As the world grapples a pandemic-social distancing, quarantine and lockdowns are the new normal, millions have flocked to chatting and conferencing apps such as zoom, houseparty and messenger. Video conferencing is a great way to learn and connect to our friends and family. Such apps are now seeing an all time high usage of their services, but are they resorting to insecure means to handle the growing user traffic?
Not only stars and business have put trust in these apps but also top government officials are using it to carry administrative work.

UK Prime Minister Boris Johnson accidentally revealed his Zoom ID for Cabinet meeting on Twitter, this sparked security and privacy concerns for the app.

There have been many reports stating that unknown users joined the app by managing to get the zoom meeting ids and showed obscene and graphic content.

Facebook & Zoom- A lethal mix

Zoom used Facebook’s sdk . SDK is a pre compiled code that developers can use to build certain features into their apps. Facebook can use this to steal your private information, every time you opened the app Facebook received the following information as stated in the updated privacy policy of zoom:-

• Application Bundle Identifier

• Application Instance ID

• Application Version

• Device Carrier

• iOS Advertiser ID

• iOS Device CPU Cores

• iOS Device Disk Space Available

• iOS Device Disk Space Remaining

• iOS Device Display Dimensions

• iOS Device Model

• iOS Language

• iOS Timezone

• iOS Version

• IP Address

Zoom recently removed the Facebook SDK and pretended to not know that Facebook collected the aforementioned data.

The report of the Citizen Lab, University of Toronto

A team at The Citizen Lab found that Zoom was using a non-standard type of encryption, and routing data through China, and that there are discrepancies between security claims in Zoom documentation and how the platform actually works.

Eric Yuan, CEO of Zoom Video Communications stated that this was done “by mistake” to handle the growing the number of users and to avoid crashes.

The security flaws as stated by the citizen lab were:

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, in our testing, a single AES-128 key was used in ECB mode by all meeting participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption. What this finding means is that the encryption in Zoom does not seem to have been well-designed or implemented. The AES-128 keys, which we verified were sufficient to decrypt Zoom packets intercepted in Internet traffic, appeared to be generated by Zoom servers, and in some cases, were delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, were outside of China. This finding is significant because Zoom is a company that primarily serves customers in North America and sending encryption keys via servers in China may potentially open Zoom up to requests from authorities in China to disclose the encryption keys. While this scenario is plausible, we do not have evidence that authorities in China or any other state have actually obtained meeting encryption keys.

Large firms like Google, NASA, Apple, SpaceX are not allowing employees to use Zoom.

500,000 Hacked Zoom Accounts Being Sold on Dark Web!

Zoom seems to have fallen deeper into trouble as a report by Bleeping Computer states that 500K zoom accounts were hacked and their data was sold. Every account was disposed for less than a penny each, and in some cases, given away for free.The accounts include those of well-known companies such as Chase, Citibank, educational institutions, and more. According to cybersecurity intelligence firm Cyble, free Zoom accounts were being posted on hacker forums around April 1 to gain an increased reputation in the hacker community. The purchased accounts include a victim’s email address, password, personal meeting URL, and their HostKey. Bleeping Computer later confirmed that credentials posted on the forums were genuine.

Many House party users too reported e-mails and various apps being hacked after downloading the app.

So what can be a secure alternative?

End to end encrypted AES256 encryption is a must and should preferably be open source. This ensures much greater security and privacy to its users.

Here are few which can be used:-

Group FaceTime

If you use Apple products, you can use Group facetime meetings. It supports up to 30 callers and has features like screensharing.

FaceTime uses Internet Connectivity Establishment (ICE) to establish a peer-to-peer connection between devices. Using Session Initiation Protocol (SIP) messages, the devices verify their identity certificates and establish a shared secret for each session. The cryptographic nonces supplied by each device are combined to salt keys for each of the media channels, which are streamed via Secure Real Time Protocol (SRTP) using AES-256 encryption.

Signal video call

Highly secure and well know signal allows for best in class end to end encryption and lets you share all messages, photos, videos, files and chat using video.Group chats are all so supported.

For businesses

Cisco Webex meetings.

Webex Meetings offers end-to-end encryption as an option on both video and audio chat as opposed to zooms end to end encryption only on audio chats.