Zoom freezing development to fix security & privacy flaws

Popular video conferencing app Zoom has come under fire for numerous security flaws in the last few days, and has now issued a public apology plus a plan of action for resolving the issues.


The announcement came in a blog post released to Zoom's website on April 1 and attempts to mitigate some of the bad press the company has received over the last two weeks.

The blog post serves a few purposes. The first is to act as a repository of previously acknowledged issues, noting that the company has been working to fix security issues as they arise. The announcement also explains what the company has been working on, including an extensive section on Zoom's role in elementary and secondary classrooms.

The second purpose of the blog is to outline the company's plan of action for addressing ongoing issues. The Zoom team is giving themselves 90 days to fix existing problems.

In those 90 days, Zoom is enacting a feature freeze -- no further development will happen on Zoom products until security issues have been resolved. They plan on bolstering their security features through a variety of means, including white-box penetration tests and expanding current bug-testing procedures.

Zoom will begin meeting with third-party experts, as well as Zoom users, to "understand and ensure the security of all of our new consumer use cases." They plan on preparing a transparency report to handle requests for data, records, and content. The company plans on hosting a weekly webinar to provide security updates to Zoom users.

"We are actively investigating and working to address these issues," a Zoom representative told AppleInsider in an email. "We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."

The most recent flurry of complaints started when it was discovered that the company was sending user data to Facebook without users' permission. Zoom notified Facebook when the iOS app was opened, what device a user was using, what carrier they were on, and what city and time zone they were connecting from. The data also included a unique advertiser tag, connected to a user's device, that companies use to target advertisements.

Zoom had publicly told news outlets that the information had been anonymized, but understood why users were upset. The company removed the app's ability to send data to Facebook in an update pushed out on March 27.

Shortly after, security experts found that Zoom was able to install itself on Macs by working around Apple's security features. It was concurrently discovered that the company had claimed the service offered end-to-end encryption when it did not.

On April 1, it was discovered that a flaw in Zoom's software allows a local user or piece of malware to piggyback on Zoom's camera and microphone permissions. An attacker can inject malicious code into Zoom's process space and "inherit" its camera and microphone permissions, allowing the attacker to use the camera and microphone without the user's knowledge.

In 2019, a security researcher found a zero-day vulnerability in the app that could have allowed malicious websites to activate and view a Mac webcam without user knowledge.

Comments

  • Reply 1 of 13
    neilm Posts: 985 member
    And those are just the (numerous) Zoom security failings on Apple's platform.

    There's a different, and arguably worse, problem on Windows that allows an attacker to steal user credentials using Zoom.
  • Reply 2 of 13
    Now that people are actually using it, what with the quarantine, all the security flaws are coming to the fore.
  • Reply 3 of 13
    Here is a direct link to the twin blog post from yesterday that focuses on the question of encryption:

    https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

    The two bolded sections are as follows:
    "To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."

    "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
    So don't record your meeting if you don't want Zoom to decrypt it midstream. If I'm parsing this correctly, it reads: "There is a back door, but we don't use it. Unless you want to record your meeting."
    edited April 2020
  • Reply 4 of 13
    nikon1 Posts: 18 member
    And will Zoom actually “fix” the security issues or just “dodge & weave” like FaceCrook does? I sincerely have my doubts that this program / service would ever be trustworthy enough without serious expert reviews. It seems to me to be as shady as Zuckerberg and his apologizing for all the privacy issues in FaceCrook that “we weren’t as clear as we thought. We’re sorry, we’ll clean this up.”
  • Reply 5 of 13
    linkman Posts: 1,035 member
    Someone at my wife's school had a big problem when they attempted to use Zoom the first time for class online recently. One of the students (with malicious intent) published the meeting ID a few days earlier on some social media platform inviting anyone to crash the meeting and it snowballed -- something like 1000 undesirables joined the meeting and were extremely disruptive. The teacher had to end the meeting and that classroom session was effectively cancelled.

    That event was not so much a Zoom security failure but an overall design point that is missing. I imagine what is needed are unique user invites -- the unique ID can only be used by a single Zoom userid. It would be additional overhead for the meeting organizer but it would enhance meeting confidentiality. I can't think of any other decent solutions that don't require something like VPN access which would be tough to get working for a diverse set of middle/high school students that use a variety of devices. Any other ideas out there?
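
A sketch of the per-user invite idea raised in Reply 5, added here as an illustration; it is not part of the post and not Zoom's implementation. The key, function names and token layout are hypothetical, and the service is assumed to authenticate the joining account before calling `admit`.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical signing key held by the meeting service


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_invite(meeting_id, user_id, ttl_s=3600, now=None):
    """Organizer side: mint an invite bound to one meeting and one account.
    Assumes IDs never contain '|'."""
    expires = int((time.time() if now is None else now) + ttl_s)
    payload = f"{meeting_id}|{user_id}|{expires}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def admit(token, meeting_id, authenticated_user, seated, now=None):
    """Service side: decide whether a logged-in account may join. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
    except ValueError:
        return False, "malformed"
    # Check the MAC before trusting any field in the payload.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    tok_meeting, tok_user, tok_exp = payload.decode().split("|")
    if tok_meeting != meeting_id:
        return False, "wrong meeting"
    if now > int(tok_exp):
        return False, "expired"
    if tok_user != authenticated_user:
        return False, "invite belongs to another account"  # a reposted link admits nobody else
    if authenticated_user in seated:
        return False, "already seated"
    seated.add(authenticated_user)
    return True, "ok"
```

The organizer overhead mentioned in the post shows up as one `issue_invite` call per participant; the trade-off is that every participant needs an account the service can authenticate.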
  • Reply 6 of 13
    indiekiduk Posts: 381 member
    Here is a direct link to the twin blog post from yesterday that focuses on the question of encryption:

    https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/


    They are still not admitting that despite it being encrypted they can decrypt it if they wanted to, ridiculous.
  • Reply 7 of 13
    netmage Posts: 314 member
    How do you know that recording doesn’t change the encryption endpoint to the recording point so it has two end to middle to end encryption paths for each stream to allow recording, but has one end to end encryption path for unrecorded calls?
  • Reply 8 of 13
    MplsP Posts: 3,911 member
    Here is a direct link to the twin blog post from yesterday that focuses on the question of encryption:

    https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

    The two bolded sections are as follows:
    "To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."

    "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
    So don't record your meeting if you don't want Zoom to decrypt it midstream. If I'm parsing this correctly, it reads: "There is a back door, but we don't use it. Unless you want to record your meeting."
    Where do you see that?
    edited April 2020
  • Reply 9 of 13
    DAalseth Posts: 2,783 member
    I'll use zoom, once they go a full year or more without anyone finding any security holes, creepy behaviour, or connections with data stealing groups. When nobody can find a way to party crash a meeting, or otherwise mess with my conversation. They do that then I might trust them. MIGHT.
  • Reply 10 of 13
    lowededwookie Posts: 1,143 member
    I guess people will only see the negative because that’s all they want to see.

    What I see is a brilliant service that was largely obscure for a long time suddenly being thrust into the limelight because of a global situation that quickly got out of hand.

    What I see here is a company who is admitting to having made mistakes and then trying their hardest to fix those problems. Did FB go into feature lock to fix sec issues? No it didn’t and yet here is a public notice saying that it is. Sure, scrutiny must remain but at least this service seems to be genuinely trying. Straight away that makes them more trustworthy than others.

    I do love this service. We use it for church and seeing hundreds of people, some who normally can only connect through a Voip connection, all while being at home is encouraging. I’ve never seen conferencing like this even in the 18 or so years when I was working in IT.

    There are going to be issues with this level of rise in users but it’s what they do when they get found that matters and already they are far ahead of the game.
  • Reply 11 of 13
    MplsP said:
    Here is a direct link to the twin blog post from yesterday that focuses on the question of encryption:

    https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

    The two bolded sections are as follows:
    "To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."

    "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
    So don't record your meeting if you don't want Zoom to decrypt it midstream. If I'm parsing this correctly, it reads: "There is a back door, but we don't use it. Unless you want to record your meeting."
    Where do you see that?
    I could be wrong, but it's about what they are not saying:

    I'm reading "we ... do not decrypt ..." instead of "we ... can not decrypt ..." 
    I'm deducing that they can and do decrypt midstream if the meeting is being recorded.
    Thus, I'm also reading "... has never built ..." as "... could build ..."

    Contrast this to Apple's position on encryption when the FBI comes knocking. 
    edited April 2020
  • Reply 12 of 13
    MplsP Posts: 3,911 member
    MplsP said:
    Here is a direct link to the twin blog post from yesterday that focuses on the question of encryption:

    https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/

    The two bolded sections are as follows:
    "To be clear, in a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."

    "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
    So don't record your meeting if you don't want Zoom to decrypt it midstream. If I'm parsing this correctly, it reads: "There is a back door, but we don't use it. Unless you want to record your meeting."
    Where do you see that?
    I could be wrong, but it's about what they are not saying:

    I'm reading "we ... do not decrypt ..." instead of "we ... can not decrypt ..." 
    I'm deducing that they can and do decrypt midstream if the meeting is being recorded.
    Thus, I'm also reading "... has never built ..." as "... could build ..."

    Contrast this to Apple's position on encryption when the FBI comes knocking. 
    Well, technically Apple (or any other company) could build a back door, too. Even when the FBI filed suit a few years ago they didn't argue that they couldn't. 

    People don't think about it, but unless it's done at the host's computer, the ability to record and store the meeting would require decryption of the stream.


  • Reply 13 of 13
    SpamSandwich Posts: 33,407 member
    I like FaceTime.