In-depth product analysis - Zoom & Microsoft Teams

This is the second post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examining Zoom and Microsoft Teams. 

Other posts include:

• Tixeo
• BigBlueButton
• Skype for Business
• Jitsi Meet
• Cisco Webex
• Cisco Webex Teams
• Google Meet
• Bluejeans

To read about our approach to this analysis, understand the target security model we applied or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail from Zoom or Teams, please read on.

Zoom Video Communications is a company based in San Jose, California. The business has been enjoying great success since its creation in 2011, but sales have apparently rocketed with the COVID-19 epidemic. Zoom attempts to differentiate itself with excellent service quality and thus relies on its SaaS model exclusively. Zoom is used as collaborative audio and video solution for users (licensed) of meeting rooms, which allows working internally with colleagues as well as externally with partners, with an innovative interactive interface.

Since the beginning of the COVID-19 pandemic and the implementation of self-isolation measures around the globe, the use of Zoom has grown exponentially (+535%, in the United States alone). Several vulnerabilities and breaches, under the spotlights, have undermined security and trust in the company. Whilst these concerns are warranted, we feel that there has also been a fair amount of hyperbole involved, which was part of our motivation for writing this report.

Zoom 5.0 was released on April 27, 2020 and now supports AES 256-bit GCM encryption. This will be enforced across the board starting May 30^th, 2020 meaning only Zoom clients on version 5.0 or later will then be able to join meetings.

In-meeting security controls are now grouped together under the Security icon on the host meeting menu bar. These controls allow the host to enable or disable the ability for participants to: Screen share, Chat or Rename themselves. Hosts can also “Report a User” to Zoom’s Trust & Safety team, enable the Waiting Room feature whilst already in a meeting, lock the meeting once all attendees have joined to prevent unwanted guests and remove any participants which will then prevent that individual from rejoining the meeting.

Additional safeguards have now been implemented; these include:

• Waiting Room enabled by default.
• Complex eleven-digit unique meeting IDs are now in place. IDs are also removed from the content sharing window to prevent accidental sharing of meeting information.
• Meeting passwords are now more complex and enabled by default for most customers. For administered accounts, account admins now have the ability to define password complexity requirements.
• Meeting Registration & Meeting Authentication allows you to have participants register with their email, name and other details or to enable pre-set profiles to restrict access to authenticated users or from specific email domains respectively.
• All cloud recordings are encrypted with complex passwords on by default.
• Audio Watermarks allow Zoom to help identify who recorded a meeting if it is shared without permission.
• Screen Share Watermarks superimposes a participant’s email address onto shared content in the even a screenshot is taken.
• Hosts can now select which data center regions they would like their in-meeting traffic to use when scheduling a meeting, and participants can see which data center they are connected to.

Features

The application allows screen sharing to collaborate and share notes, visible to all the participants. You can send messages to all participants with one click. Also, recording conferences on-device or in the cloud is possible.

Zoom integrates with “Personal Information Manager” (PIM) applications like Microsoft Outlook and runs on mobile phones (iOS and Android) or on touch screens to allow as many integrations as possible. It connects to numerous audio and video endpoints. To create and manage a meeting, installing a ‘thick’ (executable) client or a mobile application under Windows, Linux, Android or iOS is necessary. We found installing the product under GNU / Linux to be tricky, however. Attending or scheduling a meeting can also be done through a browser.

Zoom also provides integration with several conferencing hardware solutions for cameras, microphones and screens, via partnerships with selected vendors.

Zoom, unlike many solutions presented here, uses proprietary technology and does not use generally accepted WebRTC standards. WebRTC is an interface allowing communication in real-time online. This standard allows browsers to support voice or data sharing directly from the browser, thereby eliminating specific software or extensions to be set up.

We found Zoom to be a very functional and easy-to-use tool, which has probably contributed to its meteoric rise. It’s available for a wide majority of platforms, including a browser, and does not require specific changes to corporate platforms or networks due to its SaaS operational model. Integration with main email and calendar applications such as Microsoft Outlook or Google Suite is smooth. Zoom also offers accessibility features for all participants, for example by enabling subtitles via Rest APIs. Zoom’s widescale adoption also makes it an attractive choice for businesses wanting to connect with others outside their own organization.

Results table

Encryption

The solution is available exclusively as SaaS (or hybrid cloud), so customers need to be comfortable with trusting Zoom to protect the infrastructure and respect their data. In hybrid cloud mode, user and meeting metadata are managed on the public cloud, whilst video, voice and data sharing go through the on-premise Zoom meeting connector.

Zoom had previously suggested that its communications were end-to-end encrypted, but closer examination has revealed that this is not strictly speaking the case (using our definition above)[1]. Moreover, Citizen Lab reported that Zoom communications are encrypted using the AES-128 and not the AES-256 previously indicated by Zoom[2]. More problematic for some users, the Zoom AES-128 encryption keys could have been transmitted to third parties, possibly in China.

Zoom has however responded forcefully to address these and other issues and the new 5.0 update, includes upgraded encryption. The new ‘Galois Counter Mode’ (GCM)[3] encryption will use the 256-bit ‘Advanced Encryption Standard’ (AES) algorithm[4], which is considered to be standard, reasonable and appropriate for applications of this kind. A thorough evaluation of Zoom’s implementation of this algorithm is beyond the scope of this review, but it would be fair to assert that Zoom has put the primary historic concerns about its encryption to bed with this update.

Apparently in order to bolster their encryption capabilities, Zoom has announced the acquisition of Keybase. Keybase currently delivers an end-to-end encrypted secure messaging and file sharing platform. Zoom has stated that the acquisition is a key step in their “attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses”. Whilst it is not clear to us at this stage what Zoom’s strategy for this acquisition is, it would appear that the technology would position Zoom very strongly to provide full end-to-end encryption based on proven public key encryption methods at some point in the future.

Authentication

Zoom administrators can enable two-factor authentication using Google Authenticator, Microsoft Authenticator or FreeOTP[5].

According to their website, Zoom single sign-on (SSO) is based on the Security Assertion Markup Language (SAML 2.0[6]). Zoom acts as the Service Provider (SP) and offers automatic user provisioning. You do not need to register as a user in Zoom. It can also work with other Service Providers such as PingOne, Okta, Azure, Centrify, Shibboleth, Gluu, G Suite/Google Apps and OneLogin. Zoom can additionally work with Microsoft’s ADFS 2.0[7] SAML implementation.

Zoom actually offers a native 2FA implementation via various ‘One Time Pin’ applications for mobile, but these are only enforced for authentication to the web interface, i.e. not for joining meetings via the mobile or desktop applications. However the SSO various platforms supported would allow enhanced features like push-to-mobile for strong authentication for all elements of the Zoom ecosystem.

Until recently instant Zoom meetings didn’t enforce a password, meaning that anyone who got the meeting ID could join the ongoing meeting sometimes with funny tricks sometimes with more unethical behavior, but this issue appears to have been addressed by a series of new features culminating in the release of Zoom v5.

It has also been disclosed that Zoom settings would add the same domain email address to a sole directory, which in some cases people using a personal email address could be added to a pool of contacts they know nothing about, sharing their personal information such as email address and photo. As of 18 April Zoom has stated that users will no longer be able to search by full name for contacts with the same domain if they are not on the same account or organization. We believe this change mitigates the issue above.

Regulations and Jurisdiction

Zoom Inc is a registered U.S. company, but media reports have suggested that it is tightly integrated with several Chinese businesses, employs developers in China and indeed has accidentally routed some traffic through servers in China for a small subset of their users. This caused concern and outcry for users and businesses who believed Zoom to fall wholly under US jurisdiction[8].

However, Zoom does have an option under its advanced settings for paid accounts that allow users to opt-out of certain data center regions. Any number of regions can be deselected, except the region from which the account was provisioned. According to Zoom’s site “Datacenter regions selections apply only for meeting and webinar traffic. The selections do not impact the location of data at rest. Datacenter region selections also do not apply to Zoom Phone or related features”[9].

Another feature promoted on Zoom’s website is worth noting. Zoom “Meeting Connector” is a hybrid cloud deployment method, which allows a customer to deploy a Zoom multimedia router (software) within the customer’s internal network. According to their site: “User and meeting metadata are managed in Zoom communications infrastructure, but the meeting itself is hosted in the customer’s internal network. All real-time meeting traffic including audio, video, and data sharing go through the company’s internal network”.

Zoom claims adherence to privacy standards like HIPAA and GDPR and asserts that its policies are designed to reflect their compliance with the requirements of the Children’s Online Privacy Protection Act (COPPA), the Federal Education Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and other applicable laws. That appears to be mostly by virtue of the fact that it doesn’t collect the relevant data or obtain user consent before doing so.

Security Features and Management

Zoom offers role-based access control which enables an account to have additional user roles. User roles can have a set of permissions that allows access only to the settings pages a user needs to view or edit.

Zoom’s ‘Admin Management’ portal appears very similar to the advanced settings page a user would work with, but with the added ability to define settings for various subsets of users. An administrator can not only set defaults for these settings but can also opt to ‘lock’ a setting so that it can’t be overwritten by an individual user. Our experience of the interface showed it to be fast, simple and intuitive once properly installed.

The portal also allows admins to view the software versions running for different users, but there doesn’t appear to be a way to centrally manage the client software. According to the Zoom site, “the Desktop Client can be mass configured for Windows in 3 different ways: via the MSI installer for both configuration and installation, an Active Directory administrative template utilizing Group Policy for configuration, or via registry keys for configuration”[10].

Vulnerability and Exploit history

The NIST National Vulnerability Database records six vulnerabilities for Zoom since the beginning of 2019:

Several of the vulnerabilities counted above would be considered ‘serious’, but at least two are being disputed by Zoom.

The recent vulnerabilities and breaches have attracted a lot of attention and apparently undermined trust in the technology. Here’s a brief summary:

• Zoom, by apparently misunderstanding the Facebook Software Development Kit (SDK), shared data of iOS users with Facebook for a certain time. Fortunately, these data transfers were stopped after being reported[11].
• Citizen Lab reported an issue in which Zoom would automatically send a live video stream of the meeting, as well as the meeting’s decryption key, to all users in a meeting’s waiting room[12].
• Zoom allows you to automatically generate address directories: People working in the same company can group directories. However, there were concerns because Zoom did the same with personal email addresses such as Gmail, exposing hundreds of thousands of email addresses to other third parties[13].
• A previous version of Zoom for MacOS installed a secret web server, which was not removed when the application was uninstalled. This issue was eventually addressed after some public outcry[14].

However, Zoom seems to understand these security issues and has been aggressively taking necessary measures to address these issues and patch vulnerabilities as soon as possible. The new 5.0 update addresses all the security vulnerabilities known to us at the time of writing, as summarized in the table below.

• [1] theintercept.com/2020/03/31/zoom-meeting-encryption/
• [2] citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
• [3] link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_451
• [4] www.itpro.co.uk/security/29671/what-is-aes-encryption
• [5] support.zoom.us/hc/en-us/articles/360038247071-Setting-up-and-using-two-factor-authentication
• [6] en.wikipedia.org/wiki/Security_Assertion_Markup_Language
• [7] docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786469(v=ws.10)
• [8] www.cnbc.com/2020/04/15/nancy-pelosi-calls-zoom-a-chinese-entity.html
• [9] support.zoom.us/hc/en-us/articles/360042411451-Selecting-data-center-regions-for-hosted-meetings-and-webinars
• [10]support.zoom.us/hc/en-us/articles/201362163-Mass-Installation-and-Configuration-for-Windows
• [11] betanews.com/2020/03/28/zoom-data-sharing-update/
• [12] citizenlab.ca/2020/04/zooms-waiting-room-vulnerability/
• [13] digitalguardian.com/blog/zooms-privacy-problems-snowball-two-zero-days-uncovered
• [14] www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras

Microsoft Teams is a proprietary collaborative communication application, operating only in SaaS mode, officially launched by Microsoft in November 2016. The service can be integrated with Microsoft Office 365 suite and Skype for Business. It is also expected to replace Skype, which will be abandoned in July 2021. The solution allows collaborative work (co-publishing and storage of documents, access to e-mails and an instant messaging system, etc.), thus offering far beyond the traditional features of video conferencing systems. Teams also offers extensions that can be integrated into products other than Microsoft.

Microsoft Teams has been available in a free version, limited to 300 members, since July 13, 2018, although some features of Office 365 are missing. The solution now claims more than 44 million active users with an exponential acceleration since the beginning of the massive pandemic-driven teleworking migration in many countries.

Features

The solution is available on most Microsoft Windows, MacOS, Android, iOS and GNU / Linux distributions. The product is completely usable via a browser, with no need to install a client. However, the optional rich client or a fully supported browser (like Microsoft Edge based on Chromium or Chrome itself) is required to access advanced features like content sharing, control of shared content, and background[1].

A free version exists for SMEs (up to 300 users) although it offers very limited functionality. We feel that the solution might be a bit heavy for very basic or occasional needs.

Results table

Encryption

Teams uses Transport Layer Security (TLS), and mutual TLS (MTLS) which encrypt instant message traffic. Point-to-point audio, video, and application sharing streams are encrypted using Secure Real-Time Transport Protocol (SRTP)[2]. Files are stored in SharePoint and secured by SharePoint encryption. Notes are managed via OneNote and protected by OneNote encryption, also hosted on a SharePoint. Microsoft asserts that with Microsoft O365 data is encrypted in transit and at rest.

Network communications are encrypted. All Teams servers must use certificates and implement technologies like Oauth, TLS or SRTP plus 256-bit encryption. Communications are encrypted from users to Teams servers, meaning they are not encrypted end-to-end[3].

Teams requires all servers to contain at least one Certificate Revocation List distribution point for purposes of verifying that a certificate has not been revoked since the time it was issued.

Microsoft O365 offers an added layer of encryption at the application level called ‘service encryption’, which covers data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files[4].

According to Microsoft Tech Community contributor ‘Alexwall’[5], “Microsoft retains an availability key, which means that Microsoft could access all customer data. The lack of encryption of Teams messages, as well as the existence of an availability key for all services, would be a concern for a customer that wants 100% security”[6].

The mobile client supports App Protection Policies from Microsoft InTune that would ensure that its content is encrypted on the mobile endpoint device[7].

Authentication

Authentication is based on Office 365 with Microsoft Azure in particular. Microsoft Teams desktop clients for Windows and Mac support ‘modern authentication’ which brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms[8]. Microsoft Teams supports all the identity models that are available with Office 365 and has a comprehensive set of tools for provisioning and managing identities, all tied in with existing Active Directory or Azure implementations.

Multi-Factor authentication is supported with any Microsoft 365 or Office 365 plan that includes Microsoft Teams, with support for phone calls, text, One Time Pin or Mobile App Notification as second factors. Users also benefit from the additional security controls provided by Microsoft across its O365 range of services.

Jurisdiction & Regulation

Teams is categorized by Microsoft as a ‘Tier D’ compliant application, which means it adheres to ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and the EU Model Clauses (EUMC). Teams is also German government BSI Cloud Security Alliance compliant.

For new customers only, data in Teams resides in the geographic region associated with the customer’s Office 365 organization. Currently, Teams supports the Australia, Canada, France, Germany, India, Japan, South Africa, South Korea, Switzerland (which includes Liechtenstein), the United Arab Emirates, United Kingdom, Americas, APAC, and EMEA regions[9]. We were not able to determine whether this also applies to voice, video and text communications.

However, Teams is a SaaS solution delivered by Microsoft, which falls under the jurisdiction of the United States government. Encryption keys are owned by Microsoft by default and is therefore technically able to decrypt your data. This may be of concern to clients operating outside the U.S.A.

Security Features and Management

Microsoft Teams is supported separately as a cloud app in Azure Active Directory conditional access policies. Conditional access policies that are set for the Microsoft Teams cloud application apply to Microsoft Teams when a user signs in.

As a component of Microsoft 365, Teams benefits from a comprehensive and granular set of centralized security and compliance management tools well suited to the enterprise, especially if Microsoft AD or Azure are already in use.

Microsoft 365, with all its inter-connected applications is highly sophisticated and complex, however. We feel that without the required skill and appropriate care, the average organization is more likely to suffer a breach due to an accidental leak or misconfiguration than as a result of the technical interception of data by an adversary or Microsoft themselves.

Vulnerability & Exploit History

There is one vulnerability recorded for Microsoft Teams specifically in the NIST National Vulnerability Database in the period from the start of 2019 to the time of writing, but there has been a number recorded for associated products like Skype, Skype for Business and SharePoint.

On April 28, 2020 Researchers at Cyb0rArk created a proof-of-concept (PoC) attack that involves an inside attacker getting a victim to view a malicious GIF that allows an attacker to take over the victim’s Teams account. They reported two insecure subdomains to Microsoft, which resolved the issue in under a month. Using the bug, an attacker could gain access to an organizations’ Teams accounts by making Teams API calls, which allows one to read and send messages, create groups and add and remove users.

Generally, although there is little data with which to assess this product’s security heritage, it would be fair to argue that Microsoft has robust processes and has developed a strong reputation in this regard.

1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet

• [1] docs.microsoft.com/en-gb/MicrosoftTeams/get-clients
• [2] en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
• [3] docs.microsoft.com/en-us/microsoftteams/teams-security-guide
• [4] docs.microsoft.com/en-us/microsoft-365/compliance/office-365-service-encryption
• [5] techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/555109
• [6] techcommunity.microsoft.com/t5/microsoft-teams/end-to-end-encryption-with-microsoft-teams/m-p/804842
• [7] docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy
• [8] docs.microsoft.com/en-us/MicrosoftTeams/identify-models-authentication
• [9] docs.microsoft.com/en-us/microsoftteams/location-of-data-in-teams