Last week we took a look at how teleconferencing app Zoom compares to FaceTime, and with more users working from home, and even kids moving to online learning, there’s been a huge uptick in users turning to Zoom as the go-to solution. Zoom has the benefit of already being a de facto standard within many companies, and it has a well-deserved reputation for being ridiculously easy to set up.
Sadly, however, it looks like it may not be all sunshine and roses for the video conferencing app, with several new security and privacy issues coming to light as it comes under more scrutiny from its widespread use.
Last year Zoom experienced a major privacy debacle among Mac users when it was revealed that it had dug deep into the macOS operating system in such a way that users could be vulnerable to video eavesdropping. While Zoom had claimed that it did this to make the process easier for users to jump into video calls, it showed an appalling lack of concern for user privacy and borderline negligence on the part of the company. Especially when uninstalling Zoom didn’t eradicate the traces of the web server it had left behind. It was a serious enough issue that Apple had to step in and take action, so it definitely wasn’t a good look for Zoom.
Still, once that particular issue was resolved, security experts generally gave the app a pass and declared that it was once again safe for Mac users — at least from a technology perspective. On the other hand, some have continued to suggest that caution should be exercised when dealing with a company that, as John Gruber puts it, has “a history of playing fast and loose with privacy and security,” and several recent reports have reinforced Zoom’s apparently cavalier attitude in this regard.
As The Verge points out, Zoom has now been under fire over the past week or two for a plethora of security and privacy issues. While some of these might be relatively minor if taken by themselves, when added all together they don’t inspire any confidence at all in the security of the platform.
Firstly, conference IDs, while randomly generated, are easily guessable by brute force, which has led to a phenomenon for which the New York Times coined the term “Zoombombing,” referring to hackers looking for random Zoom conferences to disrupt, leading to such disturbing situations as a naked man interrupting a school video conference of nine-year-old girls.
While it’s possible to prevent Zoombombing by tweaking a few settings, these should arguably be the defaults, and not something that a school teacher should need to do simply to avoid the risk of their video call being interrupted by pedophiles.
Leaking Photos and Addresses
Another report by Motherboard revealed that once again in an effort to be “helpful” without caring too much about privacy, Zoom is also building massive directories of users that aren’t really related to each other in any way.
Since Zoom has always been primarily targeted toward business users, it assumes that everybody on the same email domain, with addresses that end in, say, “@apple.com”, belongs to the same organization and therefore automatically creates a “company directory.” This arguably works great within a business environment, but it doesn’t work so well for personal users who don’t actually belong to the same company, or even know each other at all, but simply share a common email service.
While Zoom makes exceptions for the most obvious email providers like Gmail, Hotmail, Outlook, and Yahoo, it can’t possibly cover all of the bases, and there are a lot of other email services out there, including those email addresses provided by your ISP. The problem is that if you’re using one of those, then anybody else who also has an email address on the same provider gets to see your name, email address, profile photo, and place calls to you.
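To make the design problem concrete, here is an added example (not code from the article or from Zoom) that models the two policies described above: grouping users by email domain with a hand-maintained exception list of public providers, beside an opt-in policy where only domains an organization has explicitly verified produce a directory. The domain list, the user records and the `verified_domains` set are constructed for illustration.

```python
"""Added example: domain-based auto-grouping versus verified, opt-in domains.

Everything here is an assumption made for illustration, not Zoom's actual
implementation. The point is that an exception list of consumer providers
can never be complete, so any ISP or small mail host slips through.
"""

# Constructed exception list of well-known consumer providers, the kind the
# article describes. Any provider missing from it is treated as a company.
PUBLIC_PROVIDERS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Constructed sample users: two strangers on the same ISP mail domain, two
# colleagues on a corporate domain, and one Gmail user.
USERS = [
    {"name": "Alice", "email": "alice@example-isp.net"},
    {"name": "Bob",   "email": "bob@example-isp.net"},
    {"name": "Carol", "email": "carol@example-corp.com"},
    {"name": "Dave",  "email": "dave@example-corp.com"},
    {"name": "Erin",  "email": "erin@gmail.com"},
]


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an address."""
    return email.rsplit("@", 1)[-1].lower()


def naive_directory(users):
    """Group by domain, skipping only the providers on the exception list.

    Returns {domain: [names visible to everyone on that domain]}.
    """
    directory = {}
    for u in users:
        d = domain_of(u["email"])
        if d in PUBLIC_PROVIDERS:
            continue  # consumer mailbox, no directory
        directory.setdefault(d, []).append(u["name"])
    return directory


def verified_directory(users, verified_domains):
    """Group only domains an organization has explicitly verified (opt-in).

    Unverified domains, including ISPs nobody thought to list, produce no
    directory at all, so strangers never see each other by default.
    """
    directory = {}
    for u in users:
        d = domain_of(u["email"])
        if d not in verified_domains:
            continue
        directory.setdefault(d, []).append(u["name"])
    return directory


def exposed_to_strangers(directory, known_orgs):
    """Domains that got a directory without being a known organization."""
    return sorted(d for d in directory if d not in known_orgs)


if __name__ == "__main__":
    known = {"example-corp.com"}
    print("naive:   ", naive_directory(USERS))
    print("leaks:   ", exposed_to_strangers(naive_directory(USERS), known))
    print("verified:", verified_directory(USERS, known))
```

With the naive policy, the ISP domain gets a directory and Alice and Bob (who have never met) can see each other's names and call each other; with the verified policy only the corporate domain does. The safer default is the one that fails closed when the exception list is incomplete.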
Not End-to-End Encrypted
Zoom claims that all of your video calls are end-to-end encrypted, but as much as it keeps using that phrase, we don’t think it means what they think it means.
“End-to-end encryption” by definition means that a call is fully encrypted between two final endpoints. In the case of a Zoom call, this should mean between your device and the device(s) of the recipients. As The Intercept has reported, however, Zoom understands the term to mean that the connection is only encrypted from the Zoom client to Zoom’s servers.
In other words, Zoom can still monitor and eavesdrop on all calls travelling through its servers. Granted, this isn’t much different than most video calling services — even FaceTime isn’t end-to-end encrypted — but it’s disingenuous of Zoom to use this term, and misleading marketing at best.
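The distinction between the two meanings of the term can be shown with a small relay model. The following is an added example, not code from the article or from Zoom: a toy stream cipher (an HMAC-SHA256 keystream XORed with the data, chosen so the block runs with only the Python standard library, and not something to use in a real product) is used to compare a hop-by-hop design, where the server holds a key for each leg and therefore sees plaintext, with a true end-to-end design, where the server only forwards bytes it cannot read. The keys, nonce and message are constructed values.

```python
"""Added example: transport (hop-by-hop) encryption versus end-to-end.

The cipher below is a toy for illustration only (no authentication, no key
exchange); it is not Zoom's protocol and not suitable for production.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Derive n bytes of keystream as HMAC-SHA256(key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < n:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def toy_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))


def relay_hop_by_hop(msg, client_server_key, server_peer_key, nonce):
    """The model the article attributes to Zoom: each leg is encrypted to
    the server, which decrypts and re-encrypts. Returns (server_view, peer_view)."""
    wire_in = toy_xor(client_server_key, nonce, msg)
    server_view = toy_xor(client_server_key, nonce, wire_in)  # server has the key
    wire_out = toy_xor(server_peer_key, nonce, server_view)
    peer_view = toy_xor(server_peer_key, nonce, wire_out)
    return server_view, peer_view


def relay_end_to_end(msg, peer_key, nonce):
    """True end-to-end: the key is shared only by the two endpoints, so the
    server forwards ciphertext it cannot open. Returns (server_view, peer_view)."""
    wire = toy_xor(peer_key, nonce, msg)
    server_view = wire  # opaque to the server
    peer_view = toy_xor(peer_key, nonce, wire)
    return server_view, peer_view


def server_can_read(msg, server_view) -> bool:
    """Did the relay see the plaintext?"""
    return server_view == msg


if __name__ == "__main__":
    # Constructed keys and nonce; a real system would negotiate these.
    k_cs, k_sp, k_peer = b"client-server-key", b"server-peer-key", b"peer-only-key"
    nonce = b"nonce-01"
    msg = b"confidential cabinet minutes"
    for name, (sv, pv) in {
        "hop-by-hop": relay_hop_by_hop(msg, k_cs, k_sp, nonce),
        "end-to-end": relay_end_to_end(msg, k_peer, nonce),
    }.items():
        print(f"{name}: server can read = {server_can_read(msg, sv)}, "
              f"peer decrypted ok = {pv == msg}")
```

In both models the peer receives the message intact; the difference is only what the middle box can see, which is exactly the property the marketing phrase is supposed to promise.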
Sneaky Installation Procedures
Zoom also uses a rather shady technique to install the Mac app without any user interaction — or even requiring the user to enter their password.
While Zoom would again insist that this is done to make things easier for the user — you can respond to a video call invitation with only a click or two, even if you don’t already have the Zoom app installed — it leaves a bad taste in the mouths of people who know how dangerous this can be. Besides, Zoom is doing this to literally save the user one or two more clicks and the possibility of needing to type their password, which is something that every Mac user pretty much expects to do when installing any new app these days.
It Gets Worse
Now, as if all of these little things weren’t enough, an ex-NSA hacker has found two new bugs in the Zoom app that can be used to take over a user’s Mac, including tapping into the camera and microphone.
According to TechCrunch, Patrick Wardle, who is now a principal security researcher at Jamf, posted two previously undisclosed flaws on his blog today, in a post with the tongue-in-cheek title The ‘S’ in Zoom, Stands for Security.
In all fairness, unlike last year’s potential for eavesdropping on unanswered calls, these two bugs require somebody to have physical access to your Mac in order to be exploited, but once this has been done, the attacker can then gain remote and persistent access to your Mac, allowing them to later install malware or spyware.
This bug actually piggybacks off of the way that Zoom installs itself, using a method that’s also common to Mac malware. Injecting malicious code into the Zoom installer can easily allow it to take over a computer even if the user only has relatively limited privileges.
It’s not just Macs that are vulnerable either, as two security researchers also found a totally different bug in Zoom that could be exploited to steal Windows passwords.
Why This Matters
With so many people using Zoom these days, often for more than just casual chit-chat or yoga lessons, the situation is even more disturbing. Consider that there are actually government agencies using Zoom to conduct meetings among some of their highest officials that would otherwise be held confidentially in person. For example, the UK government has begun holding daily cabinet meetings using Zoom.
Most of Zoom’s problems can still be avoided in various ways: by adjusting settings in Zoom, by ensuring that your computer is otherwise secure, and by only installing Zoom from a trusted source. As we noted earlier, though, the sheer number of them reemphasizes that Zoom puts a much higher priority on creating an “easy” user experience than on creating a “safe” one. That means we can be pretty sure we’ll be hearing about even more flaws in the coming days, until Zoom cleans up its act and starts taking security and privacy more seriously.
If you’re concerned about this, the best option really is to simply avoid using Zoom on your Mac, or even having it installed. While you may not have a choice of which video conferencing software you use with colleagues or teachers, you can still use Zoom on your iPhone or iPad, where it will be considerably more secure thanks to the sandboxing that Apple has built into its iOS operating system. There’s also a web-based version of Zoom that can be used on a Mac; although it lacks some of the features of the full macOS app, it should be fine for simple video conferences.