Security and Privacy Implications of Zoom - Schneier on Security:
Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.
In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.
Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.
Now security: Zoom's security is at best sloppy, and malicious at worst. Motherboard reported that Zoom's iPhone app was sending user data to Facebook, even if the user didn't have a Facebook account. Zoom removed the feature, but its response should worry you about its sloppy coding practices in general:
"We originally implemented the 'Login with Facebook' feature using the Facebook SDK in order to provide our users with another convenient way to access our platform. However, we were recently made aware that the Facebook SDK was collecting unnecessary device data," Zoom told Motherboard in a statement on Friday.
Finally, bad user configuration. Zoom has a lot of options. The defaults aren't great, and if you don't configure your meetings right you're leaving yourself open to all sort of mischief.
Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it's in the spotlight, it's all coming out. (Their 4/1 response to all of this is here.) On 4/2, the company said it would freeze all feature development and focus on security and privacy. Let's see if that's anything more than a PR move.
Previously:
(2020-04-02) Elon Musk's SpaceX Bans Zoom over Privacy Concerns
(2020-03-28) Now That Everyone's Using Zoom, Here Are Some Privacy Risks You Need to Watch Out For
(2020-03-27) School Quits Video Calls After Naked Man ‘Guessed’ the Meeting Link
(2020-03-23) Work from Home Pwn2Own Hackers Make $130,000 in 48 Hours from Windows 10 Exploits
(2020-03-21) Homeschooling Resources
(2020-03-14) Student Privacy Laws Still Apply if Coronavirus Just Closed Your School
Related Stories
Student privacy laws still apply if coronavirus just closed your school:
Hundreds of colleges and universities are suddenly shutting their doors and making a rapid switch to distance learning in an effort to slow the spread of novel coronavirus disease. Likewise, hundreds of K-12 districts nationwide have either already followed suit or are likely to in the coming days.
[...] Even when all of the immediate logistical and technical needs have been triaged and handled, though, there remains another complicating factor. While the United States doesn't have all that much in the way of privacy legislation, we do, in fact, have a law protecting some student educational data. It's called the Family Educational Rights and Privacy Act, or FERPA.
FERPA applies to both written and digital student records. For students under age 18, the provisions about what may (or must) be shared or not shared apply to their parents or guardians. Once a student turns 18, the protections transfer to them directly. The provisions also apply directly to any student enrolled in a college, even if that student is not yet 18 (such as in community college dual-enrollment programs for high school juniors and seniors).
The act prohibits "improper disclosure" to third parties of personally identifiable information (PII) derived from student records. Schools are not prohibited from allowing vendors access to information for the purpose of providing services—you can use third-party digital tools for administrative and educational purposes without being in violation of the law. But the school may then be held responsible if the vendors then do shady things with student data.
[...] Software platforms allowing videoconferencing, recording, and screen sharing have all seen a massive spike in use in recent weeks. Microsoft, Google, Slack, and Zoom are all offering discounts or extra features to businesses, groups, and individuals to help with the everything from home era in which we (hopefully temporarily) find ourselves. Not all of those tools, many of which are designed for enterprise use, are necessarily going to be compliant with educational regulations.
[...] In 2013, a group of students sued Google over its "creepy" data-mining from Google Apps for Education tools. Google ended the practice in 2014, only to be sued again in 2016 by a group of current and former university students alleging their data was collected and retained from their Google academic accounts in violation of the Electronic Communications Privacy Act.
Some local schoolboards have already rolled out full remote learning curricula, starting Monday (seems to me there have been plans in the works for years to make something like this happen this fast.) Others appear flat-footed and clueless. We did some homeschooling with our kids a couple of years ago, and the one website that really clicked with us was (shameless plug) https://ixl.com .
I know we had a Soylent story just over a week ago asking for alternatives to the ubiquitous (and well deserved first place recommendation) Khan. Now that it's a little less abstract, and looking more certain that the kids won't be returning to physical school buildings until the fall... what do you look for in online learning services?
Our criteria were: easy for the kids to self-learn the material as presented, easy to track progress and identify areas where extra instruction might help, clear documentation of subjects covered and relative mastery of each, easy for kids to self-select appropriate subject areas to study, reasonable cost.
Khan certainly presents material clearly, and the cost can't be beat, but we found IXL to be superior in the other areas, and when you think about the tremendous number of hours invested by you and your kids in the learning system, the cost isn't really significant ($20/month for one, $24 for two).
Has anybody else taken a serious plunge into online learning and found something "better than Khan" for your purposes?
[Ed. addition follows. --martyb]
See our previous story: Student Privacy Laws Still Apply if Coronavirus Just Closed Your School and take a close look at future provider's security and privacy practices. From the article linked to in the previous story https://arstechnica.com/tech-policy/2020/03/watch-out-for-privacy-pitfalls-if-your-school-is-suddenly-online-only/:
Work From Home Hackers Make $130,000 In 48 Hours From Windows 10 Exploits:
Those of you who follow my reporting may already be familiar with Pwn2Own, a series of hacking events that test some of the most talented hackers across the world. These elite security researchers have been trying to exploit popular software, hardware and services since 2007 in exchange for the kudos. And money. Lots of money. In November 2019, during the Pwn2Own Tokyo event, a total of $315,000 (£270,300), including one hacking group which earned $80,000 (£68,500) for hacking the Samsung Galaxy S10. Twice. That hacking group was Team Fluoroacetate, Amat Cama and Richard Zhu, who ended up earning a total of $195,000 (£167,000) and the coveted "Master of Pwn" title by the time the event was over. It looked like these master hackers wouldn't be able to defend that title as coronavirus travel restrictions, and fear of infection, threatened to cancel the Pwn2Own 2020 event taking place at the CanSecWest cybersecurity conference in Vancouver, Canada.
They need not have worried, as the event went virtual for the first time. This involved the various hackers submitting exploits in advance to the Pwn2Own organizers, who then ran that code during a Zoom live stream involving all the participants. The Zero Day Initiative that runs the Pwn2Own event said: "The world right now is a tumultuous place full of uncertainty. It is communities, such as the security research community and the incident response community, that we can rely on during these trying times. We are so appreciative of all those who helped the event come together and succeed."
The work from home hackers from Team Fluoroacetate certainly succeeded, winning the Master of Pwn title once again, along with that $130,000 bounty. While the full details of how they exploited Windows 10 and Adobe Reader will not be made public for 90 days to allow the vendors to produce security patches, I can tell you what they did in broad terms.
For the curious, here is Wikipedia's entry on sodium fluoroacetate, a poisonous substance with no known antidote.
School quits video calls after naked man 'guessed' the meeting link – TechCrunch:
A school in Norway has stopped using popular video conferencing service Whereby after a naked man apparently "guessed" the link to a video lesson.
According to Norwegian state broadcaster NRK, the man exposed himself in front of several young children over the video call. The theory, according to the report, is that the man guessed the meeting ID and joined the video call.
One expert quoted in the story said some are "looking" for links.
Last year security researchers told TechCrunch that malicious users could access and listen in to Zoom and Webex video meetings by cycling through different permutations of meeting IDs in bulk. The researchers said the flaw worked because many meetings were not protected by a passcode.
Now that everyone's using Zoom, here are some privacy risks you need to watch out for:
Now that you've finished choosing your custom Zoom background, mercifully sparing your fellow workers-from-home the sight of a growing pile of gym socks behind your desk, you might think you've got a handle on the conference call software du jour. Unfortunately, there are a few other data security considerations to make if you want to hide your dirty laundry.
Privacy experts have previously expressed concerns about Zoom: In 2019, the video-conferencing software experienced both a webcam hacking scandal, and a bug that allowed snooping users to potentially join video meetings they hadn't been invited to. This month, the Electronic Frontier Foundation cautioned users working from home about the software's onboard privacy features.
[...]Here are some of the privacy vulnerabilities in Zoom that you should watch out for while working remotely.
[...] Tattle-Tale
Whether you're using Zoom's desktop client or mobile app, a meeting host can enable a built-in option which alerts them if any attendees go more than 30 seconds without Zoom being in focus on their screen.
Elon Musk's SpaceX bans Zoom over privacy concerns-memo
[...] In an email dated March 28, SpaceX told employees that all access to Zoom had been disabled with immediate effect.
"We understand that many of us were using this tool for conferences and meeting support," SpaceX said in the message. "Please use email, text or phone as alternate means of communication."
[...] NASA, one of SpaceX's biggest customers, also prohibits its employees from using Zoom, said Stephanie Schierholz, a spokeswoman for the U.S. space agency.
The Federal Bureau of Investigation's Boston office on Monday issued a warning about Zoom, telling users not to make meetings on the site public or share links widely after it received two reports of unidentified individuals invading school sessions, a phenomenon known as "zoombombing."
Also consider that one way to claim to have "end to end encryption" is to simply re-define the term. Zoom Meetings Aren't End-to-End Encrypted, Despite Misleading Marketing:
Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.
With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.
Zoom admits data got routed through China - Business Insider:
In a statement late Friday, Zoom CEO Eric Yuan admitted to mistakenly routing calls via China.
"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began," Yuan said. "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
He did not say how many users were affected.
During spells of heavy traffic, the video-conferencing service shifts traffic to the nearest data center with the largest available capacity – but Zoom's data centers in China aren't supposed to be used to reroute non-Chinese users' calls.
This is largely due to privacy concerns: China does not enforce strict data privacy laws and could conceivably demand that Zoom decrypt the contents of encrypted calls.
Separately, researchers at the University of Toronto also found Zoom's encryption used keys issued via servers in China, even when call participants were outside of China.
[...] Zoom has faced multiple high-profile security issues in recent weeks as it struggles to cope with an unprecedented surge in traffic and new users.
Zoom did not immediately respond to Business Insider's request for comment and clarification.
(Score: 4, Funny) by Anonymous Coward on Saturday April 04 2020, @04:00PM (1 child)
Wait until the next release of systemd which has videoconferencing built in. Poettering's already got the audio driver written.
(Score: 0) by Anonymous Coward on Sunday April 05 2020, @02:26AM
Oh yeah, I can't wait, systemd - Now featuring GNU/LINUX
(Score: 0) by Anonymous Coward on Saturday April 04 2020, @04:00PM
The concepts were too old, they died of COVID infection.
(Score: 4, Interesting) by gtomorrow on Saturday April 04 2020, @04:04PM (14 children)
...how can this Zoom app (which honestly I'd never even heard of until this global quarantine) can "come out of nowhere"* and have so many active users while "nobody" uses Signal, which has the same functions and has security built in?! Even Whatsapp would be better than Zoom. For Pete's sake, even Skype!
* Yes, I know, Zoom exists since 2011
(Score: 1, Insightful) by Anonymous Coward on Saturday April 04 2020, @04:43PM
They bought lots of media coverage. Then toilet paper effect happens. Now they pay price for lying.
(Score: -1, Troll) by Anonymous Coward on Saturday April 04 2020, @04:46PM (3 children)
It's a Khazar Jew spy tool. Zoom paid the Jewish media to promote it and now Mossad gets to view everything done on it.
(Score: 0) by Anonymous Coward on Saturday April 04 2020, @04:52PM (1 child)
SoylentNews is Jewish media?
(Score: 0) by Anonymous Coward on Saturday April 04 2020, @10:24PM
SoylentJews
(Score: -1, Flamebait) by Ethanol-fueled on Saturday April 04 2020, @10:47PM
It's a Chink spy tool.
Khazar Jews already get everything direct from the NSA and the "management engines" of your computers.
(Score: 3, Interesting) by Anonymous Coward on Saturday April 04 2020, @06:25PM (5 children)
Neither Skype not Signal were designed for large (20+) conference calls, I don't know if it even works.
Signal also requires you to have a phone number (and not sure you can use it on your desktop at all for video calls), so it seems entirely useless for this use-case, I have no idea why you would claim it has the same features?
(Score: 2) by gtomorrow on Saturday April 04 2020, @07:42PM (2 children)
I stand corrected. I wasn't aware of its en masse privacy-rape capability. Signal/Whatsapp/Skype all handle ~4-6 participants if I'm not mistaken.
(Score: 2) by Grishnakh on Sunday April 05 2020, @02:24AM (1 child)
4-6 participants is useless when you're trying to do a department-wide conference call, or any other large group activity.
(Score: 2) by gtomorrow on Sunday April 05 2020, @09:08AM
Yeah...I get it. Easy, killer.
(Score: 2) by dw861 on Monday April 06 2020, @01:03AM (1 child)
For what it is worth, Skype will support 50 people on its group calls. Only half that of Zoom.
https://www.skype.com/en/features/group-video-chat/ [skype.com]
Frustratingly, Zoom is now being used for things that, until quite recently, simply happened on the phone. I don't understand this. Possibly some people are simply that starved for visual human contact.
(Score: 0) by Anonymous Coward on Monday April 06 2020, @08:11PM
It is because bosses don't trust the workers. When they are on the phone, the employee can have them on speakerphone and muted and do whatever they like. With the webcam, the boss can be better assured you are actually paying attention.
(Score: 1, Informative) by Anonymous Coward on Saturday April 04 2020, @07:41PM
They've slowly took over because back when they started, they really did do most things better. Then it was just the network effect of people recommending it over the alternatives. In addition, they heavily invested in the educational space. This means all the new graduates got used to Zoom and brought it to their new jobs. Now that many companies are required to use some sort of teleconference software, its no real surprise they chose this one.
(Score: 0) by Anonymous Coward on Sunday April 05 2020, @02:05AM (1 child)
Signal does not run on Desktop. They have a Linux/Mac/Windows client, but it requires installing on a smartphone first, and any use of the software requires confirming a phone number. It's totally unusable for me.
I'm looking for free/open source software that can do low-latency high-framerate screen sharing. But Signal is not it.
(Score: 2) by gtomorrow on Sunday April 05 2020, @09:15AM
...and then you say...
🤔 Lay off the "controlled substances" when posting. In regards to requiring a phone number, well, you decide what's right for you. Then again, Google/Apple/Facebook/Ebay/Paypal/ad infinitum is busting my chops continually for a phone number too.
I'm looking for a tool that will merge two pieces of metal via an intense heat. But a hammer is not it.
(Score: -1, Redundant) by Anonymous Coward on Saturday April 04 2020, @04:04PM
Who gives a shit? Many, and probably most, of us here have never heard of this software before covid.
Stop feeding into news meme cycles. Cover something more interesting. Or... just don't post anything if there are no good stories.
(Score: 0) by Anonymous Coward on Saturday April 04 2020, @04:09PM
China is asshole! [theintercept.com]
(Score: 1, Insightful) by Anonymous Coward on Saturday April 04 2020, @07:01PM (4 children)
Don't use non-free proprietary user-subjugating software. Sure, they could improve the security of the software against outside actors, but when you use proprietary software, the developers are your masters. It's possible for them to change the software at any time to add more malicious functionality or simply refuse to fix existing malicious functionality, and all you can do is stop using, which everyone should do anyway.
(Score: 2) by gtomorrow on Saturday April 04 2020, @07:44PM
-1 Preaching to the choir
(Score: 2) by MostCynical on Saturday April 04 2020, @08:08PM
People wil use whatever is easiest, or whatever their friends are using, so long as it isn't too difficult.
People are 1. Lazy and 2. Herd-like
if there is something "better" out there, what is it?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by Grishnakh on Sunday April 05 2020, @02:27AM (1 child)
Free software is great if it's actually available as a workable alternative. But for some functions, Free alternatives simply do not exist, and I'm pretty sure this is one of them. Generally speaking, any service that requires software running on a heavy-duty server connected to the internet with a fat pipe is not going to have any kind of Free alternative: it isn't just the software you need, you need the hardware infrastructure as well, and no one's going to run all that stuff for free.
(Score: 0) by Anonymous Coward on Sunday April 05 2020, @02:55AM
To me, freedom is a must. If no suitable Free Software exists for some task, then I still won't use proprietary software.
But even when Free Software exists to fulfill some purpose, people complain that it doesn't have enough "features," which is how you know they're completely missing the point. This is one of those cases.
Schools in particular should never use proprietary software, since it's completely antithetical to independence and education, which are values that schools should promote.
Unnecessary. They could charge for the use of their hardware itself, even if the software is Free Software.
Though, doing too much of your computing on someone else's computers has other obvious issues.
(Score: 3, Informative) by arubaro on Saturday April 04 2020, @10:44PM (1 child)
i am a professor at an university without a big budget. My colleagues and me have tried some alternatives, but almost all are using zoom at this moment.
the reasons? lack of better alternatives.
For example, moodle has a built in option for teleconferences (a nice one in fact, with several option good for teaching), but... you need a decent bandwidth form the university, that we lack
(you need to support some thousand student watching at the same time different courses). that was the main tool we used, until now.
jitsi meet have some features, but not as many as zoom.
also zoom is free as in beer (at least for 99 or less students attending the course), if you don't mind to stop the class every 40min, and take a break is not so a bad thing.
and finally: zoom is easy to use, meaning that someone without computer background can easily share screen, manage students speaking, etc...
the quarantine has taken lots of institutions of guard, and IT departments (if they had), had to offer a quick solution easy to use.
if someone has an alternative, lot of us are willing to try,
(Score: 4, Interesting) by bzipitidoo on Saturday April 04 2020, @11:21PM
That's a bit deflating. I've just been tasked with finding video conferencing that works, is secure, available on many platforms, and easy to use. My tentative searches haven't turned up anything other than a whole lot of questions. There are a couple dozen. Whether any of them are good enough is hard to say. Meanwhile, they made a snap decision to run with VSee, and instantly ran into problems. Acts wonky. You think you've logged in, and then, when the browser finishes loading, you see only the login page again. In browsers, VSee uses Flash. Yuck.
Multicasting is part of IPv4, but I understand it's uncommon. I don't know which platforms have that in their IP stack. Without broadcasting capability at the network level, video conferencing with many participants is more technically challenging. Also, the codecs are pretty important. Should use Opus for the audio. AV1 might be a good choice for the video, if it wasn't so relatively new. It may be that there is no really good video conferencing solution, because the underlying tech isn't there.
(Score: 2) by Snotnose on Sunday April 05 2020, @12:32AM
they advertise end to end encryption. Turns out it's encrypted from you to their servers, where it's decrypted and stored. Then re-encrypted to send to the other party.
IMHO, if that isn't criminal behavior, then it should at least be enough that anyone in their right mind runs like hell from it.
When the dust settled America realized it was saved by a porn star.