Since the beginning of the pandemic, everyone with access to the internet has probably become increasingly aware of a desktop (and mobile) application named Zoom. No matter who you are, with everything moving to work from home, you’ve probably experienced it in one way or another, or at least a very similar service. Despite its popularity, the video conferencing app hasn’t been without issue; in fact, it has a past littered with them[1].
These past security issues, however, are not what I want to focus on. More recently, Google Project Zero, Google’s team dedicated to finding and reporting on zero-day vulnerabilities, reported on a recently patched (thankfully) security issue[2] within the Zoom app. According to the article, one of these exploits included a zero-click attack.
What Exactly is a Zero-Click Attack?
For starters, it is probably useful to define exactly what a zero-click attack is. In the case of most modern “hacks”, some sort of social engineering is used. You’re tricked into clicking a link in a phishing scam, or something of that variety. If you’re wary of what you do and don’t click, you’ll be aware that you’re a target. Zero-click attacks don’t work this way. In fact, for the average user there is no way to tell that you are being targeted at all. According to an article from How-To Geek[3], “These attacks don’t often leave much of a trace behind… And the more complex the app is the more room exists for zero-click exploits,” and this is exactly what makes Zoom so vulnerable to these types of attacks. In the modern world, your data and information are becoming increasingly valuable, and people will pay absurd amounts of money to get their hands on it.
Why Should We Care?
With the exploit supposedly fixed according to Zoom themselves, and further corroborated by Natalie Silvanovich at Project Zero, who wrote[2] “while I had success with portions of the exploit, I was not able to get it working,” why exactly should we care about this any longer? The issue is fixed, right? Not necessarily. Since its rise to dominance in the sphere of online video conferencing software, Zoom has caught flak from security professionals around the world due to the fact that their client is not open source. You can’t just go look at Zoom’s security features yourself, and in fact if you wish to get a license to do so, it is reportedly exceedingly expensive[2]. Whilst you may think this seems safer (their software isn’t accessible by just anyone, so hackers can’t get to it), it simply makes it harder for people to evaluate it. While open source platforms may not be perfect, they tend to at least have the discernible advantage of known security issues.
At the end of the day, this is my main qualm with Zoom as it is. I’m a university student. I do not have the money to license a piece of security software to delve into it, and even then it’s entirely possible I wouldn’t be able to find out much. Open source technologies allow anyone, you, me, whoever, to delve into them as far as we wish, to see what we are really and truly exposing ourselves to, and to decide whether that is a risk we are willing to take. Obviously, nothing is perfect, but at the end of the day, I’d much rather know there are potential flaws and data mining techniques that I’m being exposed to. With Zoom in its current state, there is no way to guarantee that. It could be littered with undiscovered flaws simply waiting to be taken advantage of and the user would be none the wiser. Is this truly something we all want to be using on a daily basis, even if just to attend classes?
References
[1] https://www.tomsguide.com/news/zoom-security-privacy-woes Tom’s Guide, Paul Wagenseil, December 7th, 2021
[2] https://googleprojectzero.blogspot.com/2022/01/zooming-in-on-zero-click-exploits.html Google Project Zero, Natalie Silvanovich, January 18th, 2022
[3] https://www.howtogeek.com/763142/what-is-a-zero-click-attack/ How-To Geek, John Bogna, October 26, 2021
[4] https://www.sitelock.com/blog/social-engineering-attacks/ Image reference, March 31, 2021
This was quite an interesting read!
I think it’s likely a good choice for most companies to go open source, for a few reasons:
– As you mentioned above, many people can spot and identify security flaws, hopefully before an adversary.
– It’s a great investment, as the company can get free help from the public.
– People feel like they can trust it more as they have the option to know what’s going on in the background.
– Many bugs can be identified in general, not just security vulnerabilities.
– It can form a sense of community and potential networking opportunities.
– Others can learn (hopefully good quality) coding practices by seeing the code base of a big company, thus adding to the general coding knowledge ecosystem.
Oho Ben my boy this was a very insightful post.
I do agree with you completely, for it doesn’t actually make sense as to why Zoom is our primary modality of online learning when more reputable and accountable companies such as Microsoft and Google have more feature-rich and secure clients at their disposal in the form of Teams and Meet.
I personally feel like open-sourcing is a solid option here as Raine stated, since it allows experienced users to assist with bug identification and potential solutions. On the other hand, what are your thoughts on open-source software having the potential of being repackaged with malicious intent? Potentially a double-edged sword!
Cheers!
Thank you both for your comments!
Raine, I most definitely agree, there are so many reasons for developers to be more open with their software, I chose to focus on security related ones due to the nature of the class but all the reasons you mentioned just enhance the argument. Open-source, in many ways seems superior. It has so many benefits for everyone involved and for those who wish to further their knowledge of coding!
Duc, your potential counterpoint is very interesting. Hopefully any open source project with a large enough user base, or team behind it (i.e. Zoom), would have some potential code verification process in place. You wouldn’t want anyone able to destroy the project instantly, but it poses the question of what a process would look like, and that on its own could be a very interesting blog post.
Again, thank you both for your insight and I look forward to hearing back from you if you wish to continue the conversation!
This is an interesting one! Seems like Zoom developers were depending on security through obscurity. All of this happened because Zoom was closed source, and no one was able to review its source code and make sure of its claims, which is important to do when needed. I have heard Teams is much better with security, but there is an open-source one that’s considered the best alternative for Zoom. It’s called Jitsi, and their team releases all their libraries, APIs, server instances and infrastructure as open source. This makes you capable of inspecting any single component you may think of (e.g. for government requirements) or deploying your own instances of everything.
This is a really good article, considering that everyone here uses or used Zoom at one point. I’m glad that you brought awareness towards the issues of zero-click attacks, because I know that many people, myself included, never really looked out for things like that. I’m probably going to be a lot more wary of what I click when navigating Zoom and clicking links. I also agree with your point that it would be a good idea to make Zoom open source, since you can get so much more insight on problems that your program has, basically for free. I also think that if people know where the program is vulnerable, they are more likely to look out for it on their end, which could also help prevent possible security breaches.
Super relevant topic! It’s crazy to think about how many people use Zoom currently, but how little we know as a community about its software. This reminds me of how important it is to peer-review work in the science community. For technology – I absolutely think open source should be held to the same regard. With the risks of open-source mentioned in the other comments considered, I would hope that large-scale technology companies are at least participating in a well-defined technical peer review!
Great post!
It’s nice getting some light shed on zero-click attacks, because they can get really nasty. A recent one would be the zero-click attacks on iOS messages where somebody who has your phone number can send you a message that has the exploit and within seconds would have control of your phone. Since they have control of your phone, they’re able to delete that message and you are now completely oblivious to the fact that your phone has been hacked. I get that you’re stressing for open-sourcing Zoom in the fight against the zero-click attack, but what about companies who keep their software a trade secret like Apple?
A very timely topic to discuss! It’s frightening to think that your personal information and sensitive data might be exposed so easily by a single click. The frightening issue is that, while these links may appear to many to be a simple trap to avoid, it mostly targets people who are not good with technology, who will be easily tricked. A simple click may take control of your whole phone device. Very insightful post!
Interesting post. I was aware that there were some concerns about security with Zoom, but I was under the assumption that the majority of them were with Zoom-bombing. I had not heard anything about these zero-click attacks and this post has piqued my interest. I agree with you in making Zoom open source. Not only would it allow for users to understand and discover where the vulnerabilities are, it allows for new innovation within the community to help resolve the vulnerabilities.
This is the first time I actually came across the term “zero-click attacks”. Moreover, I did not know what open source projects and closed source projects exactly mean. I started googling and found out more about closed and open source projects. In the recent era, we are using Zoom more than ever before. With a single click we have so much to lose since we are often busy and do not have the time to verify the authenticity. What I do not understand is why it is named zero-click attack when you have to click a link? Am I missing a catch, or did I not understand how zero-click attacks work?
This is a very meaningful post!
Since the beginning of COVID-19, students have turned to online classes and workers have turned to telecommuting, and Zoom has gradually become an indispensable software for everyone. But many people have ignored its network vulnerabilities. The zero-click attack mentioned in your article made me realize the security problem. Hackers can directly invade our computer through Zoom’s link or email to steal our personal information and database, which is very unfavourable for us. Your article made me more aware of security precautions, and I hope that Zoom will take measures to improve their app security.
Great post!
To be honest, I do not totally agree with your points in your blog. I think the reason why the Zoom app is closed source is that the owner company is trying to protect the source code of the Zoom app from being stolen by hackers. If the hackers cannot get the source code of the Zoom app, then I think they would spend much more time writing programs to hack Zoom. Since the COVID-19 pandemic began and we started to take courses online by using Zoom, I am always worried about hackers or Zoom itself “stealing” my privacy, such as monitoring what I am doing or checking the surroundings in my home by using the camera on my laptop. So, I usually do not give Zoom the permission for using the camera on my laptop, and I have never used Zoom on my cellphone. I think there should be some non-government organizations to supervise Zoom’s owner company to make sure that Zoom is not harmful to our privacy.
Good post! Zero click attacks are definitely an issue, and I’m glad that there are zero-day software teams willing to delve into even source code that requires a license to be able to view just so that issues can be detected and reported on. I agree that having code sheltered from public scrutiny is much more vulnerable to outside attacks, because when it is closed off, attackers will snoop around and find ways in anyways, while if it is open source, those snooping around are often doing so to report on their results instead of abuse them, and that makes it so all the easy to find vulnerabilities are not only found by a hacker, but also a dozen outside observers who will sound the alarm and allow fixes to begin as well. Hopefully, if Zoom is insistent on keeping it closed source, they at least hire more teams like Google’s Project Zero to find issues.
Hey, interesting post!
Since Zoom’s rise there have been several privacy concerns I have seen. There was a point where there was concern over the encryption of Zoom cloud recordings, which Zoom claimed were encrypted, which was found to be not true. I wonder if the Zoom zero-click exploit has made it to their auto-generated links. This would be devastating and millions of systems would be infected.
Good post! It is surprising that this is still an ongoing issue, especially since Zoom has gained such a large amount of recognition and importance. While Zoom is still fixing whatever issues it may encounter, this problem, in particular, appears to be rooted in its decision to not use Open-Source. I am not adept in this technology, but perhaps that, since it is structured this way, reversing its decision and becoming Open-Source would require immense resources to do without potentially compromising the company’s software? I am not sure of how easy a fix this may or may not be. Could anybody elaborate on this? Regardless of what challenges and changes Zoom needs to address, the company should still do the right thing and make its clients’ data secure from attacks.
I definitely agree with your sentiment about security. If a determined hacker wants to form some exploits with your software and has the possibility to make a ton of money with the data that they harvest, the cost to see the source code doesn’t matter. Actions like hiding security code behind extensive paywalls serve only to keep the genuine security community from detecting potential vulnerabilities in the system before something goes wrong, and do little to prevent attackers following the blood (cash) in the water. It needs to be a more common idea that even if you keep the functionality of your software secret, the security aspects should be that one location where people can openly see and scrutinize your work, but alas I don’t really see this happening. As for Zoom, there’s probably a ton of issues still left in the code for prospective attackers to find, but there’s little to do but hope that the return to in-person activities globally will make this a less enticing venture.
Great post, thanks for sharing.