Zoom's security is not that bad

by lc · 3 min read · 5th Apr 2020 · 16 comments


Computer Security
Personal Blog

Disclaimer: just an intern/college student, wrote this at 4:00 A.M.

In the past two days Zoom has been hit with a dozen or so articles for its apparently poor security and steadfast allegiance to the Chinese government. The root of this outcry, or at least the earliest/most specific/most technical articles I can find, appears to be this report by Citizen Lab and this one by a security researcher. Combing through these and the above, I really only see two real issues cited from the last few months, one of which was patched, and none of which seem particularly severe in terms of real-world impact.

The first problem was a few relatively trivially exploited local privilege escalation vulnerabilities in their macOS client that were patched shortly after they were published on a security researcher's blog. This is probably the lowest-severity vulnerability that can be written up without being seen as desperate or cheeky by most people in security. Local privilege escalation on an end user's laptop is a vulnerability, yes, but it is almost completely useless. However pervasively cases to the contrary are reported in the media, most attackers with ongoing remote code execution on your laptop are more interested in your credit cards and Monero mining capabilities than your microphone and camera.

The second, which to my knowledge has not been fixed, is Zoom's use of ECB mode for encrypting their video communications. This seems like much more of a show of incompetence than the former (I can't remember any other company being called out for this practice in my lifetime), but these cryptographic problems are the kind of "academic" bug that is easier to spot than to exploit. Despite what you were told in your C.S. class, using the ECB cipher mode is not a security vulnerability, if we're supposed to designate security vulnerabilities based on their demonstrated risk to security. An attacker with network access to your Zoom traffic can tell, within the same call, when the 128-bit encrypted blocks have matching input blocks. That's not a POC. POC || GTFO.
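To make that ECB observation concrete, here is an added illustration (not Zoom's code, and not AES: the block function is a hashlib-based stand-in, labelled as such in the code) of exactly what a passive observer of the ciphertext can and cannot learn: under ECB, equal 16-byte plaintext blocks produce equal ciphertext blocks, so repetition in the input is visible; under a counter mode such as CTR the same input shows no repetition.

```python
import hashlib
from collections import Counter

BLOCK = 16  # 128-bit blocks, as with AES-128

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the AES block function (hypothetical, NOT AES).
    It is keyed and deterministic, which is all the ECB leak depends on."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal inputs
    give equal outputs anywhere in the stream."""
    assert len(plaintext) % BLOCK == 0
    return b"".join(block_encrypt(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """CTR: encrypt (nonce || counter) and XOR with the plaintext, so equal
    plaintext blocks are masked by different keystream blocks."""
    assert len(nonce) == 8
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)

def repeated_blocks(ciphertext: bytes) -> int:
    """What a passive observer can compute: the number of 16-byte ciphertext
    blocks that are duplicates of an earlier block."""
    counts = Counter(ciphertext[i:i + BLOCK]
                     for i in range(0, len(ciphertext), BLOCK))
    return sum(c - 1 for c in counts.values())

# Constructed sample "frame": six identical blocks (think of a static
# background region) followed by two distinct blocks. Key and nonce are
# constructed values, not anything from a real deployment.
KEY = b"constructed-demo-key-not-real!!!"
NONCE = b"\x00\x01\x02\x03\x04\x05\x06\x07"
FRAME = b"\x00" * (BLOCK * 6) + b"A" * BLOCK + b"B" * BLOCK

def leak_comparison() -> dict:
    """Duplicate-block counts an observer sees for the same frame under each mode."""
    return {"ecb": repeated_blocks(ecb_encrypt(KEY, FRAME)),
            "ctr": repeated_blocks(ctr_encrypt(KEY, NONCE, FRAME))}

if __name__ == "__main__":
    print(leak_comparison())  # ECB reveals the five repeats, CTR reveals none
```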

That's it. Those are the only real security issues I could find, at least within the last year. There was a pretty egregious one regarding a macOS (something going wrong with that team?) remotely exploitable vulnerability via an installed web server that didn't grant code execution but did allow you to bring someone into a call. It was reported over a year ago, and it doesn't seem to have been exploited in the wild. There was the thing of them lying about providing end-to-end encrypted communications on their proprietary conferencing app, and while that reflects poorly on Zoom in a character sense, I don't think anyone who actually needs the security of end-to-end encryption is going to rely on Zoom to speak to other people, and I don't think anyone who thought about it for ten seconds thought they possessed this feature anyway. And then there was the sudden braindamaged outcry about them not using AES-256 instead of AES-128, which is like being mad at someone for using a 32-character random password instead of a 64-character random password, and is a comment that should immediately make you lose any respect for the security awareness of the person saying it.

In addition there were some default chatroom changes that have gotten fixes in the last twenty-four hours due to the ongoing dogpiling. One of these was caused by a bug where if you leave a Zoom call open to the public, members of the public can join the Zoom call. The press has given this practice its own name, "Zoom bombing", and keeps calling the people that do it hackers. No one is hacking into these goddamn phone calls. You can scream "security by default" and "users are the weakest link" until you're asking the federal government for respirators, but there's also a selection effect to consider, in which people who display this level of incompetence in protecting their data also tend to value it less. I have yet to see reports of trade secrets leaked by people who fail to password-protect their Zoom session - only a dozen or so repeat stories of trolls spamming the N-word, which is a tragedy because such foul language never happens elsewhere on the internet.

The biggest problem the media seems to have with Zoom though, the one that makes me froth at the mouth in its hysterical stupidity, is its ties to China. Some of these news sites - which I cannot look at without disabling 4/5 of my privacy extensions - news sites which are, in terms of bandwidth or requests, 90% analytics/ads/malware and 10% content - are apparently concerned that their weekly standups are being sent along wires that flow through Chinese borders. Let me tell you personally: China has your phone calls. More importantly, American spy agencies have your internet browsing habits and your phone calls. Through the magic of the internet, with or without cooperation from the companies themselves, any computation you do not take great, impractical pains to secure from nation-state adversaries is going to end up in the hands of nation-state adversaries. Remarkably, this includes China, even when the company is not physically located in China or does not hire Chinese employees. The agency you should be most concerned about spying on you is the one that polices the country you live in. Especially if you literally live in the world's foremost surveillance state.

I'm not saying that Zoom hasn't probably handled application security poorly, or that China spying on you isn't bad, or that "I wouldn't run things differently if I were in charge", etc. etc. But security is a trade-off, and Zoom is a startup that up to this point has quite reasonably focused on growth and features over hiring the best security/bughunting staff. Zoom doesn't run a cryptocurrency exchange. They don't build internet-connected pacemakers. They're a chat app that allows you to talk to grandma over the internet instead of giving her a respiratory disease. The class action lawsuits being thrown at this company for giving data to Facebook (curiously driven, I assume, partly by people who regularly voluntarily give data to Facebook) strike me as panic-driven and honestly xenophobic. Somehow I doubt all of the people suddenly concerned with internet privacy will quit Windows, Gmail, or Snapchat, but of course, when the prospect is a Chinese company having your data, we all have to make sacrifices.
