Friday, April 10, 2020

Every Zoom Security and Privacy Flaw So Far

Glenn Fleishman:

TidBITS contacted Zoom for its insights about how it has handled security and privacy issues, but the company didn’t reply. As I finished this article and in a few days that followed, however, Zoom publicly responded to disclosures of new security problems. The first response, unlike most previous ones, was a blog post with an apology and a full explanation. A subsequent post laid out the company’s plans for how it will improve its software and its culture around security and privacy. It’s a glimmer of hope for the future. A third responded to a privacy group’s investigation into the company’s weak choices in encryption algorithms and in routing some meeting traffic through China for non-Chinese participants. The rapid response and general frankness were in stark contrast to earlier behavior.

In this article, I walk through the many software, security, and privacy issues Zoom has encountered and its response to each.

This is really thorough.

See also: Hacker News (2, 3, 4).

Barbara Krasnoff:

We recently ran a roundup of some of the free videoconferencing apps available, including Zoom. Since so many questions have come up about Zoom’s security, we’ve decided to run the roundup again, this time excluding Zoom and adding other apps that you can use instead.

[…]

There are a number of apps we have not included, such as Facebook, WhatsApp, and FaceTime, that allow you to do video chats; they either require that all participants be members (Facebook, WhatsApp) or that you use a specific type of device (FaceTime, which is Apple-only). The following list includes more generalized applications that allow you to participate without having to actually register for the app (unless you’re the host).

Nick Heer:

It’s right to more heavily scrutinize Zoom as it plays a pivotal role in our self-isolated current state of affairs. But what are the alternatives? Fleishman compiled those, too, but even he acknowledged at the time that it “has emerged as the clear winner for large groups”. Competing options can be pricey — particularly for underfunded organizations like charities and schools. Most of these tools are also designed for businesses; they may not work as well as Zoom in a classroom context. It is critically important that Zoom gets this right, or security professionals are going to increasingly recommend that it be avoided entirely.

Pranav Dixit (via Hacker News):

Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.

Update (2020-04-15): Ben Matasar (via Eric Blair):

Problems with Zoom:

- don’t always take security and privacy as seriously as I’d like
- privacy features aren’t very discoverable

Problems with alternatives to Zoom:

- hearing people
- seeing people
- connecting to calls

George Snow has posted some AppleScripts for adding and removing permissions for the camera and mic. He uses FastScripts to override Command-Q in Zoom so that he can quit the app and prevent it from recording anything with a single command.

Update (2020-04-23): Natasha Singer and Nicole Perlroth (Hacker News, Slashdot):

One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom’s software that could have allowed attackers to covertly control certain users’ Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

[…]

The former Dropbox engineers, however, say Zoom’s current woes can be traced back two years or more, and they argue that the company’s failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took the unusual step of policing Zoom’s security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom’s software code and that of a few other companies.

Joe Basirico:

Zoom is an interesting case study in the various ways that software can fail. The Zoom team has had to learn a lot of lessons quickly, including the pitfalls of reusing components, figuring out how to make security engineering improvements to their SDLC and DevOps processes, and the need for a CISO leadership team.

In this article I want to walk you through some of the issues that were recently publicized. I’ll break them into categories to understand the mistakes made and the subsequent decisions that were necessary. There has been a bit of a pile-on with security professionals each taking their turn to tell Zoom how they could have done better. Some of the issues that were uncovered are truly concerning, while others are natural tradeoffs between security and usability. In some cases, Zoom was actually following best practices (like reusing components), but got bitten anyway.

See also: Lessons for Zoom from Chatroulette, the original live video site.