Zooming into Zoom
When it rains, it pours, and cybercriminals are uncannily attuned to zooming into every misfortune (read: pandemic) to exploit, conquer and persist in their victims’ environments.
Let me explain.
I refer to the mass behaviour change businesses and individuals are undergoing – confined to their homes instead of going to the office and moving from place to place to carry out their usual activities.
One example of what happens can be found in a Nokia report about strict lockdowns in western Europe. It states, “It comes as little surprise that use of messaging applications and streaming services has increased exponentially in the past two weeks. Indeed, the rates of growth are eye-wateringly high in some cases.”
An earlier article published on EITN also states that telco networks are experiencing a surge in Internet usage of between 30 and 50 percent, as well as an exponential increase, by 300 percent, in usage of apps like Skype or Zoom.
As an active practitioner of the WFH movement now, I can say with certainty that a 300-percent increase in web conferencing usage is a very conservative figure, which will increase at least a few times over in the near future.
Another way to look at the pandemic crisis is that it’s an opportunity to leverage digital tools, and in some ways accelerate use of digital technologies.
Cybersecurity vendors know this too, and the cautionary measures they currently urge businesses and consumers to take include the following, in no particular order:
- Look into your work from home (WFH) policies
- Look into your employees’ device security
- Look into your DNS security
- Look into your VPN security
The list is seemingly endless, but you get the idea. With people now having to work from home, previously unused networks have to shake off the dust and rust to handle more Internet traffic from work.
Confined to the house for all 24 hours of the day, I have found myself turning to web-conferencing for work and even non-work purposes. People around me are using it to virtually catch up with friends, and are concocting new ways to carry on with activities they usually do in the physical world – meetings, collaborations, drinks, exercise, prayer, etc.
And the one application that I, my friends and my co-workers have found ourselves repeatedly using, because of its convenience, is Zoom.
But as mentioned earlier, when it rains, it pours. Security researchers have also tuned into our usage of the web conferencing service and turned their undivided attention towards Zoom.
Dismal security and privacy record
TechCrunch lists a series of discoveries about Zoom that should dim our enthusiasm for it. Here they are, in no particular order:
- Contrary to claims, Zoom video calls are not encrypted end-to-end. Zoom responded to this in a blog post dated 1 April, here.
- At least thousands of emails have been leaked, because of how Zoom treats personal email addresses
- Zoom did not disclose that it installed a secret web server on users’ Macs, and then failed to remove it when the client was uninstalled. Its Mac app will apparently download itself without any user interaction.
- Zoom wanted the researcher who discovered this to sign an NDA
- Zoom was quietly sending data to Facebook about user and non-user habits, right down to their device model and phone. CEO Eric Yuan explains in a blog post here.
All of the above points to a lack of transparency on Zoom’s part, which intentionally or unintentionally obfuscates how it works, how it handles sensitive private data, and what it is doing to secure it, if at all.
Due to all the recent attention, however, Zoom now appears to be working down the list and addressing these concerns where it can, via blog posts dating from 20 March 2020 onwards. This came a day after an advocacy group, Access Now, called for Zoom to release a transparency report about how it handles user data.
All this would be well and good for Zoom users moving forward, were it not for the two latest zero-day bugs found by a Jamf security researcher, Patrick Wardle.
Sharing the “love” with Windows
The first is a vulnerability that leads to escalation to root privileges. In layman’s terms, without permission from the Mac user, an attacker can access the operating system and, for example, run malware or spyware.
A second bug he discovered enables an attacker to gain the same access as Zoom to a user’s mic and webcam.
In case you are thinking Zoom’s vulnerabilities only affect Apple product users, you are sadly mistaken.
Because of the way Zoom chat handles UNC (Universal Naming Convention) links, when a user clicks such a link in Zoom chat, Windows will leak the user’s Windows login name and password. By clicking on a link, a victim may also, without realising it, launch malicious programmes on their computer.
There is more information, as well as a guide to work around this, here.
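As an added illustration (not from the original article, the linked guide or Zoom), this Python example shows how a chat gateway or log reviewer could flag and defang UNC paths that point outside an allow-list of internal file servers. The `.corp.example` suffix, the function names and the sample messages are assumptions constructed for the example.

```python
import re

# Constructed allow-list (assumption): DNS suffix of the organisation's own file servers.
TRUSTED_SUFFIXES = (".corp.example",)

# \\host\share[\path]; the host may carry WebDAV qualifiers such as @SSL or @8080.
UNC_RE = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.-]+)(?:@[A-Za-z0-9]+)*"
    r"\\(?P<share>[^\\\s]+)(?P<path>\S*)"
)

# Constructed sample chat messages (not real traffic).
SAMPLES = [
    r"notes are at \\files.corp.example\team\q1.docx",
    r"click \\203.0.113.7\share\cat.jpg now",
    r"slides: \\Evil.test@SSL\dav\deck.pptx",
]


def find_unc_paths(text):
    """Return (host, share, path) for every UNC path in a chat message."""
    return [(m["host"].lower(), m["share"], m["path"])
            for m in UNC_RE.finditer(text)]


def is_trusted(host):
    """Trust only names under an allow-listed suffix; bare names and IPs are not trusted."""
    return host.endswith(TRUSTED_SUFFIXES)


def review_message(text):
    """Replace UNC paths to untrusted hosts with a non-clickable marker.

    Returns the sanitised text and the list of untrusted hosts found.
    """
    findings = []

    def _defang(m):
        host = m["host"].lower()
        if is_trusted(host):
            return m.group(0)          # leave internal shares untouched
        findings.append(host)
        return "[blocked UNC path to " + host.replace(".", "[.]") + "]"

    return UNC_RE.sub(_defang, text), findings


if __name__ == "__main__":
    for msg in SAMPLES:
        print(review_message(msg))
```
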
A majority of Zoom’s faux pas at the moment are potential scenarios that could happen (or are happening quietly!) if Zoom does not fix its security holes.
Zoom users must adapt, or find alternatives.