Zoom freezing development to fix security & privacy flaws
Popular video conferencing app Zoom has come under fire for numerous security flaws in the last few days, and has now issued a public apology plus a plan of action for resolving the issues.
The announcement came in a blog post released to Zoom's website on April 1 and attempts to mitigate some of the bad press the company has received over the last two weeks.
The blog post serves a few purposes. The first is to act as a repository to previously acknowledged issues, citing that the company has been working to fix security issues as they arise. The announcement also explains what the company has been working on, including an extensive section on Zoom's role in elementary and secondary classrooms.
The second purpose of the blog is to outline the company's plan of action for addressing ongoing issues. The Zoom team is giving themselves 90 days to fix existing problems.
In those 90 days, Zoom is enacting a feature freeze -- no further development will happen on Zoom products until security issues have been resolved. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.
Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." They plan on preparing a transparency report to handle requests for data, records, and content. The company plans on hosting a weekly webinar to provide security updates to Zoom users.
"We are actively investigating and working to address these issues," A Zoom representative told AppleInsider in an email. "We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption but did not possess those features.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.
In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.
The announcement came in a blog post released to Zoom's website on April 1 and attempts to mitigate some of the bad press the company has received over the last two weeks.
The blog post serves a few purposes. The first is to act as a repository to previously acknowledged issues, citing that the company has been working to fix security issues as they arise. The announcement also explains what the company has been working on, including an extensive section on Zoom's role in elementary and secondary classrooms.
The second purpose of the blog is to outline the company's plan of action for addressing ongoing issues. The Zoom team is giving themselves 90 days to fix existing problems.
In those 90 days, Zoom is enacting a feature freeze -- no further development will happen on Zoom products until security issues have been resolved. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.
Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." They plan on preparing a transparency report to handle requests for data, records, and content. The company plans on hosting a weekly webinar to provide security updates to Zoom users.
"We are actively investigating and working to address these issues," A Zoom representative told AppleInsider in an email. "We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."
The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without their permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they're on, and what city and time zone they're connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.
Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.
Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption but did not possess those features.
On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" camera and microphone permissions, allowing them to hijack them without a user's knowledge.
In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.
Comments
There's a different, and arguably worse, problem on Windows that allows an attacker to steal user credentials using Zoom.
https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
The two bolded sections are as follows:
So don't record your meeting if you don't want Zoom to decrypt it midstream. If I'm parsing this correctly, it reads: "There is a back door, but we don't use it. Unless you want to record your meeting."
That event was not so much a Zoom security failure but an overall design point that is missing. I imagine what is needed are unique user invites -- the unique ID can only be used by a single Zoom userid. It would be additional overhead for the meeting organizer but it would enhance meeting confidentiality. I can't think of any other decent solutions that don't require something like VPN access which would be tough to get working for a diverse set of middle/high school students that use a variety of devices. Any other ideas out there?
what I see is a brilliant service that was largely obscure for a long time suddenly being thrust into the limelight because of a global situation that quickly got out of hand.
What I see here is a company who is admitting to having made mistakes and then trying their hardest to fix those problems. Did FB got into feature lock to fix sec issues? No it didn’t and yet here is a public notice saying that it is. Sure, scrutiny must remain but at least this service seems to be genuinely trying. Straight away that makes them more trustworthy than others.
I do love this service. We use it for church and seeing hundreds of people, some who normally can only connect through a Voip connection, all while being at home is encouraging. I’ve never seen conferencing like this even in the 18 or so years when I was working in IT.
There are going to be issues with this level of rise in users but it’s what they do when they get found that matters and already they are far ahead of the game.
I'm reading "we ... do not decrypt ..." instead of "we ... can not decrypt ..."
I'm deducing that they can and do decrypt midstream if the meeting is being recorded.
Thus, I'm also reading "... has never built ..." as "... could build ..."
Contrast this to Apple's position on encryption when the FBI comes knocking.
People don't think about it, but unless it's done at the host's computer, the ability to record and store the meeting would require description of the stream.