NYC schools pull the plug on Zoom following FBI warning
Despite efforts to ramp up its security measures, video conferencing provider Zoom is finding itself banned by education departments and major corporations like SpaceX.

New York City's Department of Education has banned teachers from using the popular video conferencing tool Zoom to teach students remotely during the COVID-19 outbreak. Teachers had initially gravitated to the platform because its minimal setup and simple design gave both teachers and students fewer problems than other conferencing platforms.
With the rise in "zoombombing" incidents, however, educators have begun to worry about the safety of teachers and students alike.
"Zoombombing" occurs when an uninvited party joins a Zoom meeting, typically by guessing or obtaining a meeting ID that was posted publicly or left unprotected by a password or waiting room. Often the intruder stays silent and merely observes the call. Other times they use it as a platform to harass participants, putting shocking images on screen through screen sharing and using hate speech. According to Business Insider, incidents have been reported in online classes, corporate meetings, and even a virtual Alcoholics Anonymous meeting.
The FBI issued multiple public warnings about zoombombing, ultimately publishing guidance on its website on how to protect against and report teleconference hijacking.
#FBI warns of Teleconferencing and Online Classroom Hijacking during #COVID19 pandemic. Find out how to report and protect against teleconference hijacking threats here: https://t.co/jmMxyZZqMv pic.twitter.com/Y3h9bVZG30
-- FBI Boston (@FBIBoston)
Schools aren't the only ones banning Zoom. On March 28, Elon Musk's SpaceX banned the program, instructing employees to use email, text, or phone calls instead. Australia's Department of Defence has also banned use of the software.
Zoom announced on April 1 that it was entering a 90-day feature freeze and shifting its engineering resources to privacy and security issues. It plans to bolster its security through a variety of means, including white-box penetration tests and an expanded bug bounty program.
Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." The company also plans to prepare a transparency report detailing the requests it receives for data, records, and content, and will host a weekly webinar to give users security updates.
The latest flurry of complaints began when it was discovered that Zoom's iOS app was sending user data to Facebook without users' permission, including data about users who had no Facebook account. Through the Facebook SDK embedded in the app, Zoom notified Facebook when the app was opened, what device model was in use, which carrier, and what city and time zone the user was connecting from. The data also included a unique advertising identifier tied to the device, which companies use to target advertisements.
Zoom told news outlets that the information was anonymized but said it understood why users were upset. The company removed the Facebook SDK, and with it the app's ability to send data to Facebook, in an update released on March 27.
Shortly after, security researchers found that Zoom's Mac installer was using a preinstall script to install the application before the user ever clicked Install, sidestepping the normal macOS installation flow in the way malware often does. Around the same time it emerged that the company had marketed the service as end-to-end encrypted when it was in fact using transport encryption (TLS) between clients and Zoom's servers, which leaves Zoom itself able to decrypt meeting content.
On April 1, it was reported that a flaw in Zoom's Mac client allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. Because the app was signed with an entitlement that disables library validation, an attacker can load malicious code into Zoom's process space and "inherit" the camera and microphone access the user has already granted to Zoom, turning both on without any further prompt and without the user's knowledge.
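The camera and microphone hijack above works because macOS grants camera and microphone access (TCC) to the process, not to the code running inside it, so any library that can get itself loaded into an app that has disabled library validation inherits that access. A practical check is to read an app's entitlements and flag the ones that weaken code-injection protections alongside the device permissions it requests. The following is an added example written for this page, not code from Zoom or from the researchers who reported the flaw. It assumes the entitlements come from `codesign -d --entitlements :- /path/to/App.app` (the flag spelling may differ on newer macOS), and the entitlements plist it runs on is a constructed sample, not Zoom's real entitlements.

```python
"""Flag hardened-runtime entitlements that let foreign code ride on an app's
TCC permissions (camera, microphone).  Added example; the sample plist below is
constructed and is not any real application's entitlements blob."""
import plistlib
import subprocess
from typing import Dict, List

# Entitlements that weaken code-injection protections on a hardened app.
RISKY_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation":
        "unsigned or differently-signed dylibs may be loaded into the process",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_INSERT_LIBRARIES and related variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "process may map writable and executable memory",
    "com.apple.security.get-task-allow":
        "other processes may attach to and control the task",
}

# TCC-guarded devices that injected code would inherit along with the process.
TCC_DEVICE_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def parse_entitlements(xml_plist: bytes) -> Dict[str, object]:
    """Parse the XML plist text as printed by `codesign -d --entitlements :- App.app`."""
    return plistlib.loads(xml_plist)


def assess(entitlements: Dict[str, object]) -> List[str]:
    """Return findings: each risky entitlement set to true, followed by the
    devices injected code would inherit.  An empty list means no injection
    weakness was found (device access alone is not a finding)."""
    findings: List[str] = []
    weakened = [k for k in RISKY_ENTITLEMENTS if entitlements.get(k) is True]
    for key in weakened:
        findings.append(f"{key}: {RISKY_ENTITLEMENTS[key]}")
    if weakened:
        devices = [name for k, name in TCC_DEVICE_ENTITLEMENTS.items()
                   if entitlements.get(k) is True]
        if devices:
            findings.append("injected code inherits: " + ", ".join(devices))
    return findings


def audit_app(app_path: str) -> List[str]:
    """Run codesign against a real bundle (macOS only; assumed flag spelling)
    and assess its entitlements."""
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                         capture_output=True, check=True).stdout
    return assess(parse_entitlements(out))


# Constructed sample: the shape of an entitlements plist for a hardened-runtime
# app that requests camera and microphone access but disables library validation.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in assess(parse_entitlements(SAMPLE_ENTITLEMENTS)):
        print(finding)
```

On the sample, the script reports the disabled library validation and notes that injected code would inherit camera and microphone access; an app that requests the same devices but keeps library validation enabled produces no findings, which is the configuration you want to see from a conferencing client.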
Comments
https://daringfireball.net/linked/2020/04/04/schneier-zoom
https://daringfireball.net/linked/2020/04/03/zoom-china
https://daringfireball.net/linked/2020/04/03/zoom-recorded-videos
In this case, it sounds like the company is going to take active measures to clean up their security act, even though it is retroactive and they've been grossly negligent up to this point. Truth be told, they are in the presence of many other companies and ISVs who have committed similar and worse offenses, and many others who haven't yet been outed because their solutions haven't been stressed or scrutinized. This is not an excuse, but it is a warning to others. If you're a software company you'd better heed this lesson because you may be the next one brought under the hammer of shame.
What I find equally disturbing here are the numerous high profile companies and agencies, like Tesla and the Australian Ministry of Defense, who didn't independently verify that a tool they were relying on for their day to day business operations was actually trustworthy. How many times can we read about yet another software product or service failing miserably before we come to the realization that self-certification or assertions of software quality by the software's maker is simply not to be trusted? There are plenty of examples of software quality standards in regulated industries (FDA, TUV, and others), safety systems, etc., that could be applied to mission critical and line of business commercial software. Yes, it drives the software costs up. But what's the alternative - buying cheap alternatives that provide low/no guarantees and then complaining that they didn't live up to the meaningless promises from the vendor? I guess you can always fire the CEO to make yourself feel better, but if the damage has already been done that's hollow consolation.
Yes, Zoom has screwed up. But I also think a lot of what's been reported is blown out of proportion.
This is my point. Apple has the greatest opportunity to expand Facetime now.
There is definitely a downside to hackers, even in the nicest sense.
It might be that they were intending on making their money selling their customers out, and now due to their newfound success, they think they have other options?
Yeah, but the more that is coming out, the more difficult it is to believe some of it wasn't purposeful. If that is the case, it hasn't been blown out enough.
Well, it isn't free, but a paid service with a (unusually generous) free tier. Skype is free as well. A lot of this kind of software is.
That doesn't mean complaints aren't permitted, though.