March 2020: please note that the first two sections of this article were written in summer 2019 when Zoom's Mac backdoor was first widely reported. The backdoor issue in the first section is no longer applicable; the camera on without consent issue remains. That section remains useful context for understanding Zoom's pattern of behaviour around consent, and for why I continue to advise people, where possible, to uninstall and avoid Zoom on all platforms.

2 additional sections were added at the end of this article in March 2020 based on reporting on many additional Zoom ethics issues ("Addendum"), and giving advice for alternatives in the context of our pandemic-based mass confinement ("Alternatives"). I have also written a follow-up article with advice on mitigating risk for those that do not have a real choice to move away from Zoom.

Mac Backdoor, Camera on Without Consent

First off, a WARNING: If you are using #Zoom, especially on #Mac, you should immediately uninstall and follow the instructions here to remove the persistent backdoor that they leave on your computer. Why? As a fundamental part of the working of their product, Zoom added a hack using file sizes of "invisible" images to get around CORS protection in browsers, so they could install a persistent backdoor, silently forcing webcams to broadcast.

This behaviour is indistinguishable from #malware, even if Zoom are supposed to be a legitimate business. There is no way to explain away what Zoom does as an innocent mistake, nor as normal #InfoSec bugs that come up in all products - this was a series of deliberate design choices from people who very clearly knew and understood the security controls they intentionally subverted. I recommend businesses and individuals seek alternatives and systematically refuse all Zoom conferences going forward.

Note that this is the second major 'legitimate' US company caught recently in behaviour that is indistinguishable from #CyberCrime. In April, ProPublica exposed TurboTax's behaviour, where Intuit brazenly uses phishing and malicious fake sites to scam thousands out of $50-200 each. I think cyber security companies need to seriously consider agreeing to treat the software and websites from these companies as what it is indistinguishable from: malicious software, malware.

There is recent precedent for this approach. Thanks to Eva Galperin's and Motherboard's work against "legitimate" spyware products that are widely used in domestic abuse and stalking, the InfoSec industry have started to recognize this as a specific category of malware that needs to be taken more seriously, "StalkerWare".

Cyber security companies also already regularly block "legal" malware written by the security services of our own states. In fact one of the most damaging exploits still used in major malware families today, an exploit that is responsible for probably the most expensive cyber security incident in history to date, is EternalBlue. It was written by the US government, the NSA - and they claim to have a "legal" right to continue writing and using malware like this.

For our industry and for interested legislators, there is clearly a need to take a closer look at how to deal with "legitimate" companies whose business models and products are today, completely arbitrarily, not classed as cyber crime.

Addendum

Following the public outcry about their backdoor, first Apple pushed an OSX update that blocked Zoom's backdoor, and then later Zoom pushed an update to remove it from their program. It is also true that it is possible to mitigate the worst of Zoom's many issues via careful configuration. Still, it is my belief that if you deliberately hack fundamental security controls in browsers so you can deploy a persistent backdoor, and you make a feature allowing meeting organizers to force users' webcams on - you don't get the benefit of the doubt.

The Mac backdoor and the forcing of cameras on without consent are not the only issues with Zoom. For example, Ouren has detailed the ways in which Zoom monitors all your screen and app activity, collecting that data both for themselves and for whoever set up the Zoom call. Touchfaith has detailed ways in which Zoom themselves advertise their surveillance features to bridge administrators.