The ‘Zoombombing’ Saga Is Just Beginning — And The Heroic Open Source Video Conferencing Alternatives
By Cristian Duque
April 22, 2020
Zoom found itself as the instant savior, and immediately after, the villain, in our new working and learning arrangements. If found itself pray of the short-lived optimism of the markets —achieving a $35 billion capitalization, on paper as valuable as Xiaomi, Activision or Nissan— after becoming synonymous with virtual classrooms and meetings. Numerous concerns and cybersecurity risks have cropped up. But are they merited?
This article was first published by LMSPulse.
What are the accusations?
Indiscriminate collection of private data
The free version of Zoom is being used to collect unreasonable amounts of personal user information. Security researcher and policy analyst Bruce Schneier pointed out that the user policy entitled Zoom to use this information for basically any kind of commercial purpose, including selling it to third parties. On top of it, the Facebook app used to collect all sorts of information about the computer and telemetry data. Before the software was updated, this would happen whether the user had a Facebook account or not. (This still happens if the user hasn’t updated Zoom recently.) Similar data collection and sharing is known with LinkedIn and Windows applications. Some users have also reporting stumbling upon lots of personal information from other users from the app, with little effort.
Zoom changed the policies on March 29, along with a series of blog posts and public statements. The changes clarify that there is no personal data selling at this point, but it is still being collected.
‘Zoombombing’: Strangers showing up in the middle of online classroom
Related convenience, as well to the lax security practices, malicious actors are able to try and find access to Zoom rooms and meetings where anyone with the link can join, speak and share their screen. You could even get ahold of “zWarDial,” an app that tries to guess unsecure Zoom rooms at random with a reported 4% success rate. Developed by “white hat” researchers (aka good guys), it allowed to collect key data about the meeting and in some cases personal information supplied by the host.
The level of trolling and abuse this feature allows has only human imagination at the limit. More serious argument deem this a boon for industrial espionage operations which make the China connections —see below— all the more worrisome.
Zoom’s initial reaction was deflection. It framed the sharing of Zoom links on social media akin to sharing a password with the world. Upon further pressure and journalistic denounces, it made some UI updates.
To sum up: “Zoom is not suited for secrets.”
Malwar-y: Governments and Federal Agents denounce, discourage, disable Zoom
Zoom had to change some some of its functionality after concerns over too invasive practices that attempted to supersede the user’s deliberate permission. This included the installation process on Mac computers, considered for many “too smooth for comfort” —or plain shady— and access to information from other apps, like in the case of contacts and calendar data mentioned earlier.
Do Zoom engineers even know what encryption means?
There are glaring loopholes in the Zoom application itself, some benign, some downright dangerous.
- Zoom’s official statements (PDF) on the encryption protocols used do not match those obtained by researchers. Zoom’s actual protocols are nearly obsolete. Seems anecdotal, but it can also allude to “bad security decisions, sloppy coding mistakes, and random software vulnerabilities.”
- Zoom’s security holes can and have been taken advantage of by malicious actors, which can collect personal information and even record using the user’s camera, without their knowledge, let alone permission.
- It previously claimed to feature end-to-end encryption, meaning not even Zoom engineers could access the content being transmitted. But if that were true, it means even if an actor manages to grab private recordings —which has been documented, repeatedly—, the content itself could not be accessed. Evidence shows this is not the case.
- Here are more details on Zoom’s encryption issues by a Columbia C.S. Professor. And as a bonus, let Tux illustrate why Zoom’s ECB encryption is so faulty.
The company has promised to upgrade the security, and appears to have done so. Research is not conclusive.
The China situation, and the unknown unknowns
Not meaning to get political, so take it for what it’s worth: Zoom operates a team of over 700 engineers in the country (under 3 different company names), known for the invasive online surveillance practices of its government. It has admitted to have rerouted traffic through the country, which surprises given the “Great Firewall,” and furthering suspicion, to date unproven, of cooperation with Beijing officials. Zoom Founder and CEO, Eric S. Yuan, is a Chinese American, born and raised in the Shandong Province.
As of this writing, several agencies, governments and security researchers continue to look into Zoom’s issues. New and unexpected ones are likely to arise. How damning are they? They have proven to cause at least some dismay for users, local bans and a class action lawsuit in the U.S. is on the works. Are they exclusive to Zoom? In all likelihood, they are not. Schneier again: “Zoom is a security and privacy disaster, but until now had managed to avoid public accountability because it was relatively obscure. Now that it’s in the spotlight, it’s all coming out.” (Not that researchers were not onto Zoom earlier.) In other words, whoever becomes Zoom’s heir is likely to be the next target of scrutiny, and new loopholes or even “privacy disasters” should surprise no one.
Personal protection measures against Zoom-like apps
Aside from the glaring loopholes, the issue of online security always touches on the “company V the user” conundrum. There is an unavoidable trade-off between a hassle-free user experience and security measures. Zoom has been proactive enough to produce all kinds of guides and instructional content for best security practices. Will these be acceptable for users? Impossible to say for now.
As for the common practices you should consider, on Zoom or most live meeting apps, here are some of the most common, varying on the amount of hassle involved and effectiveness. Note that these will help with the “Zoombombing” but might do little with the rest of the issues, known and unknown.
- Consider disabling screen sharing, microphone access and chat by default.
- Require passwords. (Note that it is very likely that someone at Zoom still gets to access those.)
- Require user sign-ups. (Might provide an unreasonable amount of personal data to Zoom and third parties.)
- Use “waiting areas” to verify who can join a room and in which capacity. (Zoom’s own “Waiting Room,” however, seems vulnerable.)
- Disable “Join before host”
- Disable chat windows
- Some apps offer personal rooms as well as general-purpose, often temporary rooms. Whenever possible, go for the latter.
- If all else fails, complain about it loudly. (@Zoom_US)
Open source, ‘Zoombombing’-free alternatives
Admittedly, these alternatives may not feel as comfortable as Zoom. Which by now you might have come to appreciate as a good thing. Furthermore, you are able to install them on your own server and make sure your data isn’t hosted in someone else’s computer. You may even be able to find them as “open containers.”
Get your own server or the apps, which offer more or less the same level of features as Zoom, with what it’s perhaps it’s “killer feature”: End-to-end encryption. Furthermore, it does not require any form of user ID. While its cloud service collects general performance data (“Crashlytics”), the server-based comes without any form of analytics features or libraries.
A browser-based, fairly simple and lightweight solution built with security in mind. A Moodle plugin is available.
An open elearning favorite that needs little introduction. Install it on your server and connect it with your LMS.
This article was first published by LMSPulse.
Featured Image: Visuals, Unsplash.