{"id":148,"date":"2020-04-08T15:59:25","date_gmt":"2020-04-08T15:59:25","guid":{"rendered":"http:\/\/scaine.net\/kb\/?p=148"},"modified":"2020-05-21T12:58:12","modified_gmt":"2020-05-21T12:58:12","slug":"zoom-in-the-media-spotlight","status":"publish","type":"post","link":"http:\/\/scaine.net\/kb\/the-internet\/zoom-in-the-media-spotlight\/","title":{"rendered":"Zoom in the media spotlight"},"content":{"rendered":"<p>At the start of the year, Zoom stock was worth $60 on the NASDAQ, before shooting up to $160 during the first week of COVID-19. However, since then, a constant string of allegations regarding the security and privacy of the product has pushed its value down significantly. Zoom stock is currently sitting at $115 down around $30 on April 7th.<\/p>\n<p>What happened? Let\u2019s break it down. In short, Zoom has suffered:<img decoding=\"async\" loading=\"lazy\" class=\"alignright wp-image-155\" src=\"http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/Zoom-Logo.jpg\" alt=\"\" width=\"318\" height=\"212\" srcset=\"http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/Zoom-Logo.jpg 600w, http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/Zoom-Logo-300x200.jpg 300w\" sizes=\"(max-width: 318px) 100vw, 318px\" \/><\/p>\n<ol start=\"1\" type=\"1\">\n<li>A poor reputation for taking advantage of Apple\u2019s OSX installer process (twice!)<\/li>\n<li>A Facebook data leak in its iOS app.<\/li>\n<li>An allegation that Zoom \u201cleaks your files\u201d on to the internet<\/li>\n<li>Zoom Bombing which I covered here.<\/li>\n<li>A misrepresentation of how a Zoom call is encrypted.<\/li>\n<li>A number of zero-day vulnerabilities that attack the Zoom client.<\/li>\n<li>A privacy blow when recorded Zoom conferences were found on an open Amazon server<\/li>\n<li>Outrage that Zoom has a feature that the media dubbed \u201cboss tracking\u201d.<\/li>\n<li>Calls which may have been routed through China.<\/li>\n<\/ol>\n<p>So why would you use this software, assuming 
alternatives like MS Teams, Cisco Webex or Google Meet exist? Well, I\u2019ll go into the detail of each of these issues below, but in summary, the vast bulk of these headline-grabbing issues are common to other video conferencing platforms or internet-connected services. Basically, Zoom is in the media spotlight right now, so that\u2019s what gets the clicks. Zoom Bombing is probably the biggest issue unique to its platform, but that&#8217;s trivially fixed by adding a password to your meeting invites &#8211; indeed, if you&#8217;re using the free version, that&#8217;s now the default behaviour anyway.<\/p>\n<p>If I were wearing my cynical hat (and in truth, I rarely take it off), I\u2019d suggest that the media reaction is fuelled by a combination of clickbait and competitive bitterness that the new kid on the block has taken off so spectacularly. I suspect that some of those competitors might be feeling a touch resentful at the moment, and doing everything in their power to tip the balance back to their own products.<\/p>\n<p>It\u2019s definitely amusing to see press releases from those competitors as they scramble to launch services and features which emulate the Zoom model, but presumably (hopefully!) without the snafus that Zoom have run into. For example, Microsoft Skype is now launching a video service \u201cSkype Meet\u201d which is largely identical to Zoom\u2019s model of clientless delivery. Similarly, Google has extended \u201cHangouts Meet\u201d for all GSuite users, and even privacy expert, The TorProject has chimed in to lend its support to open source wunderkid, Jitsi.<\/p>\n<p class=\"western\">I suppose the biggest issue on the list is arguably the China connection. 
You can read about this in detail, below, but given the obviously negative reaction this would garner, and how simple it is for security experts to detect, I genuinely believe that this was just an easily corrected mistake in the midst of massive upscaling to meet demand in that region.<\/p>\n<p>Zoom has definitely made some mistakes and sure, they could have done better before now. But this is what happens when a young (well, youngish) company is thrown into the spotlight like this. Ultimately we shouldn&#8217;t judge a company by how many allegations and issues are raised against it, but instead by its response to those allegations and issues.<\/p>\n<p>And in Zoom&#8217;s case, it&#8217;s done pretty well to respond positively to nearly every one of them.<\/p>\n<p>I&#8217;ll continue to use Zoom for the foreseeable future, but I&#8217;m not a Zoom apologist. If, in future, allegations are made that aren&#8217;t addressed, or which point to an underlying shift in culture at the company, I&#8217;ll be happy to change my tune and look for alternatives.<\/p>\n<p>But until I&#8217;m forced to do so, I&#8217;m very happy to continue to use Zoom.<\/p>\n<p>&nbsp;<\/p>\n<p>Here\u2019s the full breakdown for those interested.<\/p>\n<p><b><i>A poor reputation for taking advantage of Apple\u2019s OSX installer process (twice!)<\/i><\/b><\/p>\n<p>In order to make their installer as convenient as possible, Zoom used the preinstall facility of OSX to make its installer look like a regular system update. This isn\u2019t a great look, as it feels disingenuous to pass a third party app off as a system update. It does make the install process significantly simpler however, and it looks like Zoom is standing by its decision to use this method. 
Perhaps Apple will address the issue in future OSX updates and I suspect they might have to, since it\u2019s likely that other applications will follow this model if it\u2019s left unchecked.<\/p>\n<p><b><i>A Facebook data leak in its iOS app.<\/i><\/b><\/p>\n<p>If you used Facebook to login to the iOS Zoom app, unsurprisingly, Facebook were able to glean telemetry from the iPhone in question, things like the model you\u2019re using, its screen size, storage space and rough location data. It was probably uninteresting to them, since, as a Facebook user, you probably also had the Facebook app on your phone anyway which was already reporting that kind of data, in even greater detail.<\/p>\n<p>However, this was also true of the iOS app if you <em>didn\u2019t<\/em> login with Facebook. Or even have a Facebook account at all. Which is clearly a privacy issue and obviously not cool.<\/p>\n<p>However, this was traced to Facebook itself, not Zoom. Indeed, after being notified of the behaviour, Zoom pulled the Facebook SDK (software development kit) features from Zoom within a day or so. As far as I know, Facebook haven\u2019t responded to the situation, despite Zoom now <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-03-31\/zoom-sued-for-allegedly-illegally-disclosing-personal-data\">facing a civil lawsuit<\/a> over the integration.<\/p>\n<p><b><i>An allegation that Zoom \u201cleaks your files\u201d on to the internet<\/i><\/b><\/p>\n<p>Zoom automatically turned file paths (called UNC paths) into clickable links as a convenience feature. However, if a malicious user in your conference sent you an internet-based file path to their own server, <i>and you clicked on it<\/i>, it\u2019s conceivable that they might be able to capture a hash of your password when your computer attempted to open the file.<\/p>\n<p>What they\u2019re meant to do with that hash is anyone\u2019s guess, however. 
They\u2019d need access to your network in order to make use of it and frankly, if that\u2019s possible, you have bigger things to worry about than Zoom turning paths into links. Also, there was never any chance that Zoom was \u201cleaking your files\u201d. This was a shockingly spurious &#8220;vulnerability&#8221; with little to no impact generally.<\/p>\n<p>And all of this leads me to wonder why you&#8217;re inviting people you don&#8217;t trust into your conference, then blindly clicking links that they send you&#8230; so this gets my first official eye-roll of the day.<\/p>\n<p>However, regardless, Zoom disabled the functionality to appease the masses. It\u2019s also led to some security researchers suggesting that Internet Service Providers world-wide should \u201cstep up\u201d and finally ban UNC paths over the internet, so some good might actually come of this frankly pathetic attempt at clickbait.<\/p>\n<p><b><i>Zoom Bombing<\/i><\/b><\/p>\n<p>This is where hackers join random conferences by guessing the 9 or 10 digit Zoom conference ID, then stream inappropriate or shocking content to the audience. It\u2019s trivially bypassed by adding a password to your meeting, or through the use of the web interface to enable the Waiting Room feature. Zoom enabled passwords by default for all free accounts to combat this behaviour. This will remain an issue for Zoom as long as it courts the \u201cconvenience\u201d model of setting up a video conference. Their model was to emulate a phone call as closely as possible, so Zoom IDs are nowhere near as complex as the invites you see generated by competitors like Teams, GotoMeeting, or Webex.<\/p>\n<p><b><i>A misrepresentation of how a Zoom call is encrypted<\/i><\/b><\/p>\n<p>Oh boy. This\u2019ll take some explaining! In fact, it\u2019s practically a blog post in its own right. Long story short though, Zoom were in the wrong here and I\u2019m glad they fixed it so quickly. 
But as you\u2019ll discover, end-to-end encryption isn\u2019t something that other video conferencing tools do either. Now admittedly, they also don\u2019t try to pretend that they do, like Zoom did. But it turns out that end-to-end encryption is hard. Really hard.<\/p>\n<p>End-to-end encryption, sometimes referred to as E2EE, is where the caller and recipient share a secret key at the start of the call, then use that to encrypt all the video\/voice thereafter. How do they share a key over a public channel? Lots and lots of mathematics, much of it based on the Diffie-Hellman key exchange protocol, a thing called double ratchet hashing and a lot of work by Open Whisper Systems (the guys who make Whatsapp alternative, Signal) to bring it all together.<\/p>\n<p>It\u2019s a powerful privacy tool for 1-2-1 meetings. As you\u2019d expect it\u2019s extremely challenging to do end-to-end encryption for multi-party conferences. And to be clear, Zoom conferences are not end-to-end encrypted. They encrypt the call to Zoom, then they encrypt again from Zoom to the recipient. But that makes them a \u201cmiddle man\u201d in any conference and that\u2019s how they offer features like conference recording and Skype bridges.<\/p>\n<p>It\u2019s also a huge bandwidth saver, because unless you trust a third party to act as a bridge, every additional recipient on an end-to-end encrypted multi-party video call is sending and receiving that video <i>to\/from each recipient<\/i> on the call! It&#8217;s a mesh &#8211; it doesn\u2019t scale.<\/p>\n<p>Back to Zoom. So what went wrong? Well, it looks like the marketing team got carried away. Until recently, if you hovered your mouse over the little \u2018i\u2019 button at the top-left of a Zoom call, it claimed \u201cThis call is end-to-end encrypted\u201d. 
Now though, it claims \u201cyour client connection is encrypted\u201d, which is a more reasonable claim, given their model.<\/p>\n<p>In fact, pretty much nearly all video conferencing tools use this approach. Cisco Webex <em>appears<\/em> to offer multi-party end-to-end encryption, but I suspect not since <a href=\"https:\/\/blog.webex.com\/video-conferencing\/four-key-security-features-of-cisco-webex\/\">their blog<\/a> claims that this will ensure that \u201cmedia streams are encrypted during sessions between Webex apps and the Webex cloud\u201d&#8230; which is exactly how Zoom deliver their version of encryption. That&#8217;s not &#8220;end-to-end encryption&#8221;.<\/p>\n<p>So end-to-end encryption is difficult and it doesn\u2019t scale. That might be why none of the major players support it. Skype doesn\u2019t. Jitsi doesn\u2019t. Teams doesn\u2019t. Slack doesn\u2019t. Signal doesn\u2019t. Hangouts Meet doesn\u2019t.<\/p>\n<p>Funnily enough, consumer products like Facebook\u2019s WhatsApp, Apple\u2019s Facetime and Google\u2019s Duo all support end-to-end encryption! So how do they do it, when the enterprise clearly can\u2019t? Very simply, they can do the encryption more easily because they control the platform. They also actually bridge the video to avoid the bandwidth issues, but thanks to the mathematics behind the encryption, they can\u2019t view or modify it. Well, actually that\u2019s not true \u2013 they technically <i>could<\/i> view\/modify it, but only by acting maliciously against their own userbase. Given that these companies thrive on trust, it\u2019s unlikely to be an issue.<\/p>\n<p>And trust is key. What do you mean, you don&#8217;t trust Facebook&#8230;? You all use WhatsApp, don&#8217;t you? Or Instagram? If so, you trust Facebook.<\/p>\n<p>What\u2019s interesting about this Zoom headline (and really, all the other hyped headlines) is that the goal appears to be to attack that trust. Perhaps the damage has already been done? Time will tell. 
Certainly a huge number of schools and universities have already banned the use of Zoom in what I can only describe as an ignorant knee jerk. Certainly, I&#8217;d love to hear the specific unaddressed issues they have with Zoom and why they think any of the alternatives are better.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-153\" src=\"http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/roll-eyes-robert-downeyjunior.jpg\" alt=\"\" width=\"257\" height=\"244\" srcset=\"http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/roll-eyes-robert-downeyjunior.jpg 499w, http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/roll-eyes-robert-downeyjunior-300x285.jpg 300w\" sizes=\"(max-width: 257px) 100vw, 257px\" \/><\/p>\n<p><b><i>A number of zero-day vulnerabilities that attack the Zoom client<\/i><\/b><\/p>\n<p>A zero-day vulnerability is one for which no patch exists. When a security researcher finds one, they are meant to follow \u201cresponsible disclosure\u201d \u2013 they tell the affected company about the vulnerability and agree a deadline for a fix. In both cases, the researchers in question did not follow responsible disclosure, and went public immediately. Admirably, Zoom managed to patch both vulnerabilities within two days.<\/p>\n<p>I have no respect for a \u201csecurity professional\u201d who doesn\u2019t follow responsible disclosure. This was a simple attack on Zoom for (misguided) exposure, nothing more.<\/p>\n<p>The vulnerabilities themselves were also pretty low impact. Both required that you were already an admin on the targeted Mac in question. And if you&#8217;re an admin on the Mac, then&#8230; well, attacking the Zoom client is probably pretty low on your list of priorities.<\/p>\n<p><b><i>A privacy blow when recorded Zoom conferences were found on an open Amazon server<\/i><\/b><\/p>\n<p>Zoom has the ability to record conferences. 
It turns out, you can even specify where they\u2019re stored.<\/p>\n<p>In the case of this appalling headline, a customer of Zoom\u2019s decided to configure the service to store the recordings on an unsecured Amazon Web Services \u201cS3 bucket\u201d, a form of storage in Amazon\u2019s cloud. Because the recordings use an easy-to-identify scheme for naming recorded videos, security researchers scoured the net for public examples and found this customer\u2019s exposed S3 bucket, full of recordings.<\/p>\n<p>Obviously, this isn\u2019t Zoom\u2019s fault. If you\u2019re going to use cloud services, it\u2019s up to you to secure them properly. But again, the media spin on this was that it was Zoom\u2019s fault(!) for using an easy-to-identify naming convention\u2026<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-152\" src=\"http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/Flabergasted.jpg\" alt=\"\" width=\"355\" height=\"267\" srcset=\"http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/Flabergasted.jpg 500w, http:\/\/scaine.net\/kb\/wp-content\/uploads\/2020\/04\/Flabergasted-300x226.jpg 300w\" sizes=\"(max-width: 355px) 100vw, 355px\" \/><\/p>\n<p>By this point, my eyes are swivelling pretty hard at the obvious media hype machine looking for clicks by victimising the by-now-incredibly-popular Zoom.<\/p>\n<p><b><i>Outrage that Zoom has a feature that the media dubbed \u201cboss tracking\u201d<\/i><\/b><\/p>\n<p>This is a feature that notified the Zoom host if someone clicks away from the Zoom meeting window during a screen share. It\u2019s handy for presenters to know what percentage of their audience is perceived to be \u201cpaying attention\u201d. 
Frankly, there are about a hundred reasons why you\u2019d click away from a screen share, so this was a pretty useless feature anyway, in my opinion.<\/p>\n<p>I find it incredible that this made headlines, and it highlights the absolute frenzy that the media have whipped themselves into over this. It\u2019s even more incredible that Zoom responded so quickly by disabling and removing the feature on April 2<sup>nd<\/sup>.<\/p>\n<p><strong><em>Calls routed through China<\/em><\/strong><\/p>\n<p class=\"western\">During normal operations, Zoom clients will attempt to connect to a series of primary datacentres chosen by perceived location (based on the client\u2019s IP address). If primary servers are under load, Zoom have configured their client to try less-than-optimal servers instead. However, country-based geo-fencing should still be in operation even under extreme load, which should ensure that you always choose a server from a datacentre in your country.<\/p>\n<p class=\"western\">An issue arose in February when, as a result of a massive surge in Chinese demand, Zoom added multiple new servers to their Chinese datacentre estate, but some of the new China servers were not properly blacklisted for ex-China use in their global balancing algorithm. As a result, some of those servers broke geo-fencing under heavy load and were allocated US-based calls. In effect, those US-only calls were routed via the Telstra-owned infrastructure in Beijing.<\/p>\n<p class=\"western\">Zoom acted quickly to remove the servers from the global configuration, but Toronto-based University think-tank Citizen Lab had already published its findings.<\/p>\n<p>It&#8217;s not a great look, particularly for the enterprise customers, but it&#8217;s hard to believe that this was done intentionally. 
Zoom is a global organisation and it&#8217;s unlikely that they can rely on China customers alone if something like this were to happen again.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At the start of the year, Zoom stock was worth $60 on the NASDAQ, before shooting up to $160 during the first week of COVID-19. However, since then, a constant string of allegations regarding the security and privacy of the product has pushed its value down significantly. Zoom stock is currently sitting at $115 down [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":155,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_expiration-date-status":"saved","_expiration-date":0,"_expiration-date-type":"","_expiration-date-categories":[],"_expiration-date-options":[]},"categories":[3],"tags":[36,33,35,23,34],"_links":{"self":[{"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/posts\/148"}],"collection":[{"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/comments?post=148"}],"version-history":[{"count":10,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/posts\/148\/revisions"}],"predecessor-version":[{"id":163,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/posts\/148\/revisions\/163"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/media\/155"}],"wp:attachment":[{"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/media?parent=148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/categories?post=148"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/scaine.net\/kb\/wp-json\/wp\/v2\/tags?post=148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}