 Tom here from Lawrence Systems, and is Zoom secure? Let's dive into a couple of the topics on there and kind of clarify a couple of things about how Zoom works. So if you want to learn more about me and my company, head over to LawrenceSystems.com. If you want to hire short projectors, they hire us button up at the top. If you want to support this channel in other ways, there's some affiliate links down below to get you deals and discounts on products and services we talk about on this channel. Represent Security has the war dialing tool exposes Zoom password problems, and Zoom has actually done a good job of responding and keeping uninvited guests out. And a lot of this has to do with the tyranny of the default. What happens is you leave the default settings as very easy so you can get lots of new users to join. Zoom skyrocketed for having, what I'm gonna say is a pretty good product here for the price. Zoom has a lot more features in a lot of the competitors. It works really well, it works very smooth. They have a lot of extra bells and whistles being able to hold polls during it, being able to share a screen, being able to locally save a copy of the recording. All these features were in the right place at the right time when suddenly everyone decided to work remotely. But those defaults of course came to bite them and they've had to dramatically respond. And a lot of it is because each Zoom meeting conference has assigned a meeting ID of nine to 10, nine to 11 digits. Naturally hackers have figured out a way they can simply guess and automate the guessing of random IDs within this digit space. And that's where war dialing comes in. You're not familiar with war dialing, it's an old term in the hacker community where you just take and incrementally go through numbers to discover what is on them. Back in the early days of phones, it was dialing numbers incrementally until you could figure out what was on each phone number. And logging the results with an automated tool and going back later and picking out the interesting ones and dialing up and figuring out what systems they were attached to. As much fun as that was, it's easy to translate into things like Zoom IDs where you can just go through and guess IDs. And this has led to people just randomly joining your Zoom because of these simple defaults of everyone can just click the link and join and people posting the links publicly. So they have now updated the defaults inside of Zoom and they have some guides here that I'll leave to to dive into how to really lock down and secure Zoom. They've also changed some of the defaults even if you have an existing account and put passwords on it and things like that. And I change mine to one, two, three, four, five, six. But by the way, when you're sharing out a link, you're frequently sharing the password embedded with it. That's one of the options it has. So these securities are helpful, but don't just tweet it out unless you want more people in there. And also they have the option put people in waiting rooms so you can approve who you want in there. So think about some of those things, go over the security settings. They're pretty simple to do here and especially things like setting up a waiting room and how do you want to proceed for letting people in? But the other part is what type of security does Zoom offer? Well, that's what I wanted to dive into. So right here is just nstatmpinatgrep Zoom. What does this mean? Well, we're going to launch Zoom and let's see what IP addresses it connects to. All right, here's some of the IP addresses it connects to and we'll just quickly do a new meeting. All right, and I can't start video because I'm using the video here so it just shows my account. But we can see I generated some traffic and it's going and connecting here. So I'm going to end the meeting for all and I'm going to go ahead and sign out of Zoom and exit. All right, and it just dropped all the connections. So now we go over to Wireshark. And what I did here, well, briefly, here's all those connections I saved. I mean, you can create a query in Wireshark or a filter, I should say not query. And what this does, I just said, hey, take all these IP addresses and filter for these. So I don't get all the traffic, I get just all the Zoom traffic. So I wanted to see all the traffic that's going inside of here and where is it going? So after doing a little bit of diving and the first question is, what about security? Well, let's start there. And I was going through and you can see right here, this is where it's doing the server hello for TLS 1.2. It does do a proper handshake. It goes through, grabs a security certificate, validates it, then starts the encrypted session. So once you're in here, yeah, Zoom is indeed using encryption. So go through and we can see all the encrypted layers. Now it's kind of interesting to me of just how many different IP addresses it connects to. I thought that was kind of interesting. But here and over there, it does have a lot of connections there. The other thing interesting about Zoom is it doesn't seem to have any that I could find peer-to-peer components. So I'd actually forged some of this, had set up a couple demo meetings with, I'm at home, I'm at my office right now and I set them up with my wife at home. And there is no exposure of my public IP address from home into Zoom as far as from my layer here. So Zoom definitely is always brokering through their servers the connection. But that leads to the privacy question a lot of people had, well, what about privacy? Well, they claim in an encryption, but one of the things the way Zoom works is their servers have to be able to see within the video stream. This is how they're able to manage all the participants, manage who's talking, switch screens and everything else. So that does mean, and this is true for most other video systems that do provide transport layer encryption, but they're using the words end to end encryption. They're in the middle of that end. So between me and my wife and the conversation we had over Zoom while I was testing was end to end encrypted, but the middleman was still Zoom. And so that's not too surprising, but it's one of those things when you think about it from a privacy standpoint, Zoom has had to answer a lot of questions lately kind of related to this. What are those questions? Well, has any government entity subpoenaed or asked you for information? Zoom has never really had to address this before because they were a very small company with a small user base. This explosion to a 200 million users all of a sudden using it means there's a lot of questions going, hey, we just had a conversation about something and many companies work remotely realize that they are having these conversations and now a third party is technically involved in all those conversations. So you still really have to think about that because this particular application, you're sending things encrypted from people listening on the line, but any government entity or whoever wanted to tap it or if it's a bad actor were to get with inside of Zoom servers, they do have part of the key. So the key handoff is exchange between Zoom and Zoom servers like the Zoom client on my system and Zoom servers and then exchanged again between people who you're joining your meeting, but Zoom always retains and is part of the transport layer of that. So when it comes to their security and privacy, yes, you are relying on them. So they technically could e-stop, listen in or however you wanna look at that from their standpoint. Now, do they have the time to listen into all 200 million people having conversations on their system right now? Probably not statistically that's difficult, but with automation it does get easier if they wanna look for and keyword things because of voice attacks and things like that. Now, like I said, this is not me hammering on Zoom specifically because most all the applications unless you host it yourself and you're the one in control of the servers, they all do the same thing. Very few of them that I'm aware of at all, actually right now I can't think of any that do group conferencing that the server doesn't handle it. The only couple tools that I've done reviews on before that do have end-to-end encryption as in your end and the end and no one in between would be signal messenger. They're one of the ones that's both open source, very clear about how they handle things and they also don't get in the middle of the connection in terms of being able to see the transport layer of the connection. So overall, I still think Zoom's a pretty good tool to use. I end up using it a lot myself because anytime I'm gonna do a podcast conference call with anyone else pretty much this has become the go-to tool form because of its local recording features, clarity and reliability. So I still think it's a good thing to use but I think you always have to be aware of the settings, aware of the potential default problems that you can have with it and make sure that you have passwords on here so you don't have people randomly jumping in and Zoom by me. So hopefully this makes a little bit of sense and if you have more questions, comments, concerns, let's head over to my forums and we can have a more in-depth discussion where this will be posted as well. All right, thanks. And thank you for making it to the end of the video. If you liked this video, please give it a thumbs up. If you'd like to see more content from the channel hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us head over to laurancesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you wanna carry on the discussion head over to forums.laurancesystems.com where we can carry on the discussion about this video, other videos or other tech topics in general even suggestions for new videos they're accepted right there on our forums which are free. Also if you'd like to help the channel in other ways head over to our affiliate page we have a lot of great tech offers for you and once again, thanks for watching and see you next time.