March 2020: please note that the first two sections of this article were written in summer 2019 when Zoom's Mac backdoor was first widely reported. The backdoor issue in the first section is no longer applicable; the camera-on-without-consent issue remains. That section remains useful context for understanding Zoom's pattern of behaviour around consent, and for why I continue to advise people, where possible, to uninstall and avoid Zoom on all platforms.
Two additional sections were added at the end of this article in March 2020, based on reporting of many additional Zoom ethics issues ('Addendum') and giving advice on alternatives in the context of our pandemic-based mass confinement ('Alternatives').
I have also written a follow-up article with advice on mitigating risk for those that do not have a real choice to move away from Zoom.
Mac Backdoor, Camera on Without Consent
First off, a WARNING: If you are using #Zoom, especially on #Mac, you should immediately uninstall and follow the instructions here to remove the persistent backdoor that they leave on your computer.
Why? As a fundamental part of how their product works, Zoom installed a hidden local web server on every Mac and added a hack - reading the sizes of “invisible” images - to get around CORS protection in browsers, so that any web page could talk to that server. That server survived uninstalling Zoom, could reinstall the client on demand and could drop the user into a call with the webcam already broadcasting: a persistent backdoor that silently forces webcams on.
This behaviour is indistinguishable from #malware, even if Zoom are supposed to be a legitimate business.
There is no way to explain away what Zoom does as an innocent mistake, nor as the normal #InfoSec bugs that come up in all products - these were multiple deliberate design choices by people who very clearly knew and understood the security controls they intentionally subverted.
I recommend businesses and individuals seek alternatives and systematically refuse all Zoom conferences going forward.
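The original post links to removal instructions that are not reproduced here. As an added example (my own script, not the original post's instructions or anything shipped by Zoom), the following POSIX shell checks a Mac for the artifacts of that hidden web server and neutralizes them. It assumes the details reported at the time: the opener lived in a hidden ~/.zoomus directory and listened on localhost port 19421, and the mitigation that circulated was to replace that directory with an empty, mode-000 file so a later install could not silently recreate it. The function names are this example's own, and every function takes the home directory as a parameter so it can be tried against a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the original post or from Zoom.
# Checks for and neutralizes the 2019 Zoom local web server ("ZoomOpener")
# on macOS. Assumptions (as reported in July 2019): the opener lives in the
# hidden ~/.zoomus directory and listens on localhost:19421.

ZOOM_OPENER_PORT=19421

# 0 if $1/.zoomus exists as a directory (the hidden install location), else 1.
zoomus_dir_present() {
    [ -d "$1/.zoomus" ]
}

# 0 if something is listening on TCP port $1 on this host, 1 if not,
# 2 if we cannot tell (neither lsof nor nc is available).
port_listening() {
    port="$1"
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1 && return 0
        return 1
    elif command -v nc >/dev/null 2>&1; then
        nc -z 127.0.0.1 "$port" >/dev/null 2>&1 && return 0
        return 1
    fi
    return 2
}

# Stop the opener process, remove its directory, and leave an empty file with
# no permission bits in its place so a later Zoom install cannot recreate it.
# pkill -x matches the process name exactly, not the whole command line.
neutralize_zoom_opener() {
    home="$1"
    [ -n "$home" ] || return 1
    pkill -x ZoomOpener 2>/dev/null || true
    rm -rf "$home/.zoomus"
    : > "$home/.zoomus"
    chmod 000 "$home/.zoomus"
}

# 0 if the blocking placeholder is in place: a regular file, mode 000.
zoomus_blocked() {
    f="$1/.zoomus"
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c2-10)
    [ "$perms" = "---------" ]
}

# Report on the real home directory when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    if zoomus_dir_present "$HOME"; then
        echo "~/.zoomus directory present (ZoomOpener install location)"
    elif zoomus_blocked "$HOME"; then
        echo "~/.zoomus is already blocked by a mode-000 placeholder"
    fi
    port_listening "$ZOOM_OPENER_PORT"
    case $? in
        0) echo "something is listening on localhost:$ZOOM_OPENER_PORT" ;;
        1) echo "nothing is listening on localhost:$ZOOM_OPENER_PORT" ;;
        *) echo "cannot check port $ZOOM_OPENER_PORT (no lsof or nc)" ;;
    esac
fi
```

Saved as, say, zoom_opener_check.sh (a name assumed here), `sh zoom_opener_check.sh --scan` only reports; calling `neutralize_zoom_opener "$HOME"` from a shell that has sourced the file performs the removal. The port check is the interesting one for a fleet: a listener on 19421 after Zoom has supposedly been uninstalled is exactly the persistence the section above describes.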
If It Walks Like A Duck..
Note that this is the second major 'legitimate' US company caught recently in behaviour that is indistinguishable from #CyberCrime. In April, ProPublica exposed TurboTax's behaviour, where Intuit brazenly uses phishing and malicious fake sites to scam thousands out of $50-200 each.
I think cyber security companies need to seriously consider agreeing to treat the software and websites from these companies as what they are indistinguishable from: malicious software, malware.
There is recent precedent for this approach. Thanks to Eva Galperin's and Motherboard's work against 'legitimate' spyware products that are widely used in domestic abuse and stalking, the InfoSec industry has started to recognize these as a specific category of malware that needs to be taken more seriously: 'StalkerWare'.
Cyber security companies also already regularly block 'legal' malware written by the security services of our own states. In fact one of the most damaging exploits still used in major malware families today, an exploit that is responsible for probably the most expensive cyber security incident in history to date, is EternalBlue. It was written by the US government, the NSA - and they claim to have a 'legal' right to continue writing and using malware like this.
For our industry and for interested legislators, there is clearly a need to take a closer look at how to deal with 'legitimate' companies whose business models and products are today, completely arbitrarily, not classed as cyber crime.
Addendum
Following the public outcry about their backdoor, first Apple pushed an OSX update that blocked Zoom's backdoor, and then later Zoom pushed an update to remove it from their program. It is also true that it is possible to mitigate the worst of Zoom's many issues via careful configuration. Still, it is my belief that if you deliberately hack fundamental security controls in browsers so you can deploy a persistent backdoor, and you make a feature allowing meeting organizers to force users' webcams on - you don't get the benefit of the doubt.
The Mac backdoor and the forcing cameras on without consent are not the only issues with Zoom. For example, Ouren has detailed the ways in which Zoom monitors all your screen and app activity, collecting that data both for themselves and for whoever setup the Zoom call.
Touchfaith has detailed ways in which Zoom themselves advertise their surveillance features to bridge administrators. Again this is all without anything that can be reasonably called consent by the end-users.
Felix has detailed how, just like in phishing attacks by cyber criminals, Zoom is trying to trick Mac users into giving their admin password to gain persistence.
Even if I understand the reluctance to get sued by major US companies, I don't see how we in the cyber security industry can honestly call this anything except malware.
This is why my advice remains to uninstall Zoom and refuse Zoom calls. Any company that behaves this way cannot be trusted. Any software that behaves this way is indistinguishable from malware, and should be treated as malware.
Alternatives
Depending on your organization and requirements, you or your IT administrators may not have many alternatives. For example, Zoom is being heavily used in the education field, especially now we all must #StayTheFuckHome. And yet educational establishments often have very constrained IT budgets and they are unlikely to find good alternatives in the edutech industry, which is already well known for forcing surveillance on already vulnerable students & staff. That is no doubt part of the appeal to certain administrators.
Just like with most 'free' online services we all use, we do not have any real uncoerced choice to opt out of the surveillance. Or rather, opting out comes at an unacceptable cost: losing access to the basics of modern life. The consent forms and terms & conditions that we must live with are like the highway robber asking us to choose between 'your money or your life?' - of course we choose our lives.
Malware behaviour and creepy surveillance aside, I have little doubt that Zoom's features and UX are some of the best available - a full free alternative that is as good in every aspect is not realistic.
Most companies use enterprise solutions like Microsoft's Teams for this kind of use case. I'm assuming these tools are not cheap. As part of their COVID-19 response, Microsoft announced they will provide a 6 months free trial version for educational and governmental organizations. These enterprise tools are not free - you are paying for your company and IT admins' ability to control the security and privacy and have a much higher degree of trust in the tools that are accessing sensitive information on everyone's devices.
If you need something free, this open source alternative may be more acceptable. If your admins have sufficient resources and skills, they can also use it to stand up a local instance usable by your staff and students. It is worth remembering that self-hosting is rarely going to be the most secure approach - something that can be partially mitigated by standing the service up on a good cloud hosting provider, especially if additional support services are provided.
Leaders of a non-profit organization I trust have similarly used Big Blue Button for online learning and video calling, with very good results.
Like most things in security, the most important first step is to understand your threat model. Then you make (often Sophie's) choices based on the risks that matter most to you. Then you try to mitigate the remaining issues with those necessarily imperfect choices. Then you make sure this is a continuous ongoing process.
Bottom line - I understand there are very good reasons why many people and organizations (especially the most vulnerable) will be constrained to decide to continue to use Zoom. That said, if you are able, my recommendation remains to uninstall Zoom and refuse Zoom calls.
It is not only for your security and privacy, it is also important for the health of society to send a strong signal that this kind of behaviour by so-called legitimate companies is unacceptable.
Zoom, the popular video call service, has had a number of privacy and security issues over the years, and we’ve seen several very recently as Zoom's usage has skyrocketed during the coronavirus pandemic. Now two new bugs have been discovered that allow hackers to take control of Macs, including the webcam and microphone, and even gain full root access.
Update 4/2: Zoom has issued an apology for its privacy and security gaffes, patched these two most recent Mac bugs, and laid out a plan for the next 90 days to improve the service.
Reported by TechCrunch, the new flaws were discovered by Ex-NSA hacker Patrick Wardle, now principal security researcher at Jamf, who detailed his findings on his blog Objective-See.
Wardle goes through a history of Zoom’s privacy and security issues like the webcam hijacking we saw last summer, the calls not actually being end-to-end encrypted as the company claims, the iOS app sending user data to Facebook, and more.
That brings us to today. Wardle’s new bug discoveries mean Macs are vulnerable to webcam and mic takeover again, in addition to an attacker gaining root access to the Mac. It does have to be a local attack, but the bug makes it relatively easy for an attacker who already has an unprivileged foothold to gain total control of macOS through Zoom.
As such, today when Felix Seele also noted that the Zoom installer may invoke the AuthorizationExecuteWithPrivileges API to perform various privileged installation tasks, I decided to take a closer look. Almost immediately I uncovered several issues, including a vulnerability that leads to a trivial and reliable local privilege escalation (to root!).
Wardle describes the entire process in technical detail if you’re interested but the flaw comes down to this:
To exploit Zoom, a local non-privileged attacker can simply replace or subvert the runwithroot script during an install (or upgrade?) to gain root access.
Then, a second flaw Wardle discovered allows hackers to access a Mac’s camera and mic, and even record the screen, all without a user prompt.
Unfortunately, Zoom has (for reasons unbeknown to me), a specific “exclusion” that allows malicious code to be injected into its process space, where said code can piggy-back off Zoom’s (mic and camera) access! This gives malicious code a way to either record Zoom meetings, or worse, access the mic and camera at arbitrary times (without the user access prompt)!
Zoom didn’t respond to TechCrunch after a request for comment. With the millions of people using Zoom with the current global health crisis, hopefully, we see a fix real fast!
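Both of Wardle's findings come down to trust placed in things an unprivileged user can change. As an added example (my own POSIX shell, not Wardle's code or Zoom's installer logic), the first function below checks the class of bug behind the root escalation: before a privileged step executes a script such as the "runwithroot" one quoted above, the script and every directory on its path must be owned by the expected user (root by default) and must not be writable by group or others, otherwise a local user can swap the script out between the installer writing it and root running it. The second function checks, on macOS only, for the entitlement Wardle's "exclusion" refers to, com.apple.security.cs.disable-library-validation, which is what lets foreign code load into the process and inherit its camera and mic consent. The file name "runwithroot", the optional owner-uid and top-directory parameters, and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original article, Wardle's post or Zoom.

# safe_for_privileged_exec PATH [OWNER_UID] [TOP]
#   Returns 0 if PATH and every ancestor directory up to TOP (default /) are
#   owned by OWNER_UID (default 0, i.e. root) and are not group- or
#   world-writable; returns 1 and prints the first offending path otherwise.
#   Symlinks are rejected outright: a root-owned link can point anywhere.
safe_for_privileged_exec() {
    target="$1"
    owner="${2:-0}"
    top="${3:-/}"
    [ -e "$target" ] || { echo "missing: $target"; return 1; }
    case "$target" in
        /*) p="$target" ;;
        *)  p="$(pwd)/$target" ;;
    esac
    while :; do
        if [ -L "$p" ]; then
            echo "symlink on path: $p"; return 1
        fi
        # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
        set -- $(ls -ldn "$p")
        mode="$1"; uid="$3"
        if [ "$uid" != "$owner" ]; then
            echo "not owned by uid $owner: $p"; return 1
        fi
        # In "drwxr-xr-x", position 6 is group-write and 9 is other-write.
        # A sticky, world-writable directory (like /tmp) is still unsafe:
        # others can create entries there and race the privileged process.
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "group/world writable: $p"; return 1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# has_disable_library_validation APP_BUNDLE   (macOS only)
#   0 if the bundle's entitlements mention the library-validation opt-out,
#   1 if not, 2 if codesign is unavailable. Presence of the key is reported;
#   confirm its value is true in the printed plist before drawing conclusions.
has_disable_library_validation() {
    command -v codesign >/dev/null 2>&1 || return 2
    codesign -d --entitlements :- "$1" 2>/dev/null \
        | grep -q 'com.apple.security.cs.disable-library-validation'
}

# Stand-alone use: check a script an installer intends to run as root.
if [ -n "${1:-}" ]; then
    if safe_for_privileged_exec "$1"; then
        echo "ok to run as root: $1"
    fi
fi
```

The usual way to apply the first check is from the installer's own privileged step, refusing to run the helper when it fails; the usual way to apply the second is `has_disable_library_validation /Applications/zoom.us.app` on a Mac, which tells you whether an app you are about to grant camera and microphone access to has opted out of the protection that would keep other code from riding along on that grant.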