Zoom macOS install 'shady,' plus video chats aren't end-to-end encrypted
Video conferencing service Zoom reportedly installs itself on Macs by working around Apple's regular security, and also promotes that it has end-to-end encryption, but demonstrably does not.

Zoom's popularity as a video conferencing tool has soared during the coronavirus outbreak
Increased usage of video conferencing app and service Zoom during the coronavirus outbreak is leading to more security issues being uncovered. As well as previously sending user data to Facebook, which it says it has fixed, it has now been accused of two separate security issues.
In one, its installer reportedly works around Apple's security controls to get itself installed; in the other, it claims end-to-end encryption that it does not provide.
Twitter user @c1truz_, technical lead for malware tracker VMRay, reports that Zoom's Mac app installer uses preinstallation scripts and allegedly displays a faked macOS system message.
Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M
-- Felix (@c1truz_)
"This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste," continues @c1truz_, "The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges."
"[These are the] same tricks that are being used by macOS malware," he concludes.
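The behaviour described in the tweet happens in the package's preinstall script, before the Install button is ever clicked, so the defensive check is to expand a .pkg and read its scripts first. The following is an added example, not Zoom's or AppleInsider's code: it scans an expanded package tree for pre/postinstall scripts that unpack archives, test for the admin group or write into /Applications. The package layout and script it scans are a constructed fixture; on a Mac you would point it at the directory produced by `pkgutil --expand-full Installer.pkg /tmp/expanded` instead.

```python
"""Audit an expanded macOS installer package for pre-install scripts that
perform the install themselves rather than just checking prerequisites.
Added example (not Zoom's or AppleInsider's code); the package tree built
by build_fixture() is a constructed sample used only to exercise the scan."""
import os
import re
import tempfile

# Heuristics: a preinstall script that merely checks prerequisites should not
# need any of these; one that matches several is doing the install itself.
RISKY = {
    "unpacks an archive": re.compile(r"\b(7z\w*|unzip|tar|ditto)\b"),
    "writes into /Applications": re.compile(r"/Applications"),
    "branches on admin group": re.compile(r"\badmin\b"),
    "copies files": re.compile(r"\b(cp|mv|ditto|rsync)\b"),
}

def audit_expanded_pkg(root):
    """Return {script_path: [finding, ...]} for every pre/postinstall script
    found under a Scripts directory below root (empty dict if none)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath) != "Scripts":
            continue
        for name in files:
            if name not in ("preinstall", "postinstall"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                body = f.read()
            findings[path] = [label for label, rx in RISKY.items() if rx.search(body)]
    return findings

def build_fixture():
    """Constructed expanded-package tree whose preinstall script mirrors the
    behaviour the tweet describes (illustrative sample, not Zoom's script)."""
    root = tempfile.mkdtemp(prefix="pkg-audit-")
    scripts = os.path.join(root, "example.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "preinstall"), "w") as f:
        f.write("#!/bin/sh\n"
                "if groups \"$USER\" | grep -q admin; then\n"
                "  ./7zr x payload.7z -o/tmp/unpacked\n"
                "  cp -R /tmp/unpacked/Example.app /Applications/\n"
                "fi\n")
    return root
```

A package whose preinstall script trips several of these heuristics is worth reading in full before you let Installer run it.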
AppleInsider has reached out to Zoom regarding the allegation but has yet to receive comment. Apple has not publicly commented either, but this accusation follows previous issues where Apple forced a macOS update on users in order to remedy a Zoom security problem.
Previously, another security workaround within the Zoom app meant that it was possible for websites to turn on users' cameras without permission. Initially, Zoom defended this as a deliberate way to make video conferencing easier for users. It then backed down, and said it would remove the feature.
Before it did so, however, Apple intervened and used a forced silent update to macOS, the method by which it typically addresses malware.
Separately, The Intercept alleges that Zoom is claiming to have end-to-end encryption for its video conference calls, but does not.
Rather than true end-to-end encryption, where the entire video chat can only be seen by the caller and his or her recipients, Zoom is reportedly doing what's called transport encryption. This encrypts the connection between each user and Zoom's servers, but does not prevent Zoom itself from seeing the calls.
"In fact, Zoom is using its own definition of the term," The Intercept says, "one that lets Zoom itself access unencrypted video and audio from meetings."
A Zoom spokesperson confirmed this to The Intercept, responding that "currently, it is not possible to enable E2E encryption for Zoom video meetings."
"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point," the Zoom spokesperson continued.
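The difference the article and The Intercept draw can be made concrete by modelling both designs. Below is an added example, not Zoom's protocol: a relay server that holds each participant's transport key and records everything it can read once that layer is stripped. With transport encryption alone the server sees the frame; with an extra key shared only by the two participants it sees ciphertext. The cipher is a toy SHA-256 keystream used only to make the key boundaries visible.

```python
"""Transport-only versus end-to-end encryption through a relay server.
Added example, not Zoom's protocol. The cipher is a toy SHA-256 keystream
chosen to keep the example self-contained; it is not a real cipher."""
import hashlib
import os

def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class MediaServer:
    """The service's relay: holds each client's transport key (the TLS-like hop)
    and records whatever it can read once that transport layer is removed."""
    def __init__(self, k_alice, k_bob):
        self.k_alice, self.k_bob = k_alice, k_bob
        self.observed = []

    def relay(self, from_alice):
        inner = decrypt(self.k_alice, from_alice)   # strip Alice's transport layer
        self.observed.append(inner)                 # everything the server can see
        return encrypt(self.k_bob, inner)           # re-wrap for Bob's hop

def transport_only_call(frame):
    """Alice -> server -> Bob with hop-by-hop keys only: server sees plaintext."""
    k_a, k_b = os.urandom(32), os.urandom(32)
    server = MediaServer(k_a, k_b)
    received = decrypt(k_b, server.relay(encrypt(k_a, frame)))
    return received, server.observed[0]

def e2e_call(frame):
    """Same relay, but Alice and Bob also share a key the server never holds."""
    k_a, k_b, k_e2e = (os.urandom(32) for _ in range(3))
    server = MediaServer(k_a, k_b)
    wire = encrypt(k_a, encrypt(k_e2e, frame))      # inner E2E layer, outer transport
    received = decrypt(k_e2e, decrypt(k_b, server.relay(wire)))
    return received, server.observed[0]
```

Both calls deliver the frame to Bob intact; only the second leaves the server with nothing but an opaque blob, which is the property "end-to-end" normally promises.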
Comments
Out of interest, Zoom claim they are FERPA/HIPAA compliant, but does this mean they have separate more secure versions for Education and the medical profession?
As Gruber points out, they don't need to do this. They have a good product with a market winning combination of quality and ease of use. They could simply charge more and reduce the 'free' tier.
Although the version numbers are different, if you download the installer from https://www.zoomgov.com/download it looks the same as the 'standard' one from https://zoom.us/download#client_4meeting. If there are any differences, they must be in the code somewhere.
I don't think Zoom understands the kind of weight that is about to come down on it with regard to this false claim of E2E encryption.
Using "end-to-end encryption" to refer to a process that decrypts all the data as it passes through their servers is the definition of deceptive business practices, no?
I missed that. Can you please post a link to that statement.
Zoom has a HIPAA compliant healthcare version that anyone in the medical community should be using, obviously. So, if you are, you are ok. If you are using the free consumer version for professional work, that is shameful and dangerous.
Zoom for the Mac, which had the security bug and now the malicious installer, is not distributed via the Mac App Store.
Zoom for iOS is better behaved, but still lacks in E2E.
Can anyone who has one of these test them to see if and how they are more secure? I'm in the UK but my understanding is that FERPA/HIPAA compliance is pretty strict. Claiming compliance and then distributing a non-compliant product would have legal all over it.
Can't really say that I trust them but it's suddenly become the go-to product for video conferencing for schools and colleges over here, probably because it's cross platform. Even Boris Johnson and the UK Cabinet are using it......
https://twitter.com/StefSimanowitz/status/1244994273457602561
----
HIPAA Certification
Currently, the agencies that certify health technology – the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology – do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the Security Rule), nor accredit independent agencies to do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Zoom is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies.
----
For anyone who's ever had to do actual certification testing, this statement is a joke. Zoom self-certified their own supposed HIPAA certification. Read their document and I'd love to see if someone can actually validate anything Zoom has actually done. From what I've read, their consumer version definitely is not HIPAA compliant and I have to wonder if their compliant version is actually compliant either. The fact their software is not certified as an EHR program makes me wonder why medical institutions are even allowed to use it for private doctor to patient correspondence (my daughter's doctor uses it and now she's worried about talking to them over Zoom instead of in person, which isn't being done because of the virus).
https://zoom.us/docs/doc/Zoom-hipaa.pdf
The above is reassuring, but if you look closely, it all depends on how one defines "end-to-end" ... It just seems to me that if you could get true end-to-end by paying for an account and turning that setting on, they could simply say so. But they're not saying that.
”Zoom is reportedly doing what's called transport encryption. This makes the connection between the users and Zoom's servers encrypted, but doesn't prevent Zoom itself seeing the calls.”
So if you have something private to say or show, don’t use Zoom! For the rest of us, no biggie. And for many meetings, for example helping people meet for church functions now that churches have closed their doors, it’s just fine.