The Zoom Privacy Backlash Is Only Getting Started


A class action lawsuit. Rampant zoombombing. And as of today, two new zero-day vulnerabilities.
Even before the pandemic, Zoom had a reputation for prioritizing ease of use over security and privacy. (Photographer: Kena Betancur/Getty Images)

The popular video conferencing application Zoom has been having A Moment during the Covid-19 pandemic. But it's not all positive. As many people's professional and social lives move completely online, Zoom use has exploded. But with this boom has come added scrutiny from security and privacy researchers—and they keep finding more problems, including two fresh zero-day vulnerabilities revealed Wednesday morning.


The debate has underscored the inherent tension of balancing mainstream needs with robust security. Go too far in either direction, and valid criticism awaits.


"Zoom has never been known as the most hardcore secure and private service, and there have certainly been some critical vulnerabilities, but in many cases there aren't a lot of other options," says security researcher Kenn White. "It's absolutely fair to put public pressure on Zoom to make things safer for regular users. But I wouldn't tell people 'don't use Zoom.' It's like everyone is driving a 1989 Geo and security folks are worrying about the air flow in a Ferrari."


Zoom isn't the only video conferencing option, but displaced businesses, schools, and organizations have coalesced around it amid widespread shelter in place orders. It's free to use, has an intuitive interface, and can accommodate group video chats for up to 100 people. There's a lot to like. By contrast, Skype's group video chat feature only supports 50 participants for free, and live streaming options like Facebook Live don't have the immediacy and interactivity of putting everyone in a digital room together. Google offers multiple video chat options—maybe too many, if you're looking for one simple solution.


At the same time, recent findings about Zoom's security and privacy failings have been legitimately concerning. Zoom's iOS app was quietly—and the company says accidentally—sending data to Facebook without notifying users, even if they had no Facebook account. The service pushed a fix late last week. Zoom also updated its privacy policy over the weekend after a report revealed that the old terms would have allowed the company to collect user information, including meeting content, and analyze it for targeted advertising or other marketing. And users have been creeped out by Zoom's attention-tracking feature, which lets the meeting host know if an attendee hasn't had the Zoom window in their screen's foreground for 30 seconds.


During the pandemic, a type of online abuse known as Zoombombing, in which trolls abuse Zoom's default screen-sharing settings to take over meetings—often with racist messages or pornography—has also spiked. Zoom offers tools to protect against that sort of assault, specifically the option to password-protect your meeting, add a waiting room for pre-vetting attendees, and limit screen-sharing. Some paid and free specialty versions of the service, like Zoom for Education, also have different screen-sharing defaults. But in general the service doesn't highlight these options in a way that would make them intuitive to enable.


"It's as though, in suddenly shifting from the office to work from home, we didn't so much move the conference room into our kitchens as into the middle of the public square," says Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford's Center for Internet and Society. "Enterprise platforms are now seeing the same abuse problems that we've long been used to seeing on Twitter, YouTube, Reddit, etc. Those platforms were inherently designed to let strangers contact other strangers—and yet they had to tack on anti-abuse features after-the-fact, too."


Perhaps most jarring of all, the service has a security feature that it falsely described as being "end-to-end encrypted." Turning on the setting does strengthen the encryption on your video calls, but does not afford them the protection of being completely encrypted at all times in transit. Achieving full end-to-end encryption in group video calling is difficult; Apple memorably spent years finding a way to implement it for FaceTime. And for a service that can support so many streams on each call, it was always unlikely that Zoom had actually achieved this protection, despite its marketing claims.


Zoom did not return a request for comment from WIRED about how it is handling this deluge of security and privacy findings in its product.


All of this compounds with the fact that even before the pandemic, Zoom had a reputation for prioritizing ease of use over security and privacy. Notably, a researcher revealed flaws last summer about how Zoom seamlessly joined users into call links and shared their camera feeds without an initial check to let users confirm they wanted to launch the app. That means attackers could have crafted Zoom links that instantly gave them access to a user's video feed—and everything going on around them—with one click. The research also built on previous Zoom vulnerability findings.


Zoom's gaffes have also started to invite even more potentially consequential scrutiny. The company is facing a class action lawsuit over the data its iOS app sent to Facebook. And the office of New York attorney general Letitia James sent a letter to the company on Monday about its mounting punch list. "While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices," the attorney general's office wrote.


Given this track record and all the commotion about Zoom security in the last few weeks, macOS security researcher Patrick Wardle says he recently got interested in poking at the Mac desktop Zoom app. Today he is disclosing two new security flaws he found during that brief analysis.


"Zoom, while great from a usability point of view, clearly hasn’t been designed with security in mind," Wardle says. "I saw some researchers tweeting about strange Zoom behavior and literally within 10 seconds of looking at it myself I was just like aw, man. Granted I research this stuff, so I know what to look for. But Zoom has just had so many missteps, and that’s very indicative of a product that has not been adequately audited from a security point of view."


Wardle's findings pose limited risk to users in practice, because they would first require the presence of malware on a target device. One attack focuses on a Zoom installation flow that still relies on a now-retired application programming interface from Apple. The company deprecated the API because of security concerns, but Wardle says that he sometimes still sees products using it as a lazy workaround. An attacker who has infected a victim device with malware, but hasn't yet achieved full access, could exploit Zoom's insecure install settings to gain root privileges.


The other vulnerability Wardle found is more significant, though still only a local access bug. macOS offers a feature called "hardened runtime" that lets the operating system act as a sort of bouncer while programs are running and prevent code injections or other manipulations that are typically malicious. Developers can choose to add exemptions for third-party plugins if they want to have that additional functionality from an external source, but Wardle notes that such exceptions are typically a last resort, because they undermine the whole premise of "hardened runtime." Yet Zoom's macOS application has such an exemption for third-party libraries, meaning malware running on a victim's system could inject code into Zoom that's trusted and essentially link the two applications—allowing the malware to piggyback on Zoom's legitimate microphone and video access and start listening in on a victim or watching through their webcam whenever the malware wants.


Though it doesn't look like researchers will stop finding flaws in Zoom any time soon, the most important takeaway for regular users is simply to think carefully about their security and privacy needs for each call they make. Zoom's security is likely sufficient for most people's general communications, but there are more protected group video chat options—like those offered by WhatsApp, FaceTime, and particularly Signal—that could be a better fit for sensitive gatherings.


"The reality is that companies are going to have mistakes in their software," says Jonathan Leitschuh, a security researcher who found the webcam hijacking flaws in Zoom last summer. "The more criticism of a platform, the more secure it’s hopefully going to be. So hopefully Zoom is taking the information that they’re gaining and actually acting on it. But if you need to be secure and secret I would not recommend you have those conversations over Zoom. Use a platform that’s built for the level of security you need."



Source: The Zoom Privacy Backlash Is Only Getting Started (Wired)

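The hardened-runtime exemption the Wired piece describes is expressed as a code-signing entitlement on the app bundle. The following is an added example, not code from either article or from Zoom: it parses an entitlements plist and flags Apple's documented hardened-runtime exception keys that weaken library validation, then checks for the combination the article warns about (camera/microphone access plus acceptance of code the app did not sign). The sample plist is constructed; on a Mac the real plist text is what `codesign -d --entitlements :- /path/to/App.app` prints, and the severity notes are my own.

```python
import plistlib

# Apple's hardened-runtime exception entitlements (key names are Apple's; notes are mine).
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "loads third-party libraries/plugins not signed by the app's Team ID (the exemption discussed above)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, so a library can be injected at launch",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits unsigned executable memory",
    "com.apple.security.cs.allow-jit":
        "permits JIT memory (lower risk, listed for completeness)",
    "com.apple.security.get-task-allow":
        "lets other processes attach to / debug the app",
}

# Constructed sample: entitlements for a hypothetical video app that requests
# camera and microphone access and disables library validation.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.device.audio-input</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-jit</key><false/>
</dict>
</plist>
"""

def audit_entitlements(plist_bytes):
    """Return [(key, explanation)] for every risky entitlement that is set to true.
    A key that is present but false is not an exemption and is ignored."""
    ents = plistlib.loads(plist_bytes)
    return [(key, why) for key, why in RISKY_ENTITLEMENTS.items() if ents.get(key) is True]

def exposes_av_to_injection(plist_bytes):
    """True when the app holds camera or microphone entitlements AND accepts code it
    did not sign, so injected code would inherit that access."""
    ents = plistlib.loads(plist_bytes)
    has_av = bool(ents.get("com.apple.security.device.camera")
                  or ents.get("com.apple.security.device.audio-input"))
    weak_keys = {"com.apple.security.cs.disable-library-validation",
                 "com.apple.security.cs.allow-dyld-environment-variables"}
    weak = any(key in weak_keys for key, _ in audit_entitlements(plist_bytes))
    return has_av and weak

if __name__ == "__main__":
    for key, why in audit_entitlements(SAMPLE_ENTITLEMENTS):
        print(f"[!] {key}: {why}")
    print("camera/mic reachable by injected code:", exposes_av_to_injection(SAMPLE_ENTITLEMENTS))
```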

Zoom faces a privacy and security backlash as it surges in popularity

The pressure mounts as Zoom risks becoming a victim of its own success


Zoom has exploded in popularity as people turn to video calling software amid the ongoing coronavirus pandemic. The moment of huge growth has seen Zoom rocket to the top of iOS and Android app stores as people gather around it for yoga classes, school lessons, and virtual nights out. Even the UK government has been holding daily cabinet meetings over Zoom.


With all this extra attention, Zoom is now facing a huge privacy and security backlash as security experts, privacy advocates, lawmakers, and even the FBI warn that Zoom’s default settings aren’t secure enough. Zoom now risks becoming a victim of its own success.


Zoom has battled security and privacy concerns before. Apple was forced to step in and silently remove Zoom software from Macs last year after a serious security vulnerability let websites hijack Mac cameras. In recent weeks, scrutiny over Zoom’s security practices has intensified, with a lot of the concern focused on its default settings and the mechanisms that make the app so easy to use.


Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants to gain access to a meeting. Researchers have found that these meeting IDs are easy to guess and even brute-forceable, allowing anyone to get into meetings.



Part of this ease of use has led to the “Zoombombing” phenomenon, where pranksters join Zoom calls and broadcast porn or shock videos. At fault here are Zoom’s default settings, which don’t encourage a password to be set for meetings, and allow any participants to share their screen. Zoom adjusted these default settings for education accounts last week, “in an effort to increase security and privacy for meetings.” For everyone else, you’ll need to tweak your Zoom settings to ensure this never happens.


Zoombombing was the first of many recent Zoom security and privacy concerns, though. Zoom was forced to update its iOS app last week to remove code that sent device data to Facebook. Zoom then had to rewrite parts of its privacy policy after it was discovered that users were susceptible to their personal information being used to target ads. User information is also reportedly being leaked because of an issue with how Zoom groups contacts.


Perhaps the most damning issue came to light yesterday. While Zoom still states on its website that you can “secure a meeting with end-to-end encryption,” the company was forced to admit it’s actually misleading people. “It is not possible to enable E2E encryption for Zoom video meetings,” said a Zoom spokesperson in a statement to The Intercept, after the publication revealed Zoom is actually using transport encryption rather than end-to-end encryption.

Privacy advocates have also raised issues over an attendee tracking feature that lets meeting hosts track whether participants have their Zoom app in view on a PC or whether it’s simply in the background. A digital rights advocacy group also called on Zoom to release a transparency report last month, to share the number of requests from law enforcement and governments for user data. Zoom has only said the company is considering the request, and has not yet published a transparency report.


Security researchers and privacy advocates aren’t the only groups raising concerns over Zoom. The FBI is warning schools about the dangers of Zoom’s default settings for Zoombombings, and reports suggest the UK’s Ministry of Defence has banned Zoom while it investigates “security implications.” The office of New York’s attorney general also sent a letter to Zoom this week requesting to hear “whether Zoom has undertaken a broader review of its security practices” in light of recent concerns.


Zoom hasn’t responded in detail to the more recent concerns, but last week Zoom CEO Eric S. Yuan said the company was reviewing its practices in relation to the Facebook privacy issues. “We sincerely apologize for the concern this has caused, and remain firmly committed to the protection of our users’ privacy,” said Yuan. “We are reviewing our process and protocols for implementing these features in the future to ensure this does not happen again.”

Zoom video calls. (Getty Images/iStockphoto)

Zoom is now facing lawsuits that allege the company is illegally disclosing personal information to third parties. Two lawsuits were filed earlier this week in California, and one is seeking damages on behalf of Zoom users for alleged violations of California’s Consumer Privacy Act.


As security researchers and privacy advocates continue to dig into Zoom’s software and practices, there are signs more issues will need to be addressed. Some are now discovering just how Zoom works around OS restrictions by using “the same tricks that are being used by macOS malware” to get its software on Macs. “To join a meeting from a Mac is not easy, that is why this method is used by Zoom and others,” says Zoom CEO Eric S. Yuan in a Twitter response to the concerns. “Your point is well taken and we will continue to improve.”


Ultimately, Zoom is feeling the effects of a rare moment for the app. The video conferencing app was never designed for the myriad of ways consumers are now using it. Zoom doesn’t require an account, it’s free for 40-minute meetings, and it’s reliable. The barriers to entry are so low, and the coronavirus pandemic so unusual, that Zoom is suddenly in the spotlight as a crucial tool for many.


Zoom may well be forced to tighten up the very parts of its app that make it so appealing for consumers and businesses alike in the coming months. The company now faces some tough decisions on how to better balance its default settings, user privacy, and ultimately its ease of use. Zoom’s appeal has been its simple approach to video conferencing, but that crucial ingredient now threatens to be its downfall unless it gets a firm grip on the growing concerns.



Source: Zoom faces a privacy and security backlash as it surges in popularity (The Verge)
