Popular Video Conferencing App 'Zoom' is Rife with Security Bugs and Maybe Infiltration by Chinese Communist Party
Chris R writes:
Saw this article today in the press and wonder if you knew, or could shed more light on it. Due to the lockdown in countries, Zoom, as you are aware, is becoming extremely popular with businesses for conference calling.
Keep up the excellent work with the Sigma FE 105mm f/1.4 DG HSM Art; could you show some more f/1.4 images and bokeh?
MPG: my information has been that most Zoom engineers are Chinese nationals, and that Zoom routes traffic through Chinese mainland servers. As such, I would never have used it as the foregoing is a guarantee that the Chinese Communist Party (CCP) has monitoring systems in place for intellectual property theft.
See TidBITS: Every Zoom Security and Privacy Flaw So Far, and What You Can Do to Protect Yourself for an excellent summary of flaws with Zoom.
In my view, this guarantees spying by the CCP (Chinese Communist Party), if only because of the lack of end-to-end encryption, even forgetting that Chinese nationals can be imprisoned or worse if they do not follow the direction of their CCP handlers.
To be clear: my view is that The Guardian is NOT a source I generally trust for balanced reporting, with a pronounced political bias leading to no effort spared to avoid discussing both sides of an issue. So in what follows, I expect any counter-evidence to be omitted. Still, it's hard to get around all the security references in this particular article.
The Guardian: ‘Zoom is malware’: why experts worry about the video conferencing platform
In the last month, there was a 535% rise in daily traffic to the Zoom US download page, according to an analysis from the analytics firm SimilarWeb. Its app for iPhone has been the most downloaded app in the country for weeks, according to the mobile app market research firm Sensor Tower. Even politicians and other high-profile figures, including the British prime minister, Boris Johnson, and the former US federal reserve chair Alan Greenspan, use it for conferencing as they work from home.
And on Thursday, the company announced it would freeze all new feature development and shift all engineering resources on to security and safety issues that have been called to attention in recent weeks. Here’s what you need to know about the challenges with Zoom:
‘Zoom bombing’ on the rise
On 30 March, the FBI announced it was investigating increased cases of video hijacking, also known as “Zoom-bombing”, in which hackers infiltrate video meetings, often shouting racial slurs or threats. Zoom meetings can be accessed by a short number-based URL, which can easily be generated and guessed by hackers, a January report from the security firm Checkpoint found. Zoom has released guidelines in recent days about how to prevent unwanted guests from crashing video meetings and a spokesman told the Guardian it had also been working to educate its users on protections through blogposts and webinars.
No end-to-end encryption
Zoom has falsely advertised itself as using end-to-end encryption, a system that secures communication so that it can only be read by the users involved, a report from the Intercept found. Zoom confirmed in a blogpost on Wednesday that end-to-end encryption was not currently possible on the platform and apologized for the “confusion” it caused by “incorrectly” suggesting the opposite.
A number of security flaws affecting Zoom have been reported in the past and as recently as this week. In 2019, it was revealed Zoom had quietly installed a hidden web server on user devices that could allow the user to be added to a call without their permission. And a bug discovered this week would enable hackers to take over a Zoom user’s Mac, including tapping into the webcam and hacking the microphone.
The company said on Thursday it had issued a release to fix the Mac issue, but the number of security issues with Zoom in the past make it as bad as malicious software, said Arvind Narayanan, an associate computer science professor at Princeton University. “Let’s make this simple,” he said. “Zoom is malware.”
In-app surveillance measures
Zoom has been criticized for its “attention tracking” feature, which allows a host to see if a user clicks away from a Zoom window for 30 seconds or more. This feature would allow employers to check if employees are really tuned into a work meeting or if students are really watching a classroom presentation remotely.
Selling user data
A report from Motherboard found Zoom sends data from users of its iOS app to Facebook for advertising purposes, even if the user does not have a Facebook account.
MPG: the claims made by the Guardian article make Zoom look like it ought to be avoided by anyone in their right mind. Assuming these claims are accurate, trust has been forever damaged—these are not honest mistakes and they go beyond incompetence to by-design. Therefore, here in 2020, Zoom deserves the corporate death penalty, to be banned outright as a national security threat.
Jeff K writes:
It's possible that you've seen these links on Zoom; they'll just confirm what you already know about the app:
The hidden web server issue was our last straw in 2019, but many corporates would not abandon the app. That's changing now, and they are dumping Zoom.
MPG: Bruce Schneier is an expert and I recommend his assessment as a go-to source.