Zoom is an "Echternach" procession: three steps forward and two steps backward

It was almost bound to happen. The US Federal Trade Commission (FTC) is bringing a formal complaint against Zoom. According to the FTC, Zoom has been compromising its users' security and privacy since at least 2016, even as it claimed to protect them with end-to-end 256-bit encryption.

Despite repeated assurances to the contrary, Zoom kept the cryptographic keys in its own hands, which means it retained the ability to decrypt and access its customers' meeting content. Encryption whose keys the service provider holds is not end-to-end encryption, and it gives those meetings correspondingly less protection.

The list of broken promises sounds depressingly familiar. In its June 2016 and July 2017 HIPAA Compliance Guides, Zoom claimed it used end-to-end encryption for healthcare customers. As late as January 2019, Zoom claimed in a white paper that it applied end-to-end encryption for all users.

Those claims were at best partially true: they only applied to customers using Zoom Connector. For everyone else a weaker form of encryption applied, with the risks described above. The FTC also accuses Zoom of being careless with the recordings that users store in Zoom's cloud. Zoom said those recordings were encrypted as soon as a meeting ended, but in some cases that encryption was applied only after up to 60 days. In the meantime, the data sat unprotected on the company's servers.

The FTC will initially try to reach a settlement with the platform. Zoom must establish a comprehensive security program to safeguard the security and privacy of its users. The Democratic commissioners were not fond of this arrangement, because the misled users receive no financial compensation and Zoom does not even have to notify them that it misled them for years. In fact, the settlement does not explicitly require end-to-end encryption at all. It does require the platform to urge its users to choose strong and unique passwords, to deploy tools that block automated (non-human) logins, and to limit the number of login attempts so as to stop brute-force attacks. Separately, a number of investors and users have filed financial claims against Zoom because they feel misled and disadvantaged.

Passwords are anything but secure

Zoom clearly violated the security and privacy of its users, as the charges make plain. Yet there are also risks for the users of any video-call platform that Zoom, Skype or Teams can do little about. This is shown by a study by researchers at the University of Texas, published in the paper "Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks". They conclude that the other participants in a video meeting can infer what you are typing, including your password, from the movements of your arms and shoulders alone.

Someone with malicious intent records the meeting, ideally from a high-definition webcam feed. Software is then run over the recording: it removes the background and locks on to the face, which becomes the reference point against which the movements of the arms and shoulders are measured. From those movements the software infers, keystroke by keystroke, which keys were most likely struck, and the resulting sequence is matched against a long list of words and common passwords. If the password is among the 1 million most common ones, the researchers report it can be recovered in about 75% of cases; if the user's e-mail address is also known, that rises to 90%.
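To make the last step concrete, here is an added illustration in Python; it is a constructed toy, not the researchers' code. It assumes the video analysis has already yielded, for every keystroke, which hand moved and whether that hand moved left, right or stayed in place (the kind of coarse signal arm and shoulder motion gives), and it assumes a plain QWERTY layout with columns 0-4 typed by the left hand and 5-9 by the right. The wordlist is a small constructed stand-in for the "1 million most common passwords". The point it shows is that even such a coarse signal, with one keystroke misjudged, still ranks a common password at the top of the list, and that entries sharing a profile cannot be separated by the video alone.

```python
"""Toy of the wordlist-matching stage of a video keystroke-inference attack.

Constructed illustration, not the researchers' code. It assumes the attacker
has already recovered, for every keystroke, which hand moved and whether that
hand moved left, right or stayed in place, and shows how even that coarse
signal narrows a list of common passwords.
"""

# Simplified QWERTY layout: (row, column) per key; columns 0-4 are struck by the
# left hand, columns 5-9 by the right hand (assumption of this toy model).
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
KEY_POS = {ch: (r, c) for r, row in enumerate(_ROWS) for c, ch in enumerate(row)}


def hand(key):
    """'L' or 'R': which hand types this key under the layout above."""
    return "L" if KEY_POS[key][1] < 5 else "R"


def profile(text):
    """Per-keystroke (hand, direction) pairs.

    direction is the horizontal move of the typing hand relative to the last
    key that same hand struck: 'L' (left), 'R' (right) or 'S' (same column, or
    the hand's first keystroke).
    """
    last_col = {"L": None, "R": None}
    out = []
    for ch in text.lower():
        if ch not in KEY_POS:
            raise ValueError(f"key not modelled: {ch!r}")
        h = hand(ch)
        col = KEY_POS[ch][1]
        prev = last_col[h]
        if prev is None or col == prev:
            direction = "S"
        else:
            direction = "R" if col > prev else "L"
        out.append((h, direction))
        last_col[h] = col
    return out


def misread(prof, index, direction):
    """Simulate the video analysis getting one keystroke's direction wrong."""
    noisy = list(prof)
    noisy[index] = (noisy[index][0], direction)
    return noisy


def score(observed, candidate):
    """Keystrokes on which the candidate's profile agrees with the observation;
    -1 when the length differs (the attacker does see the keystroke count)."""
    if len(observed) != len(candidate):
        return -1
    return sum(o == c for o, c in zip(observed, candidate))


def rank_candidates(observed, wordlist):
    """Wordlist entries of the observed length, best match first (ties alphabetical)."""
    scored = [(score(observed, profile(w)), w) for w in wordlist]
    scored = [(s, w) for s, w in scored if s >= 0]
    return [w for s, w in sorted(scored, key=lambda t: (-t[0], t[1]))]


def exact_matches(observed, wordlist):
    """Entries the observation cannot tell apart: identical profile."""
    return [w for w in wordlist if profile(w) == observed]


# Constructed stand-in for the "1 million most common passwords" list.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "football", "iloveyou", "monkey",
    "dragon", "sunshine", "princess", "welcome", "baseball", "master", "shadow",
    "michael", "superman", "trustno1", "abc123", "passw0rd", "starwars",
]

if __name__ == "__main__":
    observed = profile("password")        # what a perfect video analysis yields
    print("profile:", observed)
    print("top 3:", rank_candidates(observed, WORDLIST)[:3])
    noisy = misread(observed, 2, "S")     # one keystroke misjudged by the analysis
    print("top 3 with one misread:", rank_candidates(noisy, WORDLIST)[:3])
    print("indistinguishable entries:", exact_matches(observed, WORDLIST))
```

The scoring is deliberately crude (one point per agreeing keystroke); the real attack works from noisier video features and larger lists, but the mechanism is the same: the video does not read the password, it prunes the candidate space until a common password stands out. A password that is not on any list leaves the attacker with a profile and nothing to match it against.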

Regular users of Zoom, but also of Skype or Teams, should therefore be aware that they are vulnerable in several respects. An opportunistic attacker can always find something worth taking, and that applies all the more to business users. What can you do about it? Fortunately, the recommendations are not earth-shattering: wear long sleeves and drape something over your shoulders, learn to touch-type with ten fingers so that your arms move less, or use a chair that can move. And you can always dim the lighting.

The underlying message of the researchers is that users of these platforms should become more aware of the risks they run. The platforms are remarkably sloppy about privacy and security, and users are naive if they assume everything is fine.