Wednesday, April 8, 2020

Let's Make This Simple: Zoom Is Malware

Submitted by Mark Jeftovic, founder of EasyDNS
We've covered Zoom in these pages before. Back in #AxisOfEasy 104 it turned out that the Zoom installer was installing mini-web servers on your computer, and it wasn't even taking them off when you uninstalled Zoom, leaving your device open to all manner of vulnerability. It took Apple acting on its own, pushing out an unscheduled update, to fix Zoom's problem before Zoom got to it.
Last week we outlined how Zoom was sending telemetry data about you to Facebook, even if you don't have a Facebook account.
In the intervening week, all sorts of data points and news items came out about Zoom's privacy issues (or rather, its lack of privacy):
  • On April 1st, a (former NSA) hacker released two new Zoom 0-days that enable a hacker with local access to a Zoom session to take over the software to install malware.
  • The next day, Krebs on Security reported on the fast-spreading "Zoom Bombing" phenomenon, where pranksters and miscreants were war dialing Zoom rooms, looking for ones without password protection and crashing the meetings, hurling insults and profanities at the participants.
  • It gets worse: it turns out Zoom Bombing is a thing now, so the perpetrators are recording videos of their antics and releasing them on TikTok and who knows where else.
  • On the very next day (the cat came back....) it emerged that, because of the naming scheme Zoom uses to create the files of video recordings participants make of their sessions, those recordings were easy to find and access on the web.
  • Toronto's Citizen Lab reverse engineered the Zoom client and found that Zoom had "rolled their own encryption scheme" and that it's pretty lousy encryption. Their report is here.
  • Arvind Narayanan, a professor of Computer Science at Princeton, distilled it down thusly: "Let's make this simple: Zoom is Malware."
All of which has culminated in the Attorneys General of at least two US states (so far) launching investigations into Zoom's privacy protections (or lack thereof).
Here at easyDNS we are working to facilitate video conferencing and remote collaboration tools for you and your teams and families. We're relying on open source tools like Matrix and Jitsi that use peer-reviewed, publicly accepted encryption techniques, and we will seek to put the data under your control and nobody else's. Watch this space.