Zoom macOS install 'shady,' plus video chats aren't end-to-end encrypted

Posted in General Discussion, edited March 2020
Video conferencing service Zoom reportedly installs itself on Macs by working around Apple's regular security, and also promotes that it has end-to-end encryption, but demonstrably does not.

Zoom's popularity as a video conferencing tool has soared over the coronavirus


Increased usage of video conferencing app and service Zoom during the coronavirus outbreak is leading to more security issues being uncovered. As well as previously sending user data to Facebook, which it says it has fixed, it has now been accused of two separate security issues.

In one, it is reportedly working around Apple's security to get itself installed, and in the other it is claiming end-to-end encryption that it does not have.

Twitter user @c1truz_, technical lead for malware tracker VMRay, reports that Zoom's Mac app installer uses preinstallation scripts and allegedly displays a faked macOS system message.

Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M

-- Felix (@c1truz_)


"This is not strictly malicious, but very shady and definitely leaves a bitter aftertaste," continues @c1truz_, "The application is installed without the user giving his [or her] final consent and a highly misleading prompt is used to gain root privileges."

"[These are the] same tricks that are being used by macOS malware," he concludes.

AppleInsider has reached out to Zoom regarding the allegation but has yet to receive comment. Apple has not publicly commented either, but this accusation follows previous issues where Apple forced a macOS update on users in order to remedy a Zoom security problem.

Previously, another security workaround within the Zoom app meant that it was possible for websites to turn on users' cameras without permission. Initially, Zoom defended this as a deliberate way to make video conferencing easier for users. It then backed down and said it would remove the feature.

Before it did so, however, Apple intervened and used a forced silent update to macOS, the method by which it typically addresses malware.
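One defensive response to the installer behaviour reported above is to unpack a package and read its install scripts before the Installer ever runs them. The following is an added example, not code from the tweet, AppleInsider or Zoom: a small Python audit that walks an expanded .pkg tree, finds the scripts Apple's Installer executes automatically, and flags the three behaviours the report names (unpacking with a bundled 7zip, writing straight into /Applications, testing admin-group membership). The `pkgutil --expand-full` call, the indicator regexes and the sample preinstall script are assumptions constructed for this example.

```python
"""Audit the install scripts inside a macOS installer package before running it.
Added example; the indicator list and sample script are constructed, not Zoom's."""
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Script names that Apple's Installer executes automatically from a package.
SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}

# Behaviours the report describes, as regexes over script text (assumed heuristics).
INDICATORS = {
    "unpacks a bundled 7zip archive": re.compile(r"\b7z[ar]?\b"),
    "writes directly into /Applications": re.compile(r"/Applications\b"),
    "checks admin group membership": re.compile(r"\badmin\b"),
}


def scan_script(text: str) -> List[str]:
    """Return the labels of every indicator that matches the script text."""
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def audit_expanded_pkg(root: str) -> Dict[str, List[str]]:
    """Walk an expanded package tree and report indicators per install script.
    Keys are script paths relative to `root`; values are matched indicator labels."""
    root_path = Path(root)
    findings: Dict[str, List[str]] = {}
    for path in root_path.rglob("*"):
        if path.is_file() and path.name in SCRIPT_NAMES:
            text = path.read_text(errors="replace")
            findings[path.relative_to(root_path).as_posix()] = scan_script(text)
    return findings


def expand_pkg(pkg: str, dest: str) -> None:
    """macOS only (assumption: pkgutil --expand-full is available). Unpacks a flat
    .pkg, including its Scripts directory, into `dest` without installing anything."""
    subprocess.run(["pkgutil", "--expand-full", pkg, dest], check=True)


# Constructed sample preinstall script mirroring the behaviour the report describes.
SAMPLE_PREINSTALL = """#!/bin/sh
if id -Gn "$USER" | grep -qw admin; then
  "$(dirname "$0")/7zr" x "$(dirname "$0")/app.7z" -o/Applications
fi
"""


def audit_sample() -> Dict[str, List[str]]:
    """Build a fake expanded package in a temp dir and audit it (offline demo)."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "Scripts"
        scripts.mkdir()
        (scripts / "preinstall").write_text(SAMPLE_PREINSTALL)
        (scripts / "postinstall").write_text("#!/bin/sh\nexit 0\n")
        return audit_expanded_pkg(tmp)


if __name__ == "__main__":
    for script, hits in audit_sample().items():
        print(script, "->", hits or "nothing flagged")
```

On a Mac the flow is `expand_pkg("Installer.pkg", "expanded")` followed by `audit_expanded_pkg("expanded")`; nothing in the package is executed, so the check is safe to run on an untrusted download. The regexes are deliberately coarse: a hit is a reason to read the script, not a verdict.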

Separately, The Intercept alleges that Zoom is claiming to have end-to-end encryption for its video conference calls, but does not.

Rather than true end-to-end encryption, where the entire video chat can be seen only by the caller and his or her recipients, Zoom is reportedly doing what's called transport encryption. This encrypts the connection between the users and Zoom's servers, but doesn't prevent Zoom itself from seeing the calls.
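The difference between the two terms is easiest to see in a model where the server's view is recorded. The following is an added example, not Zoom's protocol or any code from The Intercept or AppleInsider: a toy stream cipher (SHA-256 in counter mode, an assumption made for self-containment) and a relay that holds one session key per user. In "transport" mode only the hops are encrypted, so the relay reads the payload while re-wrapping it; in "e2e" mode the payload is additionally encrypted under a call key the relay never receives. The party names and keys are constructed.

```python
"""Model transport (hop-by-hop) encryption versus end-to-end encryption of a call.
Added example with a toy stream cipher; it is not Zoom's protocol."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a keystream. Toy construction for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


@dataclass
class Relay:
    """The service's server. It holds one session key per user (the per-hop
    'transport' layer) and records whatever it can read while relaying."""
    session_keys: Dict[str, bytes]
    seen: List[bytes] = field(default_factory=list)

    def relay(self, sender: str, recipient: str, nonce: bytes, wire: bytes) -> bytes:
        # Peel the sender's hop: this is where the server sees the payload.
        payload = decrypt(self.session_keys[sender], nonce, wire)
        self.seen.append(payload)
        # Re-wrap for the recipient's hop and forward.
        return encrypt(self.session_keys[recipient], nonce, payload)


def run_call(mode: str, message: bytes) -> Tuple[bytes, bytes]:
    """Alice sends `message` to Bob through the relay.

    mode == "transport": only the hops are encrypted (what the article calls
        transport encryption, "Zoom end point to Zoom end point").
    mode == "e2e": the payload is also encrypted under a call key that only
        Alice and Bob hold; the relay never receives that key.
    Returns (what Bob reads, what the relay could read).
    """
    if mode not in ("transport", "e2e"):
        raise ValueError(f"unknown mode {mode!r}")
    relay = Relay(session_keys={"alice": os.urandom(32), "bob": os.urandom(32)})
    call_key = os.urandom(32)  # constructed; never handed to the relay
    nonce = os.urandom(12)

    payload = encrypt(call_key, nonce, message) if mode == "e2e" else message
    wire = encrypt(relay.session_keys["alice"], nonce, payload)

    delivered = relay.relay("alice", "bob", nonce, wire)

    payload_at_bob = decrypt(relay.session_keys["bob"], nonce, delivered)
    received = decrypt(call_key, nonce, payload_at_bob) if mode == "e2e" else payload_at_bob
    return received, relay.seen[-1]


def relay_can_read(mode: str, message: bytes) -> bool:
    """True when the relay observed the plaintext of the message."""
    _, observed = run_call(mode, message)
    return observed == message


if __name__ == "__main__":
    for mode in ("transport", "e2e"):
        received, observed = run_call(mode, b"confidential clinical discussion")
        print(f"{mode:9s} Bob got {received!r}; relay saw {observed!r}")
```

In both modes Bob reads the message and both hops are encrypted, which is why a vendor can truthfully say every connection is encrypted; only the e2e mode leaves the relay with ciphertext it cannot open, and that is the property the term end-to-end is meant to promise.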

"In fact, Zoom is using its own definition of the term," The Intercept says, "one that lets Zoom itself access unencrypted video and audio from meetings."

A Zoom spokesperson confirmed this to The Intercept, responding that "currently, it is not possible to enable E2E encryption for Zoom video meetings."

"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point," the Zoom spokesperson continued.

Comments

  • Reply 1 of 26
    hexclock Posts: 921 member
    Zoom into the Trash can.
  • Reply 2 of 26
    Gruber also has a piece on this.  

    Out of interest, Zoom claim they are FERPA/HIPAA compliant, but does this mean they have separate more secure versions for Education and the medical profession?
  • Reply 3 of 26
    They may have, I know that they have a separate Government version. Zoomgov
  • Reply 4 of 26
    Bleh. Installed Zoom on two Macs and iPad last week to “attend” city council meetings. The school board just put the meeting on YouTube instead. I thought the chief side effect was having the ‘70s “Zoom” theme song in my noggin.
  • Reply 5 of 26
    They may have, I know that they have a separate Government version. Zoomgov
    So presumably they can do a more secure version it's just that they prefer to slurp consumer data as a sideline...

    As Gruber points out, they don't need to do this.  They have a good product with a market winning combination of quality and ease of use.  They could simply charge more and reduce the 'free' tier.

    Although the version numbers are different, if you download the installer from https://www.zoomgov.com/download it looks the same as the 'standard' one from https://zoom.us/download#client_4meeting. If there are any differences, they must be in the code somewhere.


    edited March 2020
  • Reply 6 of 26
    DAalseth Posts: 1,620 member
    They may have, I know that they have a separate Government version. Zoomgov
    To be honest at this point I don't care if they have a Zoom CIA/NSA version. I don't trust them, and I won't use them.
  • Reply 7 of 26
    This is deeply troubling. Zoom is essential in the NYC medical community's response. Extremely sensitive things are being discussed on Zoom daily, and if Zoom has a massive "internal" database of all these meetings that is a huge problem. We all know that there are only two kinds of companies, those that have been hacked and know about it, and those that have been hacked and don't know about it. Many are both. 

    I don't think Zoom understands the kind of weight that is about to come down on it with regard to this false claim of E2E encryption.
  • Reply 8 of 26
    Not to be paranoid, but it's hard to believe that Zoom can provide free video conferencing for millions of people daily without any source of revenue to cover those costs.

    Using "end-to-end encryption" to refer to a process that decrypts all the data as it passes through their servers is the definition of deceptive business practices, no?
  • Reply 9 of 26
    revenant Posts: 616 member
    I have to use this for work, and it lives on my work Windows machine. I told them I would never need it as I use my Mac--I finally found a use for it.
  • Reply 10 of 26
    Where is Apple on this? Aren’t we guaranteed by them that anything downloaded through the Apple store is perfectly safe?

  • Reply 11 of 26
    razorpit Posts: 1,796 member
    They may have, I know that they have a separate Government version. Zoomgov
    Secure for me but not for thee!  ;)
    Where is Apple on this? Aren’t we guaranteed by them that anything downloaded through the Apple store is perfectly safe?

    I missed that. Can you please post a link to that statement?
  • Reply 12 of 26
    This is deeply troubling. Zoom is essential in the NYC medical community's response. Extremely sensitive things are being discussed on Zoom daily, and if Zoom has a massive "internal" database of all these meetings that is a huge problem. We all know that there are only two kinds of companies, those that have been hacked and know about it, and those that have been hacked and don't know about it. Many are both. 

    I don't think Zoom understands the kind of weight that is about to come down on it with regard to this false claim of E2E encryption.
    ----
    Zoom has a HIPAA compliant healthcare version that anyone in the medical community should be using, obviously.  So, if you are, you are ok.  If you are using the free consumer version for professional work, that is shameful and dangerous.
    edited March 2020
  • Reply 13 of 26
    StrangeDays Posts: 11,388 member
    "When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point," the Zoom spokesperson continued.
    ...which isn’t what end to end encryption means! What scammers. 
  • Reply 14 of 26
    StrangeDays Posts: 11,388 member

    Where is Apple on this? Aren’t we guaranteed by them that anything downloaded through the Apple store is perfectly safe?
    Zoom for the Mac, which had the security bug and now the malicious installer, is not distributed via the Mac App Store.

    Zoom for iOS is better behaved, but still lacks in E2E.
    edited March 2020
  • Reply 15 of 26
    How do you get hold of one of the (supposedly) more secure FERPA/HIPAA client versions?  It is possible to download an installer from the zoomgov site but there's no clear indication as to whether it is more secure.  The installers look much the same.  Effectively you're relying on the site title 'zoomgov' as an indicator of security.

    Can anyone who has one of these test them to see if and how they are more secure?  I'm in the UK but my understanding is that FERPA/HIPAA compliance is pretty strict. Claiming compliance and then distributing a non-compliant product would have legal all over it.  

    Can't really say that I trust them but it's suddenly become the go-to product for video conferencing for schools and colleges over here, probably because it's cross platform.   Even Boris Johnson and the UK Cabinet are using it......

    https://twitter.com/StefSimanowitz/status/1244994273457602561
    edited March 2020
  • Reply 16 of 26
    sflocal Posts: 5,653 member

    Where is Apple on this? Aren’t we guaranteed by them that anything downloaded through the Apple store is perfectly safe?
    Zoom for the Mac, which had the security bug and now the malicious installer, is not distributed via the Mac App Store.

    Zoom for iOS is better behaved, but still lacks in E2E.
    I suspect Mr. Drive-by one-poster is trolling.
  • Reply 17 of 26
    rob53 Posts: 2,558 member
    From Zoom's HIPAA certification pdf, https://zoom.us/docs/doc/Zoom-hipaa.pdf.

    ----
    HIPAA Certification

    Currently, the agencies that certify health technology – the Office of the National Coordinator for Health Information Technology and the National Institute of Standards and Technology – do “not assume the task of certifying software and off-the-shelf products” (p. 8352 of the Security Rule), nor accredit independent agencies to do HIPAA certifications. Additionally, the HITECH Act only provides for testing and certification of Electronic Health Records (EHR) programs and modules. Thus, as Zoom is not an EHR software or module, our type of technology is not certifiable by these unregulated agencies.

    ----

    For anyone who's ever had to do actual certification testing, this statement is a joke. Zoom self-certified their own supposed HIPAA certification. Read their document and I'd love to see if someone can actually validate anything Zoom has actually done. From what I've read, their consumer version definitely is not HIPAA compliant and I have to wonder if their compliant version is actually compliant either. The fact their software is not certified as an EHR program makes me wonder why medical institutions are even allowed to use it for private doctor-to-patient correspondence (my daughter's doctor uses it and now she's worried about talking to them over Zoom instead of in person, which isn't being done because of the virus).

  • Reply 18 of 26
    BittySon said:
    This is deeply troubling. Zoom is essential in the NYC medical community's response. Extremely sensitive things are being discussed on Zoom daily, and if Zoom has a massive "internal" database of all these meetings that is a huge problem. We all know that there are only two kinds of companies, those that have been hacked and know about it, and those that have been hacked and don't know about it. Many are both. 

    I don't think Zoom understands the kind of weight that is about to come down on it with regard to this false claim of E2E encryption.
    ----
    Zoom has a HIPAA compliant healthcare version that anyone in the medical community should be using, obviously.  So, if you are, you are ok.  If you are using the free consumer version for professional work, that is shameful and dangerous.
    Yes, but I'm not sure they are okay. We're not talking about the HIPAA Privacy Rule. End-to-end encryption is a basic tenet of the HIPAA Security Rule, but the setting in Zoom is "Require Encryption for 3rd Party Endpoints" -- the wording of that seems suspect -- if you have a HIPAA-compliant account (which are not free, obviously), then that setting is on by default and can't be changed. It can be changed on the account level, but not on the group level or the user level. If the HIPAA Security Rule doesn't specifically prohibit what Zoom has said they are doing (end-to-end doesn't truly mean end-to-end), then it seems like a loophole and I'd like to know more. If there is a way for Zoom (the company) to access the meeting from the inside as it is going on, that's an issue.

    https://zoom.us/docs/doc/Zoom-hipaa.pdf

    The above is reassuring, but if you look closely, it all depends on how one defines "end-to-end" ... It just seems to me that if you could get true end-to-end by paying for an account and turning that setting on, they could simply say so. But they're not saying that.
    edited March 2020
  • Reply 19 of 26
    sacto joe Posts: 895 member
    Near as I can tell, the only “questionable” issue here is the following:

    “Zoom is reportedly doing what's called transport encryption. This makes the connection between the users and Zoom's servers encrypted, but doesn't prevent Zoom itself seeing the calls.”

    So if you have something private to say or show, don’t use Zoom! For the rest of us, no biggie. And for many meetings, for example helping people meet for church functions now that churches have closed their doors, it’s just fine.
  • Reply 20 of 26
    Where is Apple on this? Aren’t we guaranteed by them that anything downloaded through the Apple store is perfectly safe?

    It’s not available through the Mac App Store. The iOS version is sandboxed. Presumably that one is safe.
    edited March 2020