Zoom in the media spotlight

At the start of the year, Zoom stock was worth $60 on the NASDAQ, before shooting up to $160 during the first week of COVID-19. However, since then, a constant string of allegations regarding the security and privacy of the product has pushed its value down significantly. Zoom stock is currently sitting at $115, down around $30 on April 7th.

What happened? Let’s break it down. In short, Zoom has suffered:

  1. A poor reputation for taking advantage of Apple’s OSX installer process (twice!).
  2. A Facebook data leak in its iOS app.
  3. An allegation that Zoom “leaks your files” on to the internet.
  4. Zoom Bombing, which I covered here.
  5. A misrepresentation of how a Zoom call is encrypted.
  6. A number of zero-day vulnerabilities that attack the Zoom client.
  7. A privacy blow when recorded Zoom conferences were found on an open Amazon server.
  8. Outrage that Zoom has a feature that the media dubbed “boss tracking”.
  9. Calls which may have been routed through China.

So why would you use this software, assuming alternatives like MS Teams, Cisco Webex or Google Meet exist? Well, I’ll go into the detail of each of these issues below, but in summary, the vast bulk of these headline-grabbing issues are common to other video conferencing platforms or internet-connected services. Basically, Zoom is in the media spotlight right now, so that’s what gets the clicks. Zoom Bombing is probably the biggest issue unique to its platform, but that’s trivially fixed by adding a password to your meeting invites – indeed, if you’re using the free version, that’s now the default behaviour anyway.

If I were wearing my cynical hat (and in truth, I rarely take it off), I’d suggest that the media reaction is fuelled by a combination of clickbait and competitive bitterness that the new kid on the block has taken off so spectacularly. I suspect that some of those competitors might be feeling a touch resentful at the moment, and doing everything in their power to tip the balance back to their own products.

It’s definitely amusing to see press releases from those competitors as they scramble to launch services and features which emulate the Zoom model, but presumably (hopefully!) without the snafus that Zoom have run into. For example, Microsoft Skype is now launching a video service “Skype Meet” which is largely identical to Zoom’s model of clientless delivery. Similarly, Google has extended “Hangouts Meet” for all GSuite users, and even privacy expert, the Tor Project, has chimed in to lend its support to open source wunderkind, Jitsi.

I suppose the biggest issue on the list is arguably the China connection. You can read about this in detail, below, but given the obviously negative reaction this would garner, and how simple it is for security experts to detect, I genuinely believe that this was just an easily corrected mistake in the midst of massive upscaling to meet demand in that region.

Zoom has definitely made some mistakes and sure, they could have done better before now. But this is what happens when a young (well, youngish) company is thrown into the spotlight like this. Ultimately we shouldn’t judge a company by how many allegations and issues are raised against it, but instead by its response to those allegations and issues.

And in Zoom’s case, it’s done pretty well to respond positively to nearly every one of them.

I’ll continue to use Zoom for the foreseeable future, but I’m not a Zoom apologist. If, in future, allegations are made that aren’t addressed, or which point to an underlying shift in culture at the company, I’ll be happy to change my tune and look for alternatives.

But until I’m forced to do so, I’m very happy to continue to use Zoom.

 

Here’s the full breakdown for those interested.

A poor reputation for taking advantage of Apple’s OSX installer process (twice!)

In order to make their installer as convenient as possible, Zoom used the preinstall facility of OSX to make its installer look like a regular system update. This isn’t a great look, as it feels disingenuous to pass a third party app off as a system update. It does make the install process significantly simpler however, and it looks like Zoom is standing by its decision to use this method. Perhaps Apple will address the issue in future OSX updates and I suspect they might have to, since it’s likely that other applications will follow this model if it’s left unchecked.

A Facebook data leak in its iOS app.

If you used Facebook to log in to the iOS Zoom app, unsurprisingly, Facebook were able to glean telemetry from the iPhone in question: things like the model you’re using, its screen size, storage space and rough location data. It was probably uninteresting to them, since, as a Facebook user, you probably also had the Facebook app on your phone anyway, which was already reporting that kind of data in even greater detail.

However, this was also true of the iOS app if you didn’t log in with Facebook. Or even have a Facebook account at all. Which is clearly a privacy issue and obviously not cool.

However, this was traced to Facebook itself, not Zoom. Indeed, after being notified of the behaviour, Zoom pulled the Facebook SDK (software development kit) features from Zoom within a day or so. As far as I know, Facebook haven’t responded to the situation, despite Zoom now facing a civil lawsuit over the integration.

An allegation that Zoom “leaks your files” on to the internet

Zoom automatically turned file paths (called UNC paths) into clickable links as a convenience feature. However, if a malicious user in your conference sent you an internet-based file path to their own server, and you clicked on it, it’s conceivable that they might be able to capture a hash of your password when your computer attempted to open the file.

What they’re meant to do with that hash is anyone’s guess, however. They’d need access to your network in order to make use of it and frankly, if that’s possible, you have bigger things to worry about than Zoom turning paths into links. Also, there was never any chance that Zoom was “leaking your files”. This was a shockingly spurious “vulnerability” with little to no impact generally.

And all of this leads me to wonder why you’re inviting people you don’t trust into your conference, then blindly clicking links that they send you… so this gets my first official eye-roll of the day.

However, regardless, Zoom disabled the functionality to appease the masses. It’s also led to some security researchers suggesting that Internet Service Providers world-wide should “step up” and finally ban UNC paths over the internet, so some good might actually come of this frankly pathetic attempt at clickbait.
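The password hash mentioned above is exposed because Windows attempts to authenticate to whatever host a UNC path names. As an added example (not Zoom's code and not from the original post), here is one way a chat client could render messages so that UNC paths are never clickable and internet-facing ones are defanged; the function names, the single-label-means-internal rule and the sample messages are assumptions made for the illustration.

```python
import ipaddress
import re

# Matches \\host\share[\more\segments] as typed into a chat message.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\s\\]+(?:\\[^\s\\]+)*)")

# Constructed chat messages for the demonstration.
SAMPLES = [
    r"Slides are on \\fileserver01\team\deck.pptx",
    r"Grab the agenda: \\files.example.net\share\agenda.docx thanks",
    r"Backup copy at \\10.0.0.5\public",
]

def classify_unc_host(host):
    """Return 'internal' or 'external' for the host part of a UNC path."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Assumption: single-label names resolve on the local network,
        # dotted names are treated as internet hosts.
        return "external" if "." in host else "internal"
    return "internal" if ip.is_private else "external"

def render_message(text):
    """Return (safe_text, findings). No UNC path becomes a link; paths that
    point at an external host are replaced with a defanged notice."""
    findings = []

    def repl(match):
        host = match.group(1)
        kind = classify_unc_host(host)
        findings.append((match.group(0), kind))
        if kind == "external":
            return "[blocked UNC path to " + host.replace(".", "[.]") + "]"
        return match.group(0)  # left as plain, non-clickable text

    return UNC_RE.sub(repl, text), findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(render_message(sample))
```

The `findings` list is what a client or gateway would log, so that an external UNC path sent into a meeting shows up for review rather than relying on nobody clicking it.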

Zoom Bombing

This is where hackers join random conferences by guessing the 9 or 10 digit Zoom conference ID, then stream inappropriate or shocking content to the audience. It’s trivially prevented by adding a password to your meeting, or through the use of the web interface to enable the Waiting Room feature. Zoom enabled passwords by default for all free accounts to combat this behaviour. This will remain an issue for Zoom as long as it courts the “convenience” model of setting up a video conference. Their model was to emulate a phone call as closely as possible, so Zoom IDs are nowhere near as complex as the invites you see generated by competitors like Teams, GoToMeeting, or Webex.

A misrepresentation of how a Zoom call is encrypted

Oh boy. This’ll take some explaining! In fact, it’s practically a blog post in its own right. Long story short though, Zoom were in the wrong here and I’m glad they fixed it so quickly. But as you’ll discover, end-to-end encryption isn’t something that other video conferencing tools do either. Now admittedly, they also don’t try to pretend that they do, like Zoom did. But it turns out that end-to-end encryption is hard. Really hard.

End-to-end encryption, sometimes referred to as E2EE, is where the caller and recipient share a secret key at the start of the call, then use that to encrypt all the video/voice thereafter. How do they share a key over a public channel? Lots and lots of mathematics, much of it based on the Diffie-Hellman key exchange protocol, a thing called double ratchet hashing and a lot of work by Open Whisper Systems (the guys who make WhatsApp alternative, Signal) to bring it all together.

It’s a powerful privacy tool for 1-2-1 meetings. As you’d expect it’s extremely challenging to do end-to-end encryption for multi-party conferences. And to be clear, Zoom conferences are not end-to-end encrypted. They encrypt the call to Zoom, then they encrypt again from Zoom to the recipient. But that makes them a “middle man” in any conference and that’s how they offer features like conference recording and Skype bridges.

It’s also a huge bandwidth saver, because unless you trust a third party to act as a bridge, every additional recipient on an end-to-end encrypted multi-party video call is sending and receiving that video to/from each recipient on the call! It’s a mesh – it doesn’t scale.
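The difference between the two models described above can be shown in a few lines. This is an added example, not code from Zoom, Signal or the original post: it uses a toy Diffie-Hellman group and a toy cipher (both assumptions, unsuitable for real use) to show that a bridge which terminates each leg sees the plaintext, while a bridge that only relays an end-to-end encrypted blob cannot open it.

```python
import hashlib, hmac, secrets

# Toy Diffie-Hellman group, for illustration only (assumption: real products
# use vetted groups or X25519, and authenticate the exchange).
P, G = 2**521 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_key(priv, peer_pub):
    # Both sides compute the same value: (g^a)^b == (g^b)^a mod P.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(66, "big")).digest()

def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, msg):
    """Toy encrypt-then-MAC construction (not a production cipher)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def hop_by_hop(msg):
    """Client-to-server encryption: the bridge terminates both legs."""
    a, s1, s2, b = dh_keypair(), dh_keypair(), dh_keypair(), dh_keypair()
    leg1 = seal(dh_key(a[0], s1[1]), msg)        # Alice -> bridge
    seen = unseal(dh_key(s1[0], a[1]), leg1)     # bridge reads the plaintext
    leg2 = seal(dh_key(s2[0], b[1]), seen)       # bridge -> Bob
    return unseal(dh_key(b[0], s2[1]), leg2), seen

def end_to_end(msg):
    """Endpoints agree a key; an honest bridge only forwards bytes."""
    a, s, b = dh_keypair(), dh_keypair(), dh_keypair()
    blob = seal(dh_key(a[0], b[1]), msg)         # Alice -> Bob, via bridge
    seen = unseal(dh_key(s[0], a[1]), blob)      # bridge's own key fails
    return unseal(dh_key(b[0], a[1]), blob), seen
```

Each function returns what Bob received and what the bridge was able to read; recording and Skype bridging need the first model, because in the second the bridge's view is `None`.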

Back to Zoom. So what went wrong? Well, it looks like the marketing team got carried away. Until recently, if you hovered your mouse over the little ‘i’ button at the top-left of a Zoom call, it claimed “This call is end-to-end encrypted”. Now though, it claims “your client connection is encrypted”, which is a more reasonable claim, given their model.

In fact, pretty much all video conferencing tools use this approach. Cisco Webex appears to offer multi-party end-to-end encryption, but I suspect not, since their blog claims that this will ensure that “media streams are encrypted during sessions between Webex apps and the Webex cloud”… which is exactly how Zoom deliver their version of encryption. That’s not “end-to-end encryption”.

So end-to-end encryption is difficult and it doesn’t scale. That might be why none of the major players support it. Skype doesn’t. Jitsi doesn’t. Teams doesn’t. Slack doesn’t. Signal doesn’t. Hangouts Meet doesn’t.

Funnily enough, consumer products like Facebook’s WhatsApp, Apple’s Facetime and Google’s Duo all support end-to-end encryption! So how do they do it, when the enterprise clearly can’t? Very simply, they can do the encryption more easily because they control the platform. They also actually bridge the video to avoid the bandwidth issues, but thanks to the mathematics behind the encryption, they can’t view or modify it. Well, actually that’s not true – they technically could view/modify it, but only by acting maliciously against their own userbase. Given that these companies thrive on trust, it’s unlikely to be an issue.

And trust is key. What do you mean, you don’t trust Facebook…? You all use WhatsApp, don’t you? Or Instagram? If so, you trust Facebook.

What’s interesting about this Zoom headline (and really, all the other hyped headlines) is that the goal appears to be to attack that trust. Perhaps the damage has already been done? Time will tell. Certainly a huge number of schools and universities have already banned the use of Zoom in what I can only describe as an ignorant knee jerk. Certainly, I’d love to hear the specific unaddressed issues they have with Zoom and why they think any of the alternatives are better.

A number of zero-day vulnerabilities that attack the Zoom client

A zero-day vulnerability is one for which no patch exists. When a security researcher finds one, they are meant to follow “responsible disclosure” – they tell the affected company about the vulnerability and agree a deadline for a fix. In both cases, the researchers in question did not follow responsible disclosure, and went public immediately. Admirably, Zoom managed to patch both vulnerabilities within two days.

I have no respect for a “security professional” who doesn’t follow responsible disclosure. This was a simple attack on Zoom for (misguided) exposure, nothing more.

The vulnerabilities themselves were also pretty low impact. Both required that you were already an admin on the targeted Mac in question. And if you’re an admin on the Mac, then… well, attacking the Zoom client is probably pretty low on your list of priorities.

A privacy blow when recorded Zoom conferences were found on an open Amazon server

Zoom has the ability to record conferences. It turns out, you can even specify where they’re stored.

In the case of this appalling headline, a customer of Zoom’s decided to configure the service to store the recordings on an unsecured Amazon Web Services “S3 bucket”, a form of storage in Amazon’s cloud. Because the recordings use an easy-to-identify scheme for naming recorded videos, security researchers scoured the net for public examples and found this customer’s exposed S3 bucket, full of recordings.

Obviously, this isn’t Zoom’s fault. If you’re going to use cloud services, it’s up to you to secure them properly. But again, the media spin on this was that it was Zoom’s fault(!) for using an easy to identify naming convention…

By this point, my eyes are swivelling pretty hard at the obvious media hype machine looking for clicks by victimising the by-now-incredibly-popular Zoom.

Outrage that Zoom has a feature that the media dubbed “boss tracking”

This is a feature that notified the Zoom host if someone clicked away from the Zoom meeting window during a screen share. It’s handy for presenters to know what percentage of their audience is perceived to be “paying attention”. Frankly, there’s about a hundred reasons why you’d click away from a screen share, so this was a pretty useless feature anyway, in my opinion.

Frankly, I find it incredible that this made headlines and highlights the absolute frenzy that the media have whipped themselves into over this. It’s even more incredible that Zoom responded so quickly by disabling and removing the feature on April 2nd.

Calls routed through China

During normal operations, Zoom clients will attempt to connect to a series of primary datacentres chosen by perceived location (based on the client’s IP address). If primary servers are under load, Zoom have configured their client to try less-than-optimal servers instead. However, country-based geo-fencing should still be in operation even under extreme load, which should ensure that you always choose a server from a datacentre in your country.

An issue arose in February when, as a result of a massive surge in Chinese demand, Zoom added multiple new servers to their Chinese datacentre estate, but some of the new China servers were not properly blacklisted for ex-China use in their global balancing algorithm. As a result, some of those servers broke geo-fencing under heavy load and were allocated US-based calls. In effect, those US-only calls were routed via the Telstra-owned infrastructure in Beijing.

Zoom acted quickly to remove the servers from the global configuration, but Toronto-based University think-tank Citizen Lab had already published its findings.
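The failure described above is what a deny-list does when capacity is added faster than the list is updated. The following is an added, hypothetical model of such a balancer (it is not Zoom's algorithm; the server names, loads, thresholds and function names are constructed for the illustration), set beside an allow-list version that fails closed, plus an audit check for fence violations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Server:
    name: str
    region: str   # where the server physically is
    load: float   # 0.0 (idle) .. 1.0 (full)

# Constructed fleet: the US primaries are saturated, "cn-new-7" is new capacity.
FLEET = [
    Server("us-1", "US", 0.97), Server("us-2", "US", 0.99),
    Server("cn-1", "CN", 0.40), Server("cn-new-7", "CN", 0.05),
]
# Hand-maintained deny-list; nobody added "cn-new-7" to it.
DENYLIST_FOR = {"US": {"cn-1"}}
# Allow-list keyed on the region attribute every server must carry.
ALLOWED_REGIONS = {"US": {"US"}, "CN": {"CN"}}

def pick_denylist(client_region, fleet, threshold=0.9):
    """Weak design: under load, fall back to anything not explicitly denied."""
    primaries = [s for s in fleet
                 if s.region == client_region and s.load < threshold]
    if primaries:
        return min(primaries, key=lambda s: s.load)
    denied = DENYLIST_FOR.get(client_region, set())
    return min((s for s in fleet if s.name not in denied), key=lambda s: s.load)

def pick_allowlist(client_region, fleet, threshold=0.9):
    """Corrected design: the fence is applied before load is considered."""
    allowed = [s for s in fleet
               if s.region in ALLOWED_REGIONS.get(client_region, set())]
    if not allowed:
        raise LookupError("no server permitted for " + client_region)
    primaries = [s for s in allowed if s.load < threshold]
    return min(primaries or allowed, key=lambda s: s.load)

def geofence_violations(assignments):
    """Audit check: (client_region, server_name) pairs that crossed the fence."""
    return [(region, s.name) for region, s in assignments
            if s.region not in ALLOWED_REGIONS.get(region, set())]
```

With the constructed fleet, the deny-list picker sends a US client to `cn-new-7`, while the allow-list picker stays on the busy `us-1`; running `geofence_violations` over allocation logs is the kind of check that surfaces such a gap.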

It’s not a great look, particularly for the enterprise customers, but it’s hard to believe that this was done intentionally. Zoom is a global organisation and it’s unlikely that they can rely on China customers alone if something like this were to happen again.

 

 

Scaine has written 15 articles
