Zoom/Microsoft Teams — Major Security Concerns Comparison Report
10 years ago, Skype was the go-to video conferencing application that wasn’t exclusively used for meetings or interviews. There was a time when Skype was used by the average user to connect with their family and friends. Skype connected people living across different continents and gave them the ability to have an “audio-visual” conversation. Eventually, other companies followed suit and from 2011–2013, there was a spike in the number of video-calling applications. As smartphones became advanced, developers were determined to make video calling a necessary feature. Fast forward to 2020, video calling is an indispensable commodity. In the era of quarantine (at the time of writing), video calling is hailed as a blessing from the “technology gods” and besides connecting people, it has also allowed businesses to function.
Zoom and Microsoft Teams
Zoom’s popularity shot up due to the virus. Everyone has been thanking the team behind Zoom for this innovative and important piece of technology. The same goes for Microsoft Teams. Zoom and Microsoft Teams have allowed businesses to explore the idea of true remote work, given their features, and even if life goes back to normal after the virus subsides, their usage won’t subside.
While Zoom gained mainstream popularity due to the onset of the coronavirus, it was already being used by at least half a dozen Fortune 500 companies in 2019. Microsoft Teams has the same story. Microsoft had tie-ups with businesses as well as universities, so it was popular in its own right.
But these services, while popular, do suffer from serious security issues that are worth talking about. That’s what this report addresses. The report compares the security concerns that Zoom and Microsoft Teams raise and looks at some of the recommendations that could potentially safeguard their users from these issues.
What Can the Statistics Tell Us?
Zoom, invariably, benefited from the spread of the coronavirus. Its usage spiked in March 2020, with daily meeting participants averaging between 200–250 million. It touched 300 million in April. The same happened for Microsoft Teams as well, with Microsoft attributing a 775% increase in the usage of its cloud services to the usage of Teams.
While the rise of Zoom’s usage has been remarkable, it is worth noting that the majority of it comes from free users. So, even if Zoom is the preferred platform of choice, it’s still not pulling in much revenue. On the other hand, a subscription to Microsoft’s Office 365 includes access to Microsoft Teams. Hence, it becomes easier for users to use Teams since Office 365 is a prerequisite for all kinds of work. But that doesn’t take away from the fact that Zoom is ahead in terms of its users and Microsoft Teams is right on its tail.
Also, Skype is owned by Microsoft and is bundled with Office 365 and every Windows-based device. Thus, it is safe to say that Microsoft has a better presence in the market.
But How Do They Technically Work?
Traditional video calling applications utilize a form of technology known as VoIP (Voice over Internet Protocol). VoIP converts audio signals into digital data, which is then transmitted over the internet. This should put things into perspective as to why a strong internet connection is required when one attends a call made online. A bad connection breaks up the signal, so the process has to start all over again, which results in lag or dropped calls.
Zoom and Microsoft Teams are built on the same foundation. Video and audio inputs from the respective audio-video devices are converted into digital data, and the received digital data is converted back for the user. With the right application optimization, the digital data is further broken down for quick transmission and seamless viewing across the screens of the users.
However, this leaves out a major feature of both platforms. Have you wondered how these applications are able to share your screen? This works by an interaction between the host systems. The host systems (computers or phones) communicate with one another, and the presenter’s host communicates what’s on its screen to the target host. This information travels via the internet, and that’s why it asks for a unique PIN to the target user’s system so that the information successfully reaches it. It also compresses the data and, by identifying the important changes that need to be shared, minimizes bandwidth usage. Bear in mind that all information packets that travel over the internet are encrypted (with SSH or the 128-bit Advanced Encryption Standard).
At their core, both Teams and Zoom are telecommunications applications. Their features overlap with one another, which is also responsible for the competition between them. As for availability, both platforms are available on smartphones (Android and iOS) as well as Windows and macOS devices.
Just like any other application, there are pros and cons to using either. Since Teams is a product of Microsoft, it is thought to be more secure than Zoom, and the integration with Office 365 makes it extremely attractive, especially for businesses and employees. Zoom, however, has a clean and simple UI, and its freemium-based model is better than Microsoft Teams’. Hence, if you’re looking for a platform that boosts your work efficiency, Teams might be better suited. However, Zoom would be attractive to those not willing to spend so much and who have no problem navigating around without the Office 365 integration.
Let’s Talk About Security First!
The terms “Privacy” and “Online Security” matter more than ever post 2018. Unless you have been living in a bubble since 2018, you would have taken steps to ensure that your data is protected. But after reading the lines above, you might be wondering — “why is 2018 so important?” It is because 2018 marked the year when the whole Facebook-Cambridge Analytica scandal went down.
The whole scandal lifted the lid on how companies like Facebook were misusing user data for the benefit of running ads. Advertisements fetch revenue for these websites offering free memberships, with every click that you make fetching them revenue from the advertiser. The advertisers need data to curate ads according to items that you have been looking for. This remains the case and is unlikely to change. With respect to Zoom and Teams, however, there are other threats that need to be discussed.
While data breaches are a common concern with every application in use, spying is the other end of the spectrum. Since these applications utilize video-audio input, users are at risk of being spied on, even when these cameras aren’t in use. Sensing people’s paranoia, major notebook manufacturers like HP and Lenovo designed a video camera lock on their notebooks, which gives users the option to physically block the video camera when not in use.
Microsoft Teams isn’t any safer either. First off, it’s owned by Microsoft, the behemoth that controls the majority of computing devices in the world. A group of independent developers also noticed a flaw that exploits Microsoft Teams’ users, if left unattended. Also, there are certain password cracking methods that Teams hasn’t addressed (at the time of writing) that warrant concern.
How do Zoom and MS Teams fare, Security-Wise?
Now that we’ve touched upon the security issues, let’s evaluate both of them closely.
At this point, Zoom’s security issues have been uncovered by every major outlet. The team behind Zoom or even Microsoft Teams couldn’t have fathomed a situation such as the coronavirus wreaking havoc across the world. The silver lining for them was an unexpected increase in their usage, which is where the security issues are deep-rooted.
Zoom doesn’t have the kind of resources that Teams has, given it’s the brainchild of one of the largest tech companies in the world. Thus, the people working behind it, especially on security, have a lot more to deal with. Malware-embedded installers are extremely common across the realm of the internet. Harmless, legit looking programs can infect a system with malware that can easily go unnoticed as it tends to run in the background, sucking up resources from the system. Zoom does tend to have a history with it. These malware infected installers accomplish diverse tasks such as mining cryptocurrency as well as breaking into the target’s system to provide unrestricted remote access. This also explains how foreign hackers are able to maximize their “attack-rate” as these installers act as malware carriers. This incident eventually made Standard Chartered take notice and it became the first major bank to ban the use of Zoom over its cyber security woes.
The coronavirus also created unemployment, with more job seekers desperately looking for a source of income to support themselves. Their vulnerability gave rise to phishing scams, which were carried out via Zoom video call invites. These invites were disguised as potential networking opportunities with prospective employers and forced the attendees to disclose their confidential information. Hacking has come a long way, and appearances matter. So, this particular phishing scam was executed to the “T”, as the hackers took a lot of time in developing fake web pages that looked the same as a legit web page of a legit company.
One would expect Zoom to be encrypted, given the intimate nature with which it is used. Unfortunately, that isn’t the case. While Zoom makes some claims over its encryption prowess, that is far from the truth. Zoom uses TLS encryption for its meetings. This is the same encryption standard that is used by servers to secure HTTPS sites (it’s used for secure communication on the internet). Therefore, the connection between the Zoom application running on any device and Zoom’s servers is secure. Even someone spying on a user’s Wi-Fi won’t be able to see their communication with others. The only exception in this case is the internet provider itself, who potentially has access to anything that their subscriber does on the internet. It is worth noting that Zoom chat, however, is well-encrypted. But Zoom isn’t solely a chat application, is it?
Advertisers also make matters worse for Zoom’s security framework (if any). It explicitly shares data with its advertisers, and since the majority of its users are on the free plan, it turns to ads to earn revenue. It harvests personal data, all for the sake of earning money, and essentially feeds off of it. This personal data will be used across the internet and encroaches upon the little privacy that the users have.
Zoom has a meeting ID which the host generates. Once generated, anyone who has the ID can join the meeting. That is also easily hack-able, as there are ways to figure out the code using zWarDial. This tool generates random or sequential numbers and uses them to search for meetings happening across the platform. Once a correct ID is generated, hackers can join those meetings, with the attendees being completely oblivious to it.
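Random or sequential ID probing of this kind leaves a recognizable trace on the server side: one source trying many distinct meeting IDs in a short time, most of which do not exist. The detector below is an added example, not code from Zoom or from this report; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque

# Constructed join-attempt log: "<unix_ts> <source_ip> <meeting_id> <result>"
# result is "ok" (meeting exists) or "notfound" (no meeting with that ID).
SAMPLE_LOG = """\
1000 198.51.100.7 300000001 notfound
1002 198.51.100.7 300000002 notfound
1003 203.0.113.20 731245908 ok
1004 198.51.100.7 300000003 notfound
1006 198.51.100.7 300000004 ok
1008 198.51.100.7 300000005 notfound
1009 198.51.100.7 300000006 notfound
1300 203.0.113.20 731245908 ok
1400 192.0.2.55 912003417 notfound
1900 192.0.2.55 912003471 ok
garbage line that should be skipped
"""


def parse(log_text):
    """Yield (ts, src, meeting_id, result) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[2].isdigit()):
            continue
        yield int(parts[0]), parts[1], int(parts[2]), parts[3]


def find_enumerators(log_text, window=60, min_distinct=5, min_miss_ratio=0.8):
    """Flag sources that try many distinct meeting IDs, mostly nonexistent,
    inside a sliding time window (all thresholds are assumed values)."""
    recent = defaultdict(deque)  # src -> attempts still inside the window
    flagged = {}
    for ts, src, meeting_id, result in parse(log_text):
        attempts = recent[src]
        attempts.append((ts, meeting_id, result))
        while attempts[0][0] < ts - window:  # drop attempts older than window
            attempts.popleft()
        ids = sorted({m for _, m, _ in attempts})
        misses = sum(1 for _, _, r in attempts if r == "notfound")
        if len(ids) >= min_distinct and misses / len(attempts) >= min_miss_ratio:
            # Steps of exactly 1 between sorted IDs indicate a sequential sweep.
            steps = [b - a for a, b in zip(ids, ids[1:])]
            sequential = steps.count(1) >= 0.8 * len(steps)
            flagged[src] = {
                "distinct_ids": len(ids),
                "misses": misses,
                "pattern": "sequential" if sequential else "random",
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_enumerators(SAMPLE_LOG).items():
        print(src, info)
```

The participant who rejoins one meeting and the one who mistypes an ID once are not flagged; only the source sweeping through IDs is, which makes it a candidate for throttling.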
Zoom also reported issues with its File-Sharing system, wherein the system took over the mic and camera on macOS. While this was fixed later on, it doesn’t take away from the fact that this could also spill over to other devices and has the ability to infect files. Fake Zoom sites also sprang up during the coronavirus pandemic, with over 70 fake Zoom sites reported to have captured personal information.
Microsoft Teams isn’t nearly perfect when it comes to security. The first concern comes in the form of Data Residency. Data that Microsoft collects via Teams is stored on the SharePoint site of every user. This data is further stored in Azure, the cloud services platform owned by Microsoft. The data that is generated on Teams, irrespective of type, is converted to data that is compatible to be stored in the Azure directory. This raises concerns about how exactly Microsoft is handling user data. Also, once a user has created any form of data on Teams, migrating to any other service would be difficult since data is stored in a form that is compatible with Azure.
The same situation is applicable in the eDiscovery industry as well, an industry which Office 365 has silently disrupted. By becoming more eDiscovery-friendly, it enticed users to permanently switch to Office 365 for all their needs, which implies that Teams has to be the preferred communication channel. This is due to the fact that migrating data outside this environment requires a steep learning curve and is flat-out time-consuming.
In December 2019, Microsoft revealed that it had encountered a security breach of its customer support database which predominantly affected Teams and harvested sensitive information from the platform. A similar incident was reported in April 2020 wherein an “Evil Gif” stole data from various groups. This only affected the desktop and browser versions of Teams and this flaw exposed that Microsoft’s method of handling authentication tokens for image files had issues. The tokens were handled by a server, which could easily be hijacked, making way for hackers to orchestrate their attacks.
Similar to Zoom, the rise of Microsoft Teams also resulted in a host of fake, genuine-looking Microsoft Teams login pages. These login pages have been consistently used to extract passwords, and since they appear to be genuine, they also ask for a sum of money to get more Office 365 features. As of May 1, 2020, researchers reported that over 50,000 users had been victims of this attack.
Hence, most of Microsoft Teams’ woes relate to the subdomains that it uses. The issue of granting authentication tokens (“authtokens”) exposed that Microsoft needs to work out how it grants authentication to users and it starts by identifying breaches in the first place. CyberArk managed to expose the authentication aspects that Microsoft had completely neglected. To be fair, they did act upon it as soon as it was reported. It just makes one wonder whether the framework is still susceptible to it or not.
What Should Be Done?
For starters, users could and should practice good internet habits. Good internet habits in this context refer to being cautious about the kind of links that one opens. But it all starts with realizing that the user may not be as wary of security practices as they should be. The majority of users, who are of average technological literacy, tend to skip out on a lot of aspects of their own online security. They rely on the providers to protect them from attacks, which, in theory, is justified. Since the teams behind Zoom and Microsoft Teams are providing a free service, with ads, to these users, they need to make money as well. Once ads come into the equation, it’s not rocket science to figure out that a major portion of the user’s privacy is gone, unless they pay to get it back. But that’s when the concept of Data comes into the equation. Going back to the Facebook-Cambridge Analytica breach, Facebook had made its users aware of the fact that it earned revenue from advertisements, but people felt betrayed when they realized that Cambridge Analytica had been misusing their data to sell to advertisers. Even if an independent team of developers comes up with a similar application, it will need to make money to survive. Donations would potentially not cover it, and running ads becomes the only option to bring in the revenue. It’s a standard practice across internet-based media businesses, but the transparency over data use is what will set them apart. Zoom and Microsoft Teams need that transparency to establish some bragging rights over their platforms in terms of security.
So, as an online user, you need to embrace the fact that if you are going to be online, the internet will learn that knowledge and store it within its framework. So, does that mean you should stop accessing the internet altogether? Of course not! That wouldn’t be any fun, would it?
If users are going to use the internet, they need to be up to date with issues that surround the platforms that they use. User interaction forms the core of any online service, so it’s the user’s responsibility to observe caution and be aware of how the dynamic world of the internet works, even if they aren’t as tech-savvy as they should be. The argument here is that since they are using the internet so intimately, it’s the least they can do to protect their online identity. So here is a PSA — pay attention to the kind of permissions that applications are asking from you before blindly granting them. Some of them wouldn’t be justified and if you feel that way, deny the request right away, even if the application is as legit as Facebook!
With respect to Zoom and Microsoft Teams, their developers do need to step up and protect their users from the security vulnerabilities that come with using them. Corporate affairs are dependent on these platforms in the COVID-19 era and will be the same moving forward. COVID-19 gave rise to a bunch of fake news that pushed the wrong buttons with people (people believing 5G deployment caused COVID-19), and that also happened with both Zoom and Teams. A common issue between them was fake, malware-infested installers stealing people’s data, and both companies need to focus on assigning the right online moderators who are skilled at dealing with an issue of this magnitude. Online moderators manage the content of their platforms, and since these installers are the gateway to some confidential conversations, moderators will help curb these installers. This also means that users need to observe caution while downloading the installers and should only download them from reliable sources, such as the main website of the application itself. Differentiating them might be a tough task, and that’s where moderator intervention will ease things off.
The next solution has more to do with the issue of unwanted individuals spying in meetings. Zoom and Teams have an issue with this, and they need to curb this altogether. Irrespective of whether someone is using the free version or the paid, privacy is a basic right and needs to be respected. It also ties into the authentication issue that Microsoft Teams reported and having a team that is focused on solving these issues, especially with peak traffic, is imperative moving forward. Since traffic will only increase moving forward, they need to hire the right kind of people who are competent enough to handle the pressure it will bring along with it.
Picture a scenario. You have been trying to find a job at a time when there are no jobs in the economy. You get a mail from a prospective employer saying that they are interested in you and would like to arrange a Zoom or Teams interview. They send you a link to join and you do it, since your career is riding on it. Once you access the link, you realize that it was a scam and a ransomware attack orchestrated against you. What do you do? This unfortunate experience is pretty common on these platforms: it preys on the desperate, and it pays off for the attackers. Therefore, it is imperative that communications are encrypted, and links are verified by the server.
Here is an overview of the recommendations that should be adopted, along with the pros and cons that can potentially follow suit after adopting them:
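One form the link verification called for above could take is a hostname check applied to an invite link before it is opened or delivered. This is an added example, not code from Zoom, Microsoft or this report; the allowlist is an assumption, and every URL used with it is constructed (the `.example` hosts stand in for look-alike sites).

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains an organisation accepts for meeting links.
TRUSTED_DOMAINS = ("zoom.us", "teams.microsoft.com")


def check_meeting_link(url):
    """Return (verdict, reason); verdict is 'trusted' or 'suspicious'."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname
        userinfo = parts.username is not None or parts.password is not None
    except ValueError:
        return "suspicious", "unparseable URL"

    if parts.scheme != "https":
        return "suspicious", "not HTTPS"
    if not host:
        return "suspicious", "no hostname"
    # "https://zoom.us@other.example/" really points at other.example:
    # everything before '@' is userinfo, not the host.
    if userinfo:
        return "suspicious", "userinfo before '@' hides the real host"

    host = host.rstrip(".")
    # Homograph defence: refuse non-ASCII and punycode labels outright.
    if not host.isascii():
        return "suspicious", "non-ASCII characters in hostname"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label in hostname"

    # Accept the trusted domain itself or a true subdomain of it. A plain
    # substring test would wrongly accept "zoom.us.other.example".
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "trusted", "host belongs to " + domain

    for domain in TRUSTED_DOMAINS:
        if domain in host:
            return "suspicious", "trusted name used inside a different domain"
    return "suspicious", "host not on allowlist"


if __name__ == "__main__":
    # Constructed sample links.
    samples = [
        "https://acme.zoom.us/j/1234567890",
        "https://teams.microsoft.com/l/meetup-join/abc",
        "https://zoom.us.meeting-login.example/j/1234567890",
        "https://zoom.us@login.example/j/1234567890",
        "http://zoom.us/j/1234567890",
    ]
    for link in samples:
        print(check_meeting_link(link), link)
```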
The good thing about technology is that users will always have options. No company has ever created the perfect product that a user did not complain about and that’s how the competition thrives. Don’t like Xbox? You can choose between getting a PlayStation, Nintendo, or a PC. Feel iOS is too restricted? There’s Android. If you also happen to be among the minority that does not like either? Nokia still sells the classic Nokia 3310. So, you will always have options, even if your choice qualifies as an Unpopular Opinion.
The same goes for the battle between Zoom and Microsoft Teams. There are alternatives and they are also worth checking out. Here are some of them detailed below along with their principal features:
1. Google Meet
Google Meet has been in the market since 2017. It was initially launched as the enterprise sibling of Hangouts, which later ended up absorbing Hangouts itself. Google Meet offers nifty features that make it worthy of checking out, especially since your life heavily revolves around Google.
2. Skype
The “OG” video conferencing application that paved the way for Zoom and Teams to enter the market still remains a popular choice among many users. Skype isn’t just an ordinary service, it’s a cultural phenomenon. It made video conferencing possible at a time when it wasn’t and for the longest time, people would refer to video calling as Skype. “Let’s Skype” became the in-thing before others sprang onto the scene.
3. Cisco Webex Meetings
A popular choice among a host of Fortune 500 companies, Cisco Webex Meetings has been a mainstay in the business world. Its USP is that it is secure, with users having full autonomy over their sessions.
4. TeamViewer
TeamViewer has been a trusted end-to-use remote access software that allows users to share their screens with one another. It is extremely popular among product/support diagnosticians as it gives them the ability to diagnose issues with a user’s product from their own workspace.
Now that you have a bit more knowledge about Zoom and Microsoft Teams as well as the alternatives, you would be in a better position to decide which service is actually for you. Security issues will always surround any technology that users prefer to use and being ahead of the curve will always be beneficial to them. Being technologically educated should be treated as a pre-requisite before using anything because it helps evaluate the alternatives as well as the use-case.
It is the responsibility of the companies behind these applications to objectively evaluate their security practices. If they themselves are compromised, the conversation of practicing good internet habits dies down right away, which will be an ultimate travesty. Over the past 3 years, if you’ve read any article that has the word “Data” in it, they would have reminded you how important it is and the market behind it. But the questions that you need to raise should be about the governance of this “Data” or “Big Data” since that seems to be the buzzword that “average joes” have been losing sleep over.
As noted earlier, these services will take center stage in the post-COVID-19 world. Applications include hiring, collaborating and pretty much every meeting that businesses will engage in. Therefore, they hold the ability to build businesses as well as destroy them, and that is why their data collection policies need to change. While keeping it free does get more users, it comes at the cost of them giving up their data to advertisers. Perhaps making it mandatory to pay for these services could help alleviate these problems. Also, paying for it will put pressure on the developers to work on security because they will be accountable for it. What do you think? Which service do you prefer the most? Sound off in the comments below!