
In-depth product analysis – Zoom & Microsoft Teams

This is the second post in a series of blogs examining the security of various video conferencing products for business. In this post we examine Zoom and Microsoft Teams. Posts still to come over the next few days will dive into Cisco Webex, Cisco Webex Teams, Google Meet, BlueJeans, Skype for Business, Tixeo, Jitsi Meet and BigBlueButton.

To read about our approach to this analysis, understand the target security model we applied or see a side-by-side comparison of the products reviewed please visit our first post from this series.

If you’re interested in the detail from Zoom or Teams, please read on.

Zoom

Zoom Video Communications is a company based in San Jose, California. The business has enjoyed great success since its creation in 2011, but sales have apparently rocketed with the COVID-19 epidemic. Zoom attempts to differentiate itself on service quality and therefore relies exclusively on its SaaS model. Zoom is used as a collaborative audio and video solution for licensed users of meeting rooms, allowing them to work internally with colleagues as well as externally with partners through an innovative interactive interface.

Since the beginning of the COVID-19 pandemic and the introduction of self-isolation measures around the globe, the use of Zoom has grown exponentially (+535% in the United States alone). Several widely publicised vulnerabilities and breaches have undermined security and trust in the company. Whilst these concerns are warranted, we feel that there has also been a fair amount of hyperbole involved, which was part of our motivation for writing this report.

Zoom 5.0 was released on April 27, 2020 and now supports AES 256-bit GCM encryption. This will be enforced across the board starting May 30th, 2020 meaning only Zoom clients on version 5.0 or later will then be able to join meetings.

In-meeting security controls are now grouped together under the Security icon on the host meeting menu bar. These controls allow the host to enable or disable the ability for participants to: Screen share, Chat or Rename themselves. Hosts can also “Report a User” to Zoom’s Trust & Safety team, enable the Waiting Room feature whilst already in a meeting, lock the meeting once all attendees have joined to prevent unwanted guests and remove any participants which will then prevent that individual from rejoining the meeting.

Additional safeguards have now been implemented; these include:

  • Waiting Room enabled by default.
  • Complex eleven-digit unique meeting IDs are now in place. IDs are also removed from the content sharing window to prevent accidental sharing of meeting information.
  • Meeting passwords are now more complex and enabled by default for most customers. For administered accounts, account admins now have the ability to define password complexity requirements.
  • Meeting Registration & Meeting Authentication allows you to have participants register with their email, name and other details or to enable pre-set profiles to restrict access to authenticated users or from specific email domains respectively.
  • All cloud recordings are encrypted, with complex passwords enabled by default.
  • Audio Watermarks allow Zoom to help identify who recorded a meeting if it is shared without permission.
  • Screen Share Watermarks superimpose a participant’s email address onto shared content in the event a screenshot is taken.
  • Hosts can now select which data center regions they would like their in-meeting traffic to use when scheduling a meeting, and participants can see which data center they are connected to.

Features

The application allows screen sharing to collaborate and share notes, visible to all the participants. You can send messages to all participants with one click. Also, recording conferences on-device or in the cloud is possible.

Zoom integrates with “Personal Information Manager” (PIM) applications like Microsoft Outlook and runs on mobile phones (iOS and Android) or on touch screens to allow as many integrations as possible. It connects to numerous audio and video endpoints. To create and manage a meeting, installing a ‘thick’ (executable) client or a mobile application under Windows, Linux, Android or iOS is necessary. We found installing the product under GNU / Linux to be tricky, however. Attending or scheduling a meeting can also be done through a browser.

Zoom also provides integration with several conferencing hardware solutions for cameras, microphones and screens, via partnerships with selected vendors.

Zoom, unlike many solutions presented here, uses proprietary technology and does not use the generally accepted WebRTC standard. WebRTC is an interface allowing real-time communication online. The standard lets browsers support voice or data sharing directly, thereby eliminating the need to install specific software or extensions.

We found Zoom to be a very functional and easy-to-use tool, which has probably contributed to its meteoric rise. It’s available for the wide majority of platforms, including a browser, and does not require specific changes to corporate platforms or networks thanks to its SaaS operational model. Integration with the main email and calendar applications such as Microsoft Outlook or G Suite is smooth. Zoom also offers accessibility features for all participants, for example by enabling subtitles via REST APIs. Zoom’s widescale adoption also makes it an attractive choice for businesses wanting to connect with others outside their own organization.

Results table

Criterion | Rating | Notes

Encryption
Uses an appropriate encryption algorithm | Fully | GCM with AES-256 since v5. Not fully proven in production.
Uses a strong encryption key | Fully | AES-GCM with 256-bit keys
Data is encrypted in transit under normal use | Fully | However, the encryption keys for each meeting are generated by Zoom’s servers
Data stays encrypted on provider servers | Partially | Provided that meetings aren’t being recorded. See https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
Voice, Video and Text are all encrypted | Fully | See https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
File transfers & session recordings are encrypted | Fully | See https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | No | Expected in future with Keybase integration. But see https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/
Encryption implementation has withstood scrutiny over time | No | v4 encryption was criticized, but Zoom points out there has never actually been a reported compromise of their encryption. v5 encryption is only fully active from end May. Zoom is planning to publish a detailed draft cryptographic design on May 22.

Authentication
Administrators can define password security policies | Fully | For administered accounts, account admins now have the ability to define password complexity. See https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/
Supports MFA as default | Partially | 2FA does not apply to the Zoom Desktop Client or Mobile App. See https://support.zoom.us/hc/en-us/articles/360038247071-Setting-up-and-using-two-factor-authentication
Can integrate with Active Directory or similar | Fully | See https://support.zoom.us/hc/en-us/articles/201363023-SSO-with-Active-Directory
Can integrate with SSO solutions via SAML or similar | Fully | See https://support.zoom.us/hc/en-us/articles/201363023-SSO-with-Active-Directory
Offers RBAC | Fully | See https://support.zoom.us/hc/en-us/articles/115001078646-Role-Based-Access-Control
Allows passwords to be set for meetings | Fully | See https://support.zoom.us/hc/en-us/articles/360033559832-Meeting-and-webinar-passwords
Allows meeting password security policies to be set | Fully | See https://blog.zoom.us/wordpress/2020/04/14/enhanced-password-capabilities-for-zoom-meetings-webinars-cloud-recordings/

Jurisdiction
Headquarters address | USA | San Jose, California, U.S.
The vendor cannot technically access any data without the client’s consent | No | Expected in future with Keybase integration. See https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/
A full on-prem version is available for users who don’t want to trust the vendor | Partially | User and meeting metadata are still managed in the Zoom public cloud. See https://support.zoom.us/hc/en-us/articles/360034064852-Zoom-On-Premise-Deployment
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Partially | The feature exists but the number of regions is limited, e.g. with no provisions for the UK, Russia or any African areas. Possible ‘regions’ for provisioning are USA, Canada, Europe (NL, GER) and China.
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | No | See https://zoom.us/docs/en-us/privacy-and-security.html
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | SOC 2 (Type II); FedRAMP (Moderate); TrustArc; GDPR, CCPA, COPPA, FERPA and HIPAA compliant (with BAA); Privacy Shield certified (EU/US, Swiss/US, Data Privacy Practices). See zoom.us/privacy.
Provides a transparency report that details information related to requests for data, records, or content | No | In progress. See https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Fully |
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully |
Offers clear central control over all security settings | Fully |
Allows for monitoring and maintenance of endpoint software versions | Partially | An administrator can review client software versions, but 3rd-party tools would be required to enforce an update.
Provides compliance features like eDiscovery & Legal Hold | No | Not as far as we can tell.
Auditing and Reporting | Partially | See https://support.zoom.us/hc/en-us/articles/201363213-Getting-Started-with-Reports and https://support.zoom.us/hc/en-us/articles/360032748331-Operation-Logs
Additional content security controls like DLP, watermarking, etc. | Partially | Single, visible security settings icon; remove participants; report a user; screenshot watermarking; audio watermarking; share specific applications; Information Barriers

Vulnerability Management
Percentage of NVD 2019 | 0.02% |
Percentage of NVD 2020 | 0.08% |
Vendor discloses which vulnerabilities have been addressed | Partially | Zoom addresses several vulnerabilities on its site, but we could not find comments on all of them.
Vendor runs a bug bounty | Partially | A revamp of the program is in progress as of April 15. See https://blog.zoom.us/wordpress/2020/04/15/luta-security-katie-moussouris-zoom-bug-bounty/

Encryption

The solution is available exclusively as SaaS (or hybrid cloud), so customers need to be comfortable with trusting Zoom to protect the infrastructure and respect their data. In hybrid cloud mode, user and meeting metadata are managed on the public cloud, whilst video, voice and data sharing go through the on-premise Zoom meeting connector.

Zoom had previously suggested that its communications were end-to-end encrypted, but closer examination has revealed that this is not strictly speaking the case (using our definition above)[1]. Moreover, Citizen Lab reported that Zoom communications are encrypted using the AES-128 and not the AES-256 previously indicated by Zoom[2]. More problematic for some users, the Zoom AES-128 encryption keys could have been transmitted to third parties, possibly in China.

Zoom has, however, responded forcefully to address these and other issues, and the new 5.0 update includes upgraded encryption. The new ‘Galois/Counter Mode’ (GCM)[3] encryption will use the 256-bit ‘Advanced Encryption Standard’ (AES) algorithm[4], which is considered standard, reasonable and appropriate for applications of this kind. A thorough evaluation of Zoom’s implementation of this algorithm is beyond the scope of this review, but it would be fair to assert that Zoom has put the primary historic concerns about its encryption to bed with this update.
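To make the “AES-GCM with 256-bit keys” rows of the results tables concrete, here is an added example (our own illustration, not code from Zoom or Microsoft) of what that mode gives a defender: confidentiality plus an authentication tag, so a frame that has been altered in transit is rejected rather than decrypted into garbage. It assumes the Python `cryptography` package is installed; the key size check also shows how a 16-byte key would silently yield AES-128, the strength Citizen Lab observed in v4. The meeting id used as associated data and the media frame are constructed sample values.

```python
"""AES-256-GCM authenticated encryption of a media frame (added example)."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_BYTES = 12   # 96-bit nonce, the size GCM is specified for
KEY_BYTES = 32     # 256-bit key, the strength the results tables refer to


def key_bits(key: bytes) -> int:
    """Report the AES key size in bits. AESGCM accepts 128-, 192- or 256-bit keys,
    so a 16-byte key would quietly give AES-128 rather than AES-256."""
    return len(key) * 8


def seal(key: bytes, frame: bytes, header: bytes) -> bytes:
    """Encrypt one frame. `header` (e.g. a meeting id) is authenticated but sent in
    the clear. Returns nonce || ciphertext || 16-byte GCM tag."""
    if key_bits(key) != KEY_BYTES * 8:
        raise ValueError("expected a 256-bit key, got %d bits" % key_bits(key))
    nonce = os.urandom(NONCE_BYTES)  # must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, frame, header)


def unseal(key: bytes, blob: bytes, header: bytes):
    """Decrypt and verify. Returns the frame, or None if the ciphertext, the tag or
    the associated header was altered (GCM refuses rather than returning garbage)."""
    nonce, body = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    try:
        return AESGCM(key).decrypt(nonce, body, header)
    except InvalidTag:
        return None


def demo():
    """Round trip, then two tampering attempts; returns three booleans."""
    key = AESGCM.generate_key(bit_length=256)
    header = b"meeting-id:12345678901"            # constructed, 11 digits like a Zoom id
    frame = b"constructed sample audio frame bytes"  # constructed payload

    blob = seal(key, frame, header)
    round_trip_ok = unseal(key, blob, header) == frame

    # Flip one bit of the first ciphertext byte: the tag no longer verifies.
    flipped = bytearray(blob)
    flipped[NONCE_BYTES] ^= 0x01
    tamper_rejected = unseal(key, bytes(flipped), header) is None

    # Same ciphertext presented under a different meeting id: also rejected.
    wrong_header_rejected = unseal(key, blob, b"meeting-id:00000000000") is None

    return round_trip_ok, tamper_rejected, wrong_header_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The per-frame random nonce matters as much as the key length: reusing a nonce under one GCM key breaks both confidentiality and integrity, which is why an evaluator of any “AES-256-GCM” claim should ask how nonces are derived and how keys are rotated, not only how long the key is.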

Apparently in order to bolster their encryption capabilities, Zoom has announced the acquisition of Keybase. Keybase currently delivers an end-to-end encrypted secure messaging and file sharing platform. Zoom has stated that the acquisition is a key step in their “attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses”. Whilst it is not clear to us at this stage what Zoom’s strategy for this acquisition is, it would appear that the technology would position Zoom very strongly to provide full end-to-end encryption based on proven public key encryption methods at some point in the future.

Authentication

Zoom administrators can enable two-factor authentication using Google Authenticator, Microsoft Authenticator or FreeOTP[5].

According to their website, Zoom single sign-on (SSO) is based on the Security Assertion Markup Language (SAML 2.0[6]). Zoom acts as the Service Provider (SP) and offers automatic user provisioning, so you do not need to register as a user in Zoom beforehand. It can work with identity providers such as PingOne, Okta, Azure, Centrify, Shibboleth, Gluu, G Suite/Google Apps and OneLogin, and additionally with Microsoft’s ADFS 2.0[7] SAML implementation.

Zoom actually offers a native 2FA implementation via various ‘One Time Pin’ applications for mobile, but it is only enforced for authentication to the web interface, i.e. not for joining meetings via the mobile or desktop applications. However, the various SSO platforms supported would allow enhanced features like push-to-mobile strong authentication across all elements of the Zoom ecosystem.

Until recently, instant Zoom meetings didn’t enforce a password, meaning that anyone who obtained the meeting ID could join the ongoing meeting, sometimes as a prank and sometimes with more unethical intent, but this issue appears to have been addressed by a series of new features culminating in the release of Zoom v5.

It has also been disclosed that Zoom would add all users sharing an email domain to a single company directory, meaning that in some cases people using a personal email address could be added to a pool of contacts they know nothing about, sharing personal information such as their email address and photo. As of 18 April Zoom has stated that users will no longer be able to search by full name for contacts with the same domain if they are not on the same account or organization. We believe this change mitigates the issue above.

Regulations and Jurisdiction

Zoom Inc is a registered U.S. company, but media reports have suggested that it is tightly integrated with several Chinese businesses, employs developers in China and indeed has accidentally routed some traffic through servers in China for a small subset of their users. This caused concern and outcry for users and businesses who believed Zoom to fall wholly under US jurisdiction[8].

However, Zoom does have an option under its advanced settings for paid accounts that allows users to opt out of certain data center regions. Any number of regions can be deselected, except the region from which the account was provisioned. According to Zoom’s site, “Datacenter regions selections apply only for meeting and webinar traffic. The selections do not impact the location of data at rest. Datacenter region selections also do not apply to Zoom Phone or related features”[9].

Another feature promoted on Zoom’s website is worth noting. Zoom “Meeting Connector” is a hybrid cloud deployment method, which allows a customer to deploy a Zoom multimedia router (software) within the customer’s internal network. According to their site: “User and meeting metadata are managed in Zoom communications infrastructure, but the meeting itself is hosted in the customer’s internal network. All real-time meeting traffic including audio, video, and data sharing go through the company’s internal network”.

Zoom claims adherence to privacy standards like HIPAA and GDPR and asserts that its policies are designed to reflect its compliance with the requirements of the Children’s Online Privacy Protection Act (COPPA), the Federal Education Rights and Privacy Act (FERPA), the California Consumer Privacy Act (CCPA), and other applicable laws. That appears to be mostly by virtue of the fact that it doesn’t collect the relevant data, or obtains user consent before doing so.

Security Features and Management

Zoom offers role-based access control which enables an account to have additional user roles. User roles can have a set of permissions that allows access only to the settings pages a user needs to view or edit.

Zoom’s ‘Admin Management’ portal appears very similar to the advanced settings page a user would work with, but with the added ability to define settings for various subsets of users. An administrator can not only set defaults for these settings but can also opt to ‘lock’ a setting so that it can’t be overridden by an individual user. Our experience of the interface showed it to be fast, simple and intuitive once properly installed.

The portal also allows admins to view the software versions running for different users, but there doesn’t appear to be a way to centrally manage the client software. According to the Zoom site, “the Desktop Client can be mass configured for Windows in 3 different ways: via the MSI installer for both configuration and installation, an Active Directory administrative template utilizing Group Policy for configuration, or via registry keys for configuration”[10].

Vulnerability and Exploit history

The NIST National Vulnerability Database records six vulnerabilities for Zoom since the beginning of 2019:

Year | Reported | NVD Total | Percentage
2019 | 3 | 17,308 | 0.02%
2020 | 6 | 7,519 | 0.08%

Several of the vulnerabilities counted above would be considered ‘serious’, but at least two are being disputed by Zoom.

The recent vulnerabilities and breaches have attracted a lot of attention and apparently undermined trust in the technology. Here’s a brief summary:

  • Zoom, by apparently misunderstanding the Facebook Software Development Kit (SDK), shared data of iOS users with Facebook for a certain time. Fortunately, these data transfers were stopped after being reported[11].
  • Citizen Lab reported an issue in which Zoom would automatically send a live video stream of the meeting, as well as the meeting’s decryption key, to all users in a meeting’s waiting room[12].
  • Zoom allows you to automatically generate address directories: People working in the same company can group directories. However, there were concerns because Zoom did the same with personal email addresses such as Gmail, exposing hundreds of thousands of email addresses to other third parties[13].
  • A previous version of Zoom for MacOS installed a secret web server, which was not removed when the application was uninstalled. This issue was eventually addressed after some public outcry[14].

However, Zoom seems to understand these security issues and has been aggressively taking the necessary measures to address them and patch vulnerabilities as soon as possible. The new 5.0 update addresses all the security vulnerabilities known to us at the time of writing, as summarized in the table below.

Topic | Source | Disclosure date | Resolution date | Resolution | Description/Link
Attention tracking | https://www.vice.com/en_us/article/qjdnmm/working-from-home-zoom-tells-your-boss-if-youre-not-paying-attention | 16th March 2020 | 1st April 2020 | Remove feature | https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
Zoom Bombing | https://techcrunch.com/2020/03/17/zoombombing/ | 17th March 2020 | 20th March 2020 | Best security practices | https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/
Facebook SDK | https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account | 26th March 2020 | 27th March 2020 | Remove FB SDK | https://blog.zoom.us/wordpress/2020/03/27/zoom-use-of-facebook-sdk-in-ios-client/
End to End encryption | https://theintercept.com/2020/03/31/zoom-meeting-encryption/ | 31st March 2020 | 1st April 2020 | Clarification about Zoom encryption | https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
Microsoft UNC Links | https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/ | 31st March 2020 | 1st April 2020 | Software update | https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
Mac Local Privilege | https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/ | 1st April 2020 | 1st April 2020 | Software update | https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
Routing Data to China | https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/ | 3rd April 2020 | 3rd April 2020 | Configuration check | https://blog.zoom.us/wordpress/2020/04/03/response-to-research-from-university-of-torontos-citizen-lab/

Sources

[1] https://theintercept.com/2020/03/31/zoom-meeting-encryption/
[2] https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
[3] https://link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_451
[4] https://www.itpro.co.uk/security/29671/what-is-aes-encryption
[5] https://support.zoom.us/hc/en-us/articles/360038247071-Setting-up-and-using-two-factor-authentication
[6] https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
[7] https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc786469(v=ws.10)
[8] https://www.cnbc.com/2020/04/15/nancy-pelosi-calls-zoom-a-chinese-entity.html
[9] https://support.zoom.us/hc/en-us/articles/360042411451-Selecting-data-center-regions-for-hosted-meetings-and-webinars
[10] https://support.zoom.us/hc/en-us/articles/201362163-Mass-Installation-and-Configuration-for-Windows
[11] https://betanews.com/2020/03/28/zoom-data-sharing-update/
[12] https://citizenlab.ca/2020/04/zooms-waiting-room-vulnerability/
[13] https://digitalguardian.com/blog/zooms-privacy-problems-snowball-two-zero-days-uncovered
[14] https://www.theverge.com/2019/7/8/20687014/zoom-security-flaw-video-conference-websites-hijack-mac-cameras


Microsoft Teams

Microsoft Teams is a proprietary collaborative communication application, operating only in SaaS mode, officially launched by Microsoft in November 2016. The service can be integrated with the Microsoft Office 365 suite and Skype for Business. It is also expected to replace Skype, which will be abandoned in July 2021. The solution supports collaborative work (co-authoring and storage of documents, access to e-mail, an instant messaging system, etc.), thus offering far more than the traditional features of video conferencing systems. Teams also offers extensions that integrate with non-Microsoft products.

Microsoft Teams has been available in a free version, limited to 300 members, since July 13, 2018, although some features of Office 365 are missing. The solution now claims more than 44 million active users with an exponential acceleration since the beginning of the massive pandemic-driven teleworking migration in many countries.

Features

The solution is available on Microsoft Windows, macOS, Android, iOS and most GNU/Linux distributions. The product is completely usable via a browser, with no need to install a client. However, the optional rich client or a fully supported browser (like the Chromium-based Microsoft Edge or Chrome itself) is required to access advanced features like content sharing, control of shared content, and backgrounds[1].

A free version exists for SMEs (up to 300 users) although it offers very limited functionality. We feel that the solution might be a bit heavy for very basic or occasional needs.

Results table

Criterion | Rating | Notes

Encryption
Uses an appropriate encryption algorithm | Fully | All cipher suites supported by Office 365 use algorithms acceptable under FIPS 140-2. Office 365 inherits FIPS validations from Windows.
Uses a strong encryption key | Fully | AES-GCM with 256-bit keys. See https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
Data is encrypted in transit under normal use | Fully | See https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide
Data stays encrypted on provider servers | Unclear | We couldn’t clarify this from publicly available information. See https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide
Voice, Video and Text are all encrypted | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide
File transfers & session recordings are encrypted | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/encryption?view=o365-worldwide
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | Partially | A feature called Service Encryption allows your organization to supply the root keys and control the ability of Microsoft to process your data.
Encryption implementation has withstood scrutiny over time | Fully |

Authentication
Administrators can define password security policies | Fully |
Supports MFA as default | Fully |
Can integrate with Active Directory or similar | Fully |
Can integrate with SSO solutions via SAML or similar | Fully |
Offers RBAC | Fully |
Allows passwords to be set for meetings | No | See https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-in-teams
Allows meeting password security policies to be set | No |

Jurisdiction
Headquarters address | USA | One Microsoft Way, Redmond, Washington, U.S.A.
The vendor cannot technically access any data without the client’s consent | Partially | A feature called Service Encryption allows your organization to supply the root keys and control the ability of Microsoft to process your data.
A full on-prem version is available for users who don’t want to trust the vendor | No |
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Fully | See https://docs.microsoft.com/en-us/microsoftteams/location-of-data-in-teams
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-iso-27001?view=o365-worldwide and https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-c5-germany?view=o365-worldwide
Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | SSAE16; SOC 1 and SOC 2; HIPAA; EU Model Clauses (EUMC)
Provides a transparency report that details information related to requests for data, records, or content | Fully | See https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report

Security Management
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Partially | Waiting room
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully | See https://docs.microsoft.com/en-us/microsoftteams/meeting-policies-in-teams#meeting-policy-settings---general
Offers clear central control over all security settings | Fully | See https://docs.microsoft.com/en-us/microsoftteams/manage-teams-skypeforbusiness-admin-center
Allows for monitoring and maintenance of endpoint software versions | Fully | Via Microsoft Endpoint Configuration Manager, MSI, GPO or other Microsoft tools.
Provides compliance features like eDiscovery & Legal Hold | Fully | See https://docs.microsoft.com/en-us/microsoftteams/security-compliance-overview
Auditing and Reporting | Fully | See https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide
Additional content security controls like DLP, watermarking, etc. | Fully | Advanced Threat Protection; Safe Links; Safe Attachments; Information Barriers; Communications Compliance; Data Loss Prevention; share specific applications

Vulnerability Management
Percentage of NVD 2019 | 0.01% |
Percentage of NVD 2020 | 0.00% |
Vendor discloses which vulnerabilities have been addressed | Partially |
Vendor runs a bug bounty | Fully | See https://www.microsoft.com/en-us/msrc/bounty-microsoft-cloud?rtc=1

Encryption

Teams uses Transport Layer Security (TLS) and mutual TLS (MTLS) to encrypt instant message traffic. Point-to-point audio, video and application sharing streams are encrypted using the Secure Real-Time Transport Protocol (SRTP)[2]. Files are stored in SharePoint and secured by SharePoint encryption. Notes are managed via OneNote and protected by OneNote encryption, also hosted on SharePoint. Microsoft asserts that with Microsoft O365, data is encrypted in transit and at rest.

Network communications are encrypted. All Teams servers must use certificates and implement technologies like OAuth, TLS or SRTP with 256-bit encryption. Communications are encrypted between users and Teams servers, meaning they are not encrypted end-to-end[3].

Teams requires all servers to contain at least one Certificate Revocation List distribution point for purposes of verifying that a certificate has not been revoked since the time it was issued.
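The CRL distribution point requirement is something an administrator can verify on any server certificate they are handed, so here is an added example (our own illustration, not Microsoft’s or Teams’ code) that parses a PEM certificate with the Python `cryptography` package and lists the CRL distribution point URIs, reporting none if the extension is absent. Because no real Teams certificate is on this page, the block builds its own self-signed test certificates, with and without the extension, under a constructed name (`teams-test.example.invalid`) and a constructed CRL URL; `meets_crl_requirement` is the check you would run against an exported production certificate instead.

```python
"""List CRL distribution points in an X.509 certificate (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def crl_distribution_uris(cert_pem: bytes) -> list:
    """Return every URI listed in the certificate's CRL Distribution Points
    extension, or an empty list when the extension is missing."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    except x509.ExtensionNotFound:
        return []
    uris = []
    for point in ext.value:                  # ext.value is a CRLDistributionPoints sequence
        for name in point.full_name or []:   # a point may use a relative name instead
            if isinstance(name, x509.UniformResourceIdentifier):
                uris.append(name.value)
    return uris


def meets_crl_requirement(cert_pem: bytes) -> bool:
    """True when the certificate carries at least one CRL distribution point URI,
    which is the server-certificate property the section above describes."""
    return len(crl_distribution_uris(cert_pem)) > 0


def make_test_cert(crl_uri=None) -> bytes:
    """Build a short-lived self-signed certificate for demonstration only
    (constructed data, not a real Teams server certificate)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "teams-test.example.invalid")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
    )
    if crl_uri is not None:
        point = x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_uri)],
            relative_name=None,
            reasons=None,
            crl_issuer=None,
        )
        builder = builder.add_extension(x509.CRLDistributionPoints([point]), critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    with_crl = make_test_cert("http://crl.example.invalid/test.crl")   # constructed URL
    without_crl = make_test_cert()
    print(crl_distribution_uris(with_crl), meets_crl_requirement(without_crl))
```

Note that the presence of a distribution point only says where a CRL can be fetched; whether a client actually downloads it and rejects a revoked certificate is a separate behaviour to test, and a certificate whose only distribution point is unreachable from the client network is, in practice, no better than one without.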

Microsoft O365 offers an added layer of encryption at the application level called ‘service encryption’, which covers data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Teams files[4].

According to Microsoft Tech Community contributor ‘Alexwall’[5], “Microsoft retains an availability key, which means that Microsoft could access all customer data. The lack of encryption of Teams messages, as well as the existence of an availability key for all services, would be a concern for a customer that wants 100% security”[6].

The mobile client supports App Protection Policies from Microsoft InTune that would ensure that its content is encrypted on the mobile endpoint device[7].

Authentication

Authentication is based on Office 365 with Microsoft Azure in particular. Microsoft Teams desktop clients for Windows and Mac support ‘modern authentication’ which brings sign-in based on the Azure Active Directory Authentication Library (ADAL) to Microsoft Office client applications across platforms[8]. Microsoft Teams supports all the identity models that are available with Office 365 and has a comprehensive set of tools for provisioning and managing identities, all tied in with existing Active Directory or Azure implementations.

Multi-factor authentication is supported with any Microsoft 365 or Office 365 plan that includes Microsoft Teams, with phone calls, text messages, One Time Pins or mobile app notifications available as second factors. Users also benefit from the additional security controls provided by Microsoft across its O365 range of services.

Jurisdiction & Regulation

Teams is categorized by Microsoft as a ‘Tier D’ compliant application, which means it adheres to ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and the EU Model Clauses (EUMC). Teams is also German government BSI Cloud Security Alliance compliant.

For new customers only, data in Teams resides in the geographic region associated with the customer’s Office 365 organization. Currently, Teams supports the Australia, Canada, France, Germany, India, Japan, South Africa, South Korea, Switzerland (which includes Liechtenstein), the United Arab Emirates, United Kingdom, Americas, APAC, and EMEA regions[9]. We were not able to determine whether this also applies to voice, video and text communications.

However, Teams is a SaaS solution delivered by Microsoft, which falls under the jurisdiction of the United States government. Encryption keys are owned by Microsoft by default, so Microsoft is technically able to decrypt your data. This may be of concern to clients operating outside the U.S.A.

Security Features and Management

Microsoft Teams is supported separately as a cloud app in Azure Active Directory conditional access policies. Conditional access policies that are set for the Microsoft Teams cloud application apply to Microsoft Teams when a user signs in.
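A Conditional Access policy of the kind described here, targeting the Teams cloud app and requiring the MFA second factor mentioned under Authentication, as an added example written against the Microsoft Graph PowerShell SDK; it is not code from the post or from Microsoft's documentation, and the installed module, the granted permissions and the break-glass group ID are assumptions.

```powershell
# Added example (not from the original post): a Conditional Access policy that
# targets the Microsoft Teams cloud app and requires MFA, created through the
# Microsoft Graph PowerShell SDK. Assumptions: the Microsoft.Graph module is
# installed, the signed-in account holds Policy.ReadWrite.ConditionalAccess,
# and the placeholder group ID below is replaced with one from your own tenant.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Resolve the Teams first-party service principal by display name instead of
# hard-coding its application ID.
$teams = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Teams'"
if (-not $teams) { throw "Microsoft Teams service principal not found in this tenant" }

# Placeholder: object ID of a break-glass group excluded from the policy so an
# MFA outage cannot lock administrators out. Replace before running.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Teams - require MFA (report-only)"
    # Start in report-only mode and review the sign-in log impact before
    # enforcing, which limits the misconfiguration risk the post warns about.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{
            includeApplications = @($teams.AppId)
        }
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in logs show no unintended blocks, change `state` to `enabled` to enforce the policy.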

As a component of Microsoft 365, Teams benefits from a comprehensive and granular set of centralized security and compliance management tools well suited to the enterprise, especially if Microsoft AD or Azure are already in use.

Microsoft 365, with all its inter-connected applications, is highly sophisticated and complex, however. We feel that without the required skill and appropriate care, the average organization is more likely to suffer a breach due to an accidental leak or misconfiguration than as a result of the technical interception of data by an adversary or by Microsoft themselves.

Vulnerability & Exploit History

There is one vulnerability recorded for Microsoft Teams specifically in the NIST National Vulnerability Database in the period from the start of 2019 to the time of writing, but there have been a number recorded for associated products like Skype, Skype for Business and SharePoint.

Year   Reported   NVD Total   Percentage
2019   1          17,308      0.01%
2020   0          7,545       0.00%

On April 28, 2020, researchers at CyberArk published a proof-of-concept (PoC) attack in which an inside attacker gets a victim to view a malicious GIF, allowing the attacker to take over the victim’s Teams account. They reported two insecure subdomains to Microsoft, which resolved the issue in under a month. Using the bug, an attacker could gain access to an organization’s Teams accounts by making Teams API calls, which allow one to read and send messages, create groups and add and remove users.

Generally, although there is little data with which to assess this product’s security heritage, it would be fair to argue that Microsoft has robust processes and has developed a strong reputation in this regard.


1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet


Sources

[1] https://docs.microsoft.com/en-gb/MicrosoftTeams/get-clients
[2] https://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
[3] https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide
[4] https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-service-encryption?view=o365-worldwide
[5] https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/555109
[6] https://techcommunity.microsoft.com/t5/microsoft-teams/end-to-end-encryption-with-microsoft-teams/m-p/804842
[7] https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy
[8] https://docs.microsoft.com/en-us/MicrosoftTeams/identify-models-authentication
[9] https://docs.microsoft.com/en-us/microsoftteams/location-of-data-in-teams

Authors

Head of Security Research

Charl van der Walt

Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.

Senior Consultant Cybersecurity

Quentin Aguesse

Graduated from a French Business School, Quentin is now senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialized in risk assessment, disaster recovery planning, as well as cybersecurity awareness.

Consultant Cybersecurity

Jérôme Mauvais

As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognized throughout his career for his great ability to pass on knowledge.

Lead Security Researcher (MSIS Labs)

Carl Morris

Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on security-related solutions. This has been followed by a decade working in MSSPs, the latest of which being SecureData for over 7 years. He started there as an Escalation Engineer, moved into Professional Services, then to the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.

