characters).
  • Activate two-factor identification wherever you have the opportunity, especially for services that are important to you, like the private email account you use to reset other account passwords.

Encryption of traffic

Zoom has been criticised for its encryption practices. Protected communication should have end-to-end encryption meaning that only meeting participants can access the information in a secure video conference including both video and sound. Zoom encryption in some cases is lacking and not really “end-to-end”. The encryption in Zoom is done between the user and the Zoom server.
When users connect to a Zoom meeting from devices that don’t use Zoom’s normal communication protocol, e.g. dialling in by phone, Zoom’s encryption cannot be used directly by the phone or other device. This can be handled by using a Zoom Connector. There are connectors for telephone systems, Skype, smart rooms, etc.

  • If every participant in a meeting uses the Zoom client, the traffic is encrypted.
  • If some participants dial in, the traffic between the phone and the connector is not encrypted.

Something to think about:
Zoom is not an appropriate tool to discuss confidential information.

Routing through China

This issue does not affect SU because we use NORDUnet’s Zoom service.
When Zoom increased its global capacity to meet the increased demand caused by social distancing, some Zoom calls from mobile telephones were routed through China’s large-capacity Zoom cloud. This happened primarily with mobile calls in North America and the public version of Zoom. Normally, Zoom keeps conversations in the region where they originated. When maximum capacity is reached traffic is directed to the nearest datacentre with space. China is normally excluded from the list of datacentres that the West uses for security reasons (like GPDR). When the capacity for Zoom’s public service needed to be increased a mistake was made which is how this failure happened. The fault was corrected within hours.

Clickable links in chat

UNC links are those which direct to files on your own or another computer and can be a security risk. A vulnerability in the Zoom client was remedied on 1 April 2020. This is why it’s important to always update your copy of Zoom even on your mobile and other devices.
Things to think about

  • Think about Zoom the way you think about email. Don’t click on unknown links and images.
  • Beware of the privileges Zoom has on macOS.
  • The vulnerability was rectified on 1 April 2020
  • The vulnerability was serious, but an attacker had to have already broken into your computer to exploit it.

SU-specific questions

Q: Is data shared outside of SU?
A: User data for the service is saved in the European datacentre (Frankfurt). All meeting data is saved on NORDUnet’s servers in Stockholm and Copenhagen

Q: Does IT Services save any information? If so, what?
A: Yes, SU has session data information (firewall logs), login data and time information on chats and such (how many minutes is the video call, how many chats). It’s only the metadata about the conversation, not the contents from users.
SU also has 7-days of saved chat data for IM (Instant Messaging) – not meeting data, though, just in the chat channel. Unfortunately, we at IT Services have not been able to turn off this function. Only SU has access.

Q: Is Zoom being monitored?
A: No, Zoom is not used for surveillance.
We check that the service is functioning properly, but we do not monitor how the service is used, who is connected, what is being said, etc.

Other questions? Please contact information security.