Bach Seat

Updated 12/01/2020 – Zoom has agreed to settle allegations (PDF) made by the US Federal Trade Commission (FTC) that it “engaged in a series of deceptive and unfair practices that undermined the security of its users.” Among the charges were that Zoom misled users by:

• Touting that it offered “end-to-end, 256-bit encryption” to secure users’ communications, when in fact it provided a lower level of security.
• Saying that recorded meetings that were stored on the company’s cloud storage were encrypted immediately after the meeting ended, which was untrue in some cases
• Compromising the security of some users when it secretly installed a hidden web server on Macs.

The settlement does not require Zoom to admit fault or pay a fine – So they got away with it.

—

Updated 05/01/2020 – Zoom made a big splash when CEO Eric Yuan claimed the video conferencing firm had surpassed 300 million daily Zoom meeting users last week. That’s impressive growth in the face of security and privacy holes documented on the Bach Seat and around the Intertubes.

Well in a Zoom tradition they “back-tracked” that announcement, just like they back-tracked their definition of “end-to-end encryption.” Zoom artificially inflated the number of users by counting meeting participants as “users” and “people.” 

Daily meeting participants can be counted multiple times – if you have four Zoom meetings in a day then you’re counted four times. SVCOnline explains that by calling meeting participants “daily users” makes Zoom usage seem larger than it is. The term most companies use to measure service usage is a daily active user (DAU). A DAU is counted once per day. 

—

Updated 04/08/2020 -Zoom now faces four lawsuits over its security and privacy practices. Today,  Google has banned employees from using Zoom, joining NASA, SpaceX, NYC schools, Clark County (Las Vegas) schools. the governments of Germany and Taiwan as well as Apple.

—

Updated 04/07/2020 – Reports of a new blow to Zoom’s security cred’s researchers have discovered up to 15,000 private Zoom recordings exposed online. Many of them were apparently stored in Amazon Web Services (AWS) S3 buckets without passwords.

—

Zoom has taken off. Thanks to the global COVID-19 lock-down Zoom’s (ZM) stock has surged over 250% on the NASDAQ since October 2019. Zoom’s video conferencing platform daily usage has exploded from 10 million in December 2019 to more than 200 million in March 2020.

After its stock price run-up and exploitation of the COVID-19 pandemic Zoom has come under intense scrutiny. The FBI issued a warning about using Zoom. The New York Attorney General’s office sent a letter to Zoom about its practices. Security professionals have found a disturbing list of flaws on Zoom. Here is a brief list of the risks you take when using Zoom.

Zoom Risks

Phishing – Security firm Check Point Software says criminals are waging phishing campaigns with Zoom-related themes as a lure. The phishing emails that Check Point has observed spoof Zoom login pages and attempt to get victims to input their credentials. The Zoom credentials are then harvested by the attackers. Also, Check Point has also uncovered malicious files with names that include “zoom” in the title. 

Phony end-to-end encryption – Zoom uses misleading advertising to claim that its meetings use “end-to-end encryption,” according to The Intercept. Zoom uses the term end-to-end encryption” incorrectly. Zoom admitted their definitions of “end-to-end” and of “endpoint” are different from everyone else’s. A spokesperson told The Intercept, “When we use the phrase ‘End to End … it is in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.“

Unlike Apple, Zoom’s data is only encrypted when it travels back and forth from an end-user to a Zoom server. Your data is decrypted at the Zoom server. Zoom (or TLA) can see and hear whatever is going on in its meetings. Zoom Chief Product Officer Oded Gal wrote:

We recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.

The Intercept concludes that Zoom doesn’t decrypt user transmissions — but it could.

Zoom bombing – Zoom bombing occurs when a third party interrupts or takes over a video conference. Anyone can “bomb” a public Zoom meeting. All they need is the meeting number. Attackers can use the file-share to post shocking images or make annoying sounds in the audio. The host of the Zoom meeting can kick out troublemakers, but they can come right back with new user IDs The FBI issued a warning about zoom bombing.

To prevent Zoom bombing do not share Zoom meeting numbers with anyone but the intended participants. Also require participants to use a password to log into the meeting.

Windows password stealing – Bleeping Computer reports that malicious users can use the Zoom side chats to post a Universal Naming Convention (UNC) link that points to a remote server. From there the victim’s Windows computer will try to reach out to the hacker’s remote server specified in the path. From there the PC will automatically try to log in with the user’s Windows username and password. The attacker could capture the password “hash” and decrypt it, giving them access to the Zoom user’s Windows account.

Windows malware injection – The same flaw allows a hacker to insert a UNC path to a remote executable malicious file into a Zoom meeting. If a Zoom user running Windows clicks on it, the computer will try to load and run the malicious software. The victim will be prompted to authorize the software to run, which will stop some hacking attempts but not all.

Apple iOS profile sharing – Zoom sends iOS user profiles to Facebook. This is done with the “log in with Facebook” feature in the iPhone and iPad Zoom apps. After Motherboard exposed the practice, Zoom said it hadn’t been aware of the profile-sharing. Zoom’s initial response was to blame the social network’s software development kit used in the Zoom software. CNet concludes that Zoom shares enough personal data that it qualifies as selling your data. 

Malware-like behavior on Macs – Zoom was caught using hacker-like methods to bypass normal macOS security. It was thought this flaw had been fixed. But security researcher Felix Seele noticed that Zoom installed itself on his Mac without the usual user authorization.

The application is installed without the user giving his final consent and a highly misleading prompt is used to gain root privileges. The same tricks that are being used by macOS malware.

A backdoor for Mac malware – Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf said in a blog post that Zoom used a discontinued installation process. The deprecated process could allow malware to add malicious code to “escalate privileges.” This would allow an attacker to gain total control over the machine without knowing the administrator’s password. 

Zoom privacy issues

CSO Online reports that he demonstrated the backdoor. He installed a malicious script into the Zoom Mac client. This could give any piece of malware access to the Mac’s webcam and microphone. It would turn any Mac with Zoom into a spying device.

Leaks of email addresses and profile photos – Zoom automatically puts everyone sharing the same email domain into a “company” folder where they can see each other’s information. If you are not a user of large webmail clients like Gmail, Yahoo, Hotmail, or Outlook.com, you could end up in a “company” with dozens of strangers.

Sharing of personal data with advertisers – Privacy experts for Consumer Reports reviewed Zoom’s privacy policy and found that it gave Zoom the right to use Zoom users’ personal data and to share it with third-party marketers. In a blog, Aparna Bawa, Zoom’s chief legal officer, claimed “we do not sell your personal data.” The lawyer definitely concluded, “We are not changing any of our practices.” But we don’t know the details of Zoom’s business dealings with third-party advertisers.

Cloud snitching – For paid subscribers, Zoom’s cloud recording feature can be a problem waiting to happen.  Mashable points out that any time Zoom is used, your person-to-person chat messages are saved and could be sent to your boss by any authorized user. CNet notes that Zoom administrators can limit the recording’s accessibility by IP addresses – but this is not enabled by default.

Tattle-tale attention-tracking feature – Zoom’s attention-tracking feature allows the meeting host to monitor if you are paying attention to their PowerPoint deck. The Zoom desktop client or mobile app alerts the host if any attendees go more than 30 seconds without Zoom being in focus on their screen.

rb-

I agree with those who are calling Zoom’s development processes lazy  As you can see  – Zoom’s software development process creates a huge attack surface.

Tom’s Guide is tracking the status of Zoom’s problems.  So is  Zoom safe to use?  – That is your call. – You need to make an informed decision and patch your Zoom software.

You should be suspicious of “free” products. As in the case of Google and Facebook, you are the product for Zoom. They are monetizing you. Follow the money.

Eric Yuan, the founder, and CEO of Zoom is profiting by using your info. His personal wealth has increased 112% to $7.57 billion in the past three months, as the use of Zoom skyrockets amid the pandemic. While the other 99%f the world braces for a global recession.

How does he get all of that money on free software?

 

Stay safe out there!

Related article

• YouTube profits from videos promoting unproven Covid-19 treatments (The Guardian)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.