Re: [irsg] Meetecho for interims?

[Carsten Bormann <cabo@tzi.org>]

On 2020-08-01, at 09:47, Leif Johansson <leifj@sunet.se> wrote:
> 
> 
> 
> Skickat från min iPhone
> 
>> 31 juli 2020 kl. 23:57 skrev Jim Fenton <fenton@bluepopcorn.net>:
>> 
>> On 7/31/20 2:53 PM, Carsten Bormann wrote:
>>> Yes, but you should be wary of the security issues that you haven’t heard of.
>>> (Zoombombing is a ridiculous “security issue”.)
>>> At least, with Webex, I can be reasonably sure about the absence of criminal intent of the operator.
>> 
>> That is a very serious allegation that you are making without evidence.
>> 
>> -Jim
>> 
> 
> I was just thinking the same thing.

Actually, it is a statement of fact: I feel way more secure with software from Cisco than with software from Zoom Video Communications (ZVC), because I have good reason not to be certain about ZVC’s corporate intent.  I didn’t know there would be an expectation that I would embellish this simple fact with formal indictment papers.



Feel free to skip the rest of the message if you are not interested in the evidence that makes me so uncertain.  Other people keep asking me why I don’t use ZVC products, so maybe it’s worth writing this up in more detail.

Mid-2019 a vulnerability became known.  That of course happens every day with something, and a prudent response for me was to uninstall the (rarely used) ZVC software until it is fixed.  Sounded uncomplicated.

What we didn’t know at first: ZVC had installed a backdoor that, even after deinstallation, allowed them to re-install the software under the covers.  This backdoor could be activated from any website, not just by ZVC.

OK, this is getting quite serious, but it still might have been an intern doing things that escaped quality control.

Confronted with the situation, ZVC made a statement essentially saying that this was company policy and all was well.  This is the place where they committed corporate suicide, and I was sure no decent person would ever talk to them again.  Interestingly, nothing happened on the legal side, nobody seemed to have a copy of the CFAA (or § 303b StGB in Germany) handy.

Finally, this was “resolved” when Apple put pointers to the ZVC backdoor into an emergency malware detector update to get rid of the issue.  That hasn’t happened often, and I would expect Apple to have exhausted all means to fix this amicably before taking out the cudgel (of course they never made any statement about this apart from sending out the malware remover).  Only when it became clear that they wouldn’t get to keep their backdoor, they finally played nice to its removal (“we’re happy to have worked with Apple on testing this update.”).



What happened after that incident did not give any reason to believe something has changed with their corporate policies (sorry, no references, there are too many further incidents, both on the security and privacy sides).

Of course, 9 months later, when they noticed their stance on security issues might be damaging their COVID-boosted stock price, they started to pay lip service.  I haven’t noticed any consequences of the July incident in their personnel lineup, so I am assuming it is still run by the same people that ran ZVC in mid-2019.  Will they do something like this again?  Seriously, I don’t know.

All of this has happened in public; there isn’t any news in this message.



I am not part of the culture that shrugs away persistent, egregious behavior.

(Yes, Zoom is sooo convenient, so you'll find a lot of apologists.  Also, the sheer number of security issues that pop up and eventually are resolved by ZVC can make it seem they are doing a lot of good recently.  And, those background images…  More seriously, sometimes you have to make tough choices, so I don’t blame the users either.)

Now you know what makes me feel infinitely safer with Cisco software than with ZVC software, and (in case you wonder why I even care about this) why I feel seriously unhappy about my university deciding to impose the use of ZVC software on its 20000 students (administrative meetings tend to be run on platforms where we have better assurance levels).

I didn’t set out to write a piece disparaging ZVC, but you (*) asked for information, and the information about the July incident itself unfortunately simply is nothing less then disparaging. I could go on citing more analysis (**), because I had to research the subject seriously when my university started preparing for COVID, but I’ll stop here.

Grüße, Carsten


A few refs:
https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
https://www.schneier.com/blog/archives/2019/07/zoom_vulnerabil.html
https://www.theverge.com/2019/7/10/20689644/apple-zoom-web-server-automatic-removal-silent-update-webcam-vulnerability
https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/

(*) Actually Jim, but his message never reached me.

(**) If you need a more in-depth discussion of ZVC's communication security that does not touch corporate responsibility (or even the July incident), I recommend http://www.circleid.com/posts/20200406-rusting-zoom/ [sic] by Steven Bellovin.

A recent analysis by the German Data Protection Officer may come to the conclusion that no global vendor offers perfect contractual assurances, but for ZVC specifically it is pointing out "Zweifel an der Zuverlässigkeit des Anbieters” (doubts about the reliability of the vendor, p. 14), which is about as far as a German state officer will go in a formal document before starting legal proceedings.
https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/orientierungshilfen/2020-BlnBDI-Hinweise_Berliner_Verantwortliche_zu_Anbietern_Videokonferenz-Dienste.pdf