Zoom/Microsoft Teams — Major Security Concerns Comparison Report

Ten years ago, Skype was the go-to video conferencing application, and it wasn’t used exclusively for meetings or interviews. There was a time when the average user relied on Skype to connect with family and friends. Skype connected people living on different continents and gave them the ability to have an “audio-visual” conversation. Eventually, other companies followed suit and from 2011–2013, there was a spike in the number of video-calling applications. As smartphones became more advanced, developers were determined to make video calling a necessary feature. Fast forward to 2020, and video calling is an indispensable commodity. In the era of quarantine (at the time of writing), video calling is hailed as a blessing from the “technology gods” and, besides connecting people, it has also allowed businesses to function.

Zoom and Microsoft Teams

While Zoom gained mainstream popularity with the onset of the coronavirus, it was already being used by at least half a dozen Fortune 500 companies in 2019. Microsoft Teams has a similar story. Microsoft had tie-ups with businesses as well as universities, so it was popular in its own right.

But these services, while popular, do suffer from serious security issues that are worth talking about. That’s what this report addresses. The report compares the security concerns that Zoom and Microsoft Teams raise and looks at some of the recommendations that could potentially safeguard their users from these issues.

What Can the Statistics Tell Us?

While the rise of Zoom’s usage has been remarkable, it is worth noting that the majority of it comes from free users. So, even if Zoom is the preferred platform, it’s still not pulling in much revenue. On the other hand, a subscription to Microsoft’s Office 365 includes access to Microsoft Teams. Hence, it becomes easier for users to use Teams since Office 365 is a prerequisite for all kinds of work. But that doesn’t take away from the fact that Zoom is ahead in terms of its users and Microsoft Teams is right on its tail.

Also, Skype is owned by Microsoft and is bundled with Office 365 and every Windows-based device. Thus, it is safe to say that Microsoft has a better presence in the market.

But How Do They Technically Work?

Zoom and Microsoft Teams are built on the same foundation. The audio and video devices capture input and convert it into digital data for the user. With the right application optimization, the digital data is further broken down for quick transmission and seamless viewing across the users’ screens.

However, this leaves out a major feature of both platforms. Have you wondered how these applications are able to share your screen? This works by an interaction between the host systems. The host systems (computers or phones) communicate with one another, and the presenter’s host communicates what’s on its screen to the target host. This information travels via the internet, and that’s why it asks for a unique PIN for the target user’s system so that the information successfully reaches it. It also compresses the data and, by identifying the important changes that need to be shared, minimizes bandwidth usage. Bear in mind that all information packets that travel over the internet are encrypted (with SSH or 128-bit Advanced Encryption Standard).

Feature Breakdown

At their core, both Teams and Zoom are telecommunications applications. Their features overlap with one another, which is also responsible for the competition between them. As for availability, both platforms are available on smartphones (Android and iOS) as well as Windows and macOS devices.

Here is a head-to-head breakdown of the distinct features offered by both platforms.

Just like any other application, there are pros and cons to using either. Since Teams is a product of Microsoft, it is thought to be more secure than Zoom, and the integration with Office 365 makes it extremely attractive, especially for businesses and employees. Zoom, however, has a clean and simple UI and its freemium-based model is better than Microsoft Teams’. Hence, if you’re looking for a platform that boosts your work efficiency, Teams might be better suited. However, Zoom would be attractive to those who are not willing to spend so much and have no problem navigating around without the Office 365 integration.

Let’s Talk About Security First!

The whole scandal pulled the lid off how companies like Facebook misuse user data for the benefit of running ads. Advertisements fetch revenue for these websites offering free memberships, with every click that you make earning them revenue from the advertiser. The advertisers need data to curate ads according to items that you have been looking for. This remains the case and is unlikely to change. With respect to Zoom and Teams, however, there are other threats that need to be discussed.

While data breaches are a common concern for every application in use, spying is the other end of the spectrum. Since these applications utilize video and audio input, users are at risk of being spied on, even when the cameras aren’t in use. Sensing people’s paranoia, major notebook manufacturers like HP and Lenovo designed a video camera lock on their notebooks, which gives users the option to physically block the video camera when not in use.

Zoom has been riddled with security issues, especially since its usage rate spiked. The concern around its security issues led numerous authorities to forbid its use in their institutions and, in some cases, countries. Until its security concerns came to light, Zoom’s privacy policy gave it explicit permission to do whatever it wanted with its users’ data. Its clean, easy-to-use UI also makes it susceptible to invasion by uninvited agents. Lastly, there have also been reports of Zoom being vulnerable to foreign surveillance.

Microsoft Teams isn’t any safer either. First off, it’s owned by Microsoft, the behemoth that controls the majority of computing devices in the world. A group of independent developers also noticed a flaw that, if left unattended, can be used to exploit Microsoft Teams users. Also, there are certain password cracking methods that Teams hasn’t addressed (at the time of writing) that warrant concern.

How Do Zoom and MS Teams Fare, Security-Wise?

Zoom

Zoom doesn’t have the kind of resources that Teams has, given that Teams is the brainchild of one of the largest tech companies in the world. Thus, the people working behind it, especially on security, have a lot more to deal with. Malware-embedded installers are extremely common across the internet. Harmless, legitimate-looking programs can infect a system with malware that can easily go unnoticed as it tends to run in the background, sucking up resources from the system. Zoom does tend to have a history with it. These malware-infected installers accomplish diverse tasks such as mining cryptocurrency as well as breaking into the target’s system to provide unrestricted remote access. This also explains how foreign hackers are able to maximize their “attack-rate” as these installers act as malware carriers. This incident eventually made Standard Chartered take notice and it became the first major bank to ban the use of Zoom over its cyber security woes.

The coronavirus also created unemployment, with more job seekers desperately looking for a source of income to support themselves. Their vulnerability gave rise to phishing scams, which were carried out via Zoom video call invites. These invites were disguised as potential networking opportunities with prospective employers and forced the attendees to disclose their confidential information. Hacking has come a long way and appearances matter. So, this particular phishing scam was executed to a “T”, as the hackers took a lot of time developing fake web pages that looked the same as a legitimate web page of a legitimate company.

One would expect Zoom to be encrypted, given the intimate nature with which it is used. Unfortunately, that isn’t the case. While Zoom makes some claims over its encryption prowess, that is far from the truth. Zoom uses TLS encryption for its meetings. This is the same encryption standard that servers use to secure HTTPS sites (it’s used for secure communication on the internet). Therefore, the connection between the Zoom application running on any device and Zoom’s servers is secure. Even someone spying on a user’s Wi-Fi won’t be able to see their communication with others. The only exception in this case is the Internet provider itself, who potentially has access to anything that their subscriber does on the internet. It is worth noting that Zoom chat, however, is well-encrypted. But Zoom isn’t solely a chat application, is it?

Advertisers also make matters worse for Zoom’s security framework (if any). Zoom explicitly shares data with its advertisers and, since the majority of its users are on the free plan, it turns to ads to earn revenue. It harvests personal data, all for the sake of earning money, and essentially feeds off of it. This personal data will be used across the internet and encroaches upon the little privacy that the users have.

Zoom has a meeting ID which the host generates. Once generated, anyone who has the ID can join the meeting. That is also easily hackable, as there are ways to figure out the code using zWarDial. This tool generates random or sequential numbers and uses them to search for meetings happening across the platform. Once a correct ID is generated, hackers can join those meetings, with the attendees being completely oblivious to it.
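From the defender's side, this kind of ID guessing shows up as one source trying many different meeting IDs in a short time, most of which do not exist. The following detection sketch is an added example, not code from Zoom or from the original article; the log format, the `not_found`/`joined` result values, the thresholds and all sample records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<epoch_seconds> <source_ip> <meeting_id> <result>"
SAMPLE_LOG = """\
1588320000 198.51.100.7 5550001000 not_found
1588320002 198.51.100.7 5550001001 not_found
1588320004 198.51.100.7 5550001002 not_found
1588320005 203.0.113.20 7312204481 joined
1588320006 198.51.100.7 5550001003 joined
1588320008 198.51.100.7 5550001004 not_found
1588320010 198.51.100.7 5550001005 not_found
1588320300 203.0.113.20 7312204481 joined
1588320400 192.0.2.33 9046617725 not_found
1588320460 192.0.2.33 9046617752 joined
"""

def parse_attempts(log_text):
    # Yield (timestamp, source, meeting_id, result); skip malformed lines.
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[2].isdigit():
            continue
        yield int(parts[0]), parts[1], int(parts[2]), parts[3]

def find_enumerators(log_text, window_s=60, min_ids=5, min_miss_ratio=0.7):
    """Flag sources that try many distinct meeting IDs, mostly misses, in one window."""
    by_source = defaultdict(list)
    for ts, src, meeting_id, result in parse_attempts(log_text):
        by_source[src].append((ts, meeting_id, result))
    findings = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1  # slide the window forward
            window = events[start:end + 1]
            ids = {mid for _, mid, _ in window}
            misses = sum(1 for _, _, res in window if res == "not_found")
            if len(ids) < min_ids or misses / len(window) < min_miss_ratio:
                continue
            if src in findings and findings[src]["distinct_ids"] >= len(ids):
                continue  # keep the widest window seen for this source
            order = [mid for _, mid, _ in window]
            findings[src] = {
                "distinct_ids": len(ids),
                "misses": misses,
                # consecutive attempts that differ by exactly 1 (sequential guessing)
                "sequential_steps": sum(1 for a, b in zip(order, order[1:]) if b - a == 1),
                # meetings the source actually got into: the hosts to notify
                "joined_ids": sorted(mid for _, mid, res in window if res == "joined"),
            }
    return findings

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The participant who mistyped one ID and then joined (192.0.2.33) is not flagged; only the source that walked through six consecutive IDs is.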

Zoom also reported issues with its file-sharing system, wherein the system took over the mic and camera on macOS. While this was fixed later on, it doesn’t take away from the fact that this could also spill over to other devices and has the ability to infect files. Fake Zoom sites also sprang up during the coronavirus pandemic, with over 70 fake Zoom sites reported to have captured personal information.

Microsoft Teams

The same situation is applicable in the eDiscovery industry as well, an industry which Office 365 has silently disrupted. By becoming more eDiscovery friendly, it enticed users to permanently switch to Office 365 for all their needs, which implies that Teams has to be the preferred communication channel. This is due to the fact that migrating data outside this environment requires a steep learning curve and is flat-out time-consuming.

In December 2019, Microsoft revealed that it had encountered a security breach of its customer support database which predominantly affected Teams and harvested sensitive information from the platform. A similar incident was reported in April 2020 wherein an “Evil Gif” stole data from various groups. This only affected the desktop and browser versions of Teams and this flaw exposed that Microsoft’s method of handling authentication tokens for image files had issues. The tokens were handled by a server, which could easily be hijacked, making way for hackers to orchestrate their attacks.

Similar to Zoom, the rise of Microsoft Teams also resulted in a host of fake, genuine-looking Microsoft Teams login pages. These login pages have been consistently used to extract passwords and, since they appear to be genuine, they also ask for a sum of money to get more Office 365 features. As of May 1, 2020, researchers reported that over 50,000 users had been victims of this attack.

Hence, most of Microsoft Teams’ woes relate to the subdomains that it uses. The issue of granting authentication tokens (“authtokens”) exposed that Microsoft needs to work out how it grants authentication to users and it starts by identifying breaches in the first place. CyberArk managed to expose the authentication aspects that Microsoft had completely neglected. To be fair, they did act upon it as soon as it was reported. It just makes one wonder whether the framework is still susceptible to it or not.

What Should Be Done?

So, as an online user, you need to embrace the fact that if you are going to be online, the internet will learn that knowledge and store it within its framework. So, does that mean you should stop accessing the internet altogether? Of course not! That wouldn’t be any fun, would it?

If users are going to use the internet, they need to be up to date with issues that surround the platforms that they use. User interaction forms the core of any online service, so it’s the user’s responsibility to observe caution and be aware of how the dynamic world of the internet works, even if they aren’t as tech-savvy as they should be. The argument here is that since they are using the internet so intimately, it’s the least they can do to protect their online identity. So here is a PSA — pay attention to the kind of permissions that applications are asking from you before blindly granting them. Some of them wouldn’t be justified and if you feel that way, deny the request right away, even if the application is as legit as Facebook!

With respect to Zoom and Microsoft Teams, their developers do need to step up and protect their users from the security vulnerabilities that come with using them. Corporate affairs are dependent on these platforms in the COVID-19 era and will be the same moving forward. COVID-19 gave rise to a bunch of fake news that pushed the wrong buttons with people (people believing 5G deployment caused COVID-19) and that also happened with both Zoom and Teams. A common issue between them was that of fake, malware-infested installers stealing people’s data, and both companies need to focus on assigning the right online moderators who are skilled at dealing with an issue of this magnitude. Online moderators manage the content of their platforms and, since these installers are the gateway to some confidential conversations, moderators will help curb these installers. This also means that users need to observe caution while downloading the installers and should only download them from reliable sources, such as the main website of the application itself. Differentiating between them might be a tough task and that’s where moderator intervention will ease things.

The next solution has more to do with the issue of unwanted individuals spying on meetings. Zoom and Teams have an issue with this, and they need to curb it altogether. Irrespective of whether someone is using the free version or the paid one, privacy is a basic right and needs to be respected. It also ties into the authentication issue that Microsoft Teams reported, and having a team that is focused on solving these issues, especially with peak traffic, is imperative moving forward. Since traffic will only increase, they need to hire the right kind of people who are competent enough to handle the pressure it will bring along with it.

Picture a scenario. You have been trying to find a job at a time when there are no jobs in the economy. You get a mail from a prospective employer that they are interested in you and would like to arrange a Zoom or Teams interview. They send you a link to join and you do it, since your career is riding on it. Once you access the link, you realize that it was a scam and a ransomware attack orchestrated on you. What do you do? This unfortunate experience is pretty common among these platforms, to prey on the desperate, and it pays off for the attackers. Therefore, it is imperative that communications are encrypted, and links are verified by the server.
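One way a mail gateway or invite-processing service could verify a meeting link before it reaches the user, shown as an added example that is not part of the original article or of either vendor's code. The allowlist is an assumption to be replaced by an organisation's own policy, and the sample links and `.example` hosts are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the hosts this organisation accepts in meeting invites.
ALLOWED_HOSTS = ("zoom.us", "teams.microsoft.com")

# Constructed sample links; the .example hosts are placeholders.
SAMPLE_LINKS = [
    "https://us02web.zoom.us/j/5550001003",
    "https://teams.microsoft.com/l/meetup-join/sample",
    "https://zoom.us.meeting-join.example/j/5550001003",
    "https://zoom.us@meeting-join.example/j/5550001003",
    "https://notzoom.us/j/5550001003",
    "http://zoom.us/j/5550001003",
    "https://z\u043e\u043em.us/j/5550001003",  # Cyrillic letters in place of "oo"
]

def check_invite_link(url):
    """Return (accepted, reason) for a meeting link found in an invite."""
    try:
        parts = urlsplit(url.strip())
        host, _port = parts.hostname, parts.port  # .port raises on junk ports
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if not host:
        return False, "no host"
    # "https://zoom.us@other.example/" really points at other.example
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before host"
    host = host.rstrip(".")
    # Look-alike letters and punycode labels are rejected outright
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False, "internationalised host"
    # Match whole DNS labels, so "notzoom.us" does not pass as "zoom.us"
    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return True, "allowed host"
    return False, "host not on allowlist"

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check_invite_link(link), link)
```

A host check like this only establishes where the link leads; it says nothing about whether the sender of the invite is who they claim to be.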

Here is an overview of the recommendations that should be adopted, along with the pros and cons that can potentially follow suit after adopting them:

Alternative Providers

The same goes for the battle between Zoom and Microsoft Teams. There are alternatives and they are also worth checking out. Here are some of them detailed below along with their principal features:

1. Google Meet

2. Skype

3. Cisco Webex Meetings

4. TeamViewer

Final Thoughts

It is the responsibility of the companies behind these applications to objectively evaluate their security practices. If they themselves are compromised, the conversation of practicing good internet habits dies down right away, which will be an ultimate travesty. Over the past 3 years, if you’ve read any article that has the word “Data” in it, it would have reminded you how important it is and the market behind it. But the questions that you need to raise should be about the governance of this “Data” or “Big Data” since that seems to be the buzzword that “average Joes” have been losing sleep over.

As noted earlier, these services will take center stage in the post-COVID-19 world. Applications include hiring, collaborating and pretty much every meeting that businesses will engage in. Therefore, they hold the ability to build businesses as well as destroy them, and that is why their data collection policies need to change. While keeping it free does get more users, it comes at the cost of them giving up their data to advertisers. Perhaps making it mandatory to pay for these services could help alleviate these problems. Also, paying for it will put pressure on the developers to work on security because they will be accountable for it. What do you think? Which service do you prefer the most? Sound off in the comments below!

“I am always ready to learn although I do not always like being taught.” — Winston Churchill

Rhett Greenhagen
