Zoom for Mac makes it too easy for hackers to access webcams. Here's what to do


One of the easiest ways to tell if someone is a computer security professional is to look at their laptop. If the webcam is covered with tape or a sticker, they probably are. A recently published report on the Zoom for Mac conferencing application highlights why this practice makes sense.
Researcher Jonathan Leitschuh reported Monday that, in some cases, websites can automatically cause visitors to join calls with their cameras on. It is not difficult to imagine that this is a problem for people in their bathrobes or in the middle of a sensitive business meeting, because a malicious link would open Zoom without any advance warning and transmit everything in view of the camera.
Almost certainly, the Zoom developers intended the behavior to make the Web conferencing app easier to use. But unless users have correctly adjusted their settings in advance, Leitschuh's findings show how malicious actors can turn this ease of use against unwitting users. A proof-of-concept exploit is available here, but readers should be warned: depending on your Zoom settings, your webcam may soon be transmitting what it sees to perfect strangers.
"This vulnerability allows any website to forcibly join a user with a Zoom call, with the camera activated, without the user's permission," Leitschuh wrote.
Leitschuh is mostly correct there. Clicking on the link will automatically open Zoom and join a call. But as mentioned above, video is only captured when Zoom is configured to start conferences with the camera turned on. Some media reports and social media commentators have said that this behavior allows websites to "hijack" a Mac webcam. I would say that is a stretch, given that (1) it is quite obvious that Zoom is opening up and transmitting what the camera sees and (2) it is easy to leave the conference immediately or simply turn off the camera.
Also, preventing video capture involves a single click on a checkbox in the Zoom preferences that keeps video off when you join a meeting. But user beware: even when this setting is active, sites can still force Macs to open Zoom and join a conference.

None of this means that the threat Leitschuh has revealed is a trivial one. It is not. But it underlines the almost impossible balancing act that developers must strike. Make a feature too difficult to use and people will move to a competing product. Make it too easy and attackers could abuse it to do bad things the developer never imagined.
In this case, the Zoom developers should have warned that the ability to automatically join a conference with video activated was a powerful feature that could be used to compromise user privacy. Instead, the developers left users to decide without advance guidance. (In contrast, audio is automatically muted when joining a Zoom conference.) In other words, Zoom's developers made this automatic webcam-on join too easy. In retrospect, thanks to Leitschuh's post, that is easy to see.
In a response to Leitschuh's disclosure, Zoom's Richard Farley said that the company will publish an update this month that "will apply and save the user's video preferences from the first Zoom meeting to all future Zoom meetings." Farley did not say whether Zoom will provide guidance to users on which choice is the better one.

An always active web server

Leitschuh's research has uncovered another behavior of Zoom for Mac that is also disturbing to security-conscious people. The app installs a web server that accepts queries from other devices connected to the same local network. This server continues to run even when a Mac user uninstalls Zoom. Leitschuh showed how this web server can be abused by people on the same network to force Macs to reinstall the app.
This is clearly not good. While the web server is only accessible to devices on the same network, this still exposes people using untrusted networks. And if hackers ever encounter a code execution vulnerability in the web server, the potential for abuse is even higher. Farley said that Zoom introduced the web server as a way to get around a change introduced in Safari 12 that requires users to confirm with a click every time they want to start the Zoom app before joining a meeting.
"We believe this is a legitimate solution to a problem of poor user experience, allowing our users to have faster, one-click meetings," Farley wrote. "We are not the only one among video conferencing suppliers in actualizing this arrangement."
Independent security researcher Kevin Beaumont said on Twitter that the BlueJeans video conferencing app for Mac also opens a web server.
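As an added example (not code from the article, from Zoom, or from Leitschuh's research), here is a small POSIX shell audit a Mac administrator could use to spot a conferencing helper that keeps listening on a local TCP port after the app has been removed; it filters `lsof` output for listeners whose process name matches a pattern. The process names, PIDs and ports in the embedded sample are constructed, and the `lsof` column layout is an assumption.

```shell
#!/bin/sh
# Added example: find TCP listeners belonging to a conferencing helper.
# find_listeners prints "COMMAND PID PORT" for every socket in LISTEN state
# whose command name matches the case-insensitive regex in $2.
# $1 is the text output of `lsof -iTCP -sTCP:LISTEN -P -n` (format assumed).
find_listeners() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        NR > 1 && tolower($1) ~ tolower(pat) && $NF == "(LISTEN)" {
            # NAME column looks like 127.0.0.1:1234 or *:4444; keep the port
            n = split($(NF-1), a, ":")
            print $1, $2, a[n]
        }'
}

# Constructed sample in lsof format (not real output from any machine).
# Note lsof truncates COMMAND to nine characters by default.
SAMPLE='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomHelpe 4321 alice    7u  IPv4 0x1234      0t0  TCP 127.0.0.1:1234 (LISTEN)
Spotify    888 alice   55u  IPv4 0x5678      0t0  TCP *:4444 (LISTEN)
zoom.us   4410 alice   33u  IPv4 0x9abc      0t0  TCP 10.0.0.5:52000->203.0.113.9:443 (ESTABLISHED)'

# audit_live runs the same filter against the live machine. It returns 1
# when a matching listener exists, so a login script or MDM policy can
# flag Macs where the helper survived an uninstall. Returns 2 without lsof.
audit_live() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not found" >&2; return 2; }
    found=$(find_listeners "$(lsof -iTCP -sTCP:LISTEN -P -n 2>/dev/null)" "$1")
    [ -z "$found" ] && return 0
    echo "Listening conferencing helper(s) found:"
    echo "$found"
    return 1
}

# Demonstration on the constructed sample: only the LISTEN socket owned by
# the helper is reported; the established zoom.us connection is ignored.
find_listeners "$SAMPLE" zoom
```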

Convenience is the enemy of security

As with the auto-on webcam when joining meetings, Zoom's implementation of a web server is a convenience that comes at a potential cost to security. Neither behavior represents a critical vulnerability, but together they suggest that the Zoom developers could do more to lock down the Mac version of their app, particularly for users who may be less aware of security issues.
And it is here that precautions like tape over a webcam come into play. Users can never be sure that developers have adequately protected their apps from attack or abuse, so the responsibility falls to end users to compensate. Another way to protect yourself from abuse of Zoom or other web conferencing software is to use an app like Little Snitch and configure it to give the conferencing software Internet access only for a limited time. Another self-help protection is to configure macOS so that Zoom has access to the webcam only at the specific times when it is needed.
Yes, these additional protections can be a hassle. But they also underscore the fundamental tension between convenience and security.
