Zoom Hack Mac

March 2020 : please note that the first two sections of this article were written in summer 2019 when Zoom's Mac backdoor was first widely reported. The backdoor issue in the first section is no longer applicable; the camera on without consent issue remains. That section remains useful context for understanding Zoom's pattern of behaviour around consent, and for why I continue to advise people, where possible, to uninstall and avoid Zoom on all platforms.

Two additional sections were added at the end of this article in March 2020 based on reporting on many additional Zoom ethics issues ('Addendum'), and giving advice for alternatives in the context of our pandemic-based mass confinement ('Alternatives').

I have also written a follow-up article with advice on mitigating risk for those that do not have a real choice to move away from Zoom.

Mac Backdoor, Camera on Without Consent

First off, a WARNING: If you are using #Zoom, especially on #Mac, you should immediately uninstall and follow the instructions here to remove the persistent backdoor that they leave on your computer.

Why? As a fundamental part of the working of their product, Zoom added a hack using file sizes of “invisible” images to get around CORS protection in browsers, so they could install a persistent backdoor, silently forcing webcams to broadcast.
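For readers who want to verify that the helper is actually gone from a Mac, here is an added audit script. It is not from the original article, and the indicators it looks for (a hidden `~/.zoomus` directory, a process named `ZoomOpener`, and a listener on localhost TCP port 19421) are assumptions taken from public reporting on the 2019 issue rather than from this page. It only reports; removal should follow the instructions the article links to.

```shell
#!/bin/sh
# Added audit script (not from the original article). It checks a macOS user
# account for leftovers of the 2019 Zoom local web server ("ZoomOpener").
# Assumptions taken from public reporting on that issue, not from this page:
#   - the helper lived in the hidden directory ~/.zoomus
#   - it ran as a process named ZoomOpener
#   - it listened on localhost TCP port 19421
# Each indicator found is printed to stderr; the total count goes to stdout.

zoom_opener_indicators() {
  home="${1:-$HOME}"   # home directory to inspect; defaults to the current user
  found=0

  # 1. Hidden directory that held the helper app
  if [ -e "$home/.zoomus" ]; then
    echo "FOUND: $home/.zoomus" >&2
    found=$((found + 1))
  fi

  # 2. Helper process still running (exact process-name match)
  if pgrep -x ZoomOpener >/dev/null 2>&1; then
    echo "FOUND: running ZoomOpener process" >&2
    found=$((found + 1))
  fi

  # 3. Something listening on the helper's localhost port (skipped if lsof is absent)
  if command -v lsof >/dev/null 2>&1 &&
     lsof -nP -iTCP:19421 -sTCP:LISTEN >/dev/null 2>&1; then
    echo "FOUND: listener on TCP 19421" >&2
    found=$((found + 1))
  fi

  echo "$found"
}

# Stand-alone use: `sh zoom_audit.sh --run` audits the current user and exits
# non-zero if any indicator remains, so it can be dropped into a fleet check.
if [ "${1:-}" = "--run" ]; then
  n=$(zoom_opener_indicators)
  if [ "$n" -eq 0 ]; then
    echo "no ZoomOpener indicators found"
  else
    echo "$n ZoomOpener indicator(s) found" >&2
    exit 1
  fi
fi
```

A count of zero is the expected result on a machine that has applied Apple's and Zoom's later updates; a non-zero count on a machine that has "uninstalled" Zoom is exactly the persistence the article is warning about.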

This behaviour is indistinguishable from #malware, even if Zoom are supposed to be a legitimate business.

There is no way to explain away what Zoom does as an innocent mistake, nor as normal #InfoSec bugs that come up in all products - these were multiple deliberate design choices from people who very clearly knew and understood the security controls they intentionally subverted.

I recommend businesses and individuals seek alternatives and systematically refuse all Zoom conferences going forward.

If It Walks Like A Duck..

Note that this is the second major 'legitimate' US company caught recently in behaviour that is indistinguishable from #CyberCrime. In April, ProPublica exposed TurboTax's behaviour, where Intuit brazenly uses phishing and malicious fake sites to scam thousands out of $50-200 each.

I think cyber security companies need to seriously consider agreeing to treat the software and websites from these companies as what it is indistinguishable from: malicious software, malware.

There is recent precedent for this approach. Thanks to Eva Galperin's and Motherboard's work against 'legitimate' spyware products that are widely used in domestic abuse and stalking, the InfoSec industry has started to recognize this as a specific category of malware that needs to be taken more seriously, 'StalkerWare'.

Cyber security companies also already regularly block 'legal' malware written by the security services of our own states. In fact one of the most damaging exploits still used in major malware families today, an exploit that is responsible for probably the most expensive cyber security incident in history to date, is EternalBlue. It was written by the US government, the NSA - and they claim to have a 'legal' right to continue writing and using malware like this.

For our industry and for interested legislators, there is clearly a need to take a closer look at how to deal with 'legitimate' companies whose business models and products are today, completely arbitrarily, not classed as cyber crime.

Addendum

Following the public outcry about their backdoor, first Apple pushed an OSX update that blocked Zoom's backdoor, and then later Zoom pushed an update to remove it from their program. It is also true that it is possible to mitigate the worst of Zoom's many issues via careful configuration. Still, it is my belief that if you deliberately hack fundamental security controls in browsers so you can deploy a persistent backdoor, and you make a feature allowing meeting organizers to force users' webcams on - you don't get the benefit of the doubt.

The Mac backdoor and the forcing cameras on without consent are not the only issues with Zoom. For example, Ouren has detailed the ways in which Zoom monitors all your screen and app activity, collecting that data both for themselves and for whoever set up the Zoom call.

Touchfaith has detailed ways in which Zoom themselves advertise their surveillance features to bridge administrators. Again this is all without anything that can be reasonably called consent by the end-users.

Felix has detailed how, just like in phishing attacks by cyber criminals, Zoom is trying to trick Mac users into giving their admin password to gain persistence.

Even if I understand the reluctance to get sued by major US companies, I don't see how we in the cyber security industry can honestly call this anything except malware.

This is why my advice remains to uninstall Zoom and refuse Zoom calls. Any company that behaves this way cannot be trusted. Any software that behaves this way is indistinguishable from malware, and should be treated as malware.

Alternatives

Depending on your organization and requirements, you or your IT administrators may not have many alternatives. For example, Zoom is being heavily used in the education field, especially now we all must #StayTheFuckHome. And yet educational establishments often have very constrained IT budgets and they are unlikely to find good alternatives in the edutech industry, which is already well known for forcing surveillance on already vulnerable students & staff. That is no doubt part of the appeal to certain administrators.

Just like with most 'free' online services we all use, we do not have any real uncoerced choice to opt out of the surveillance. Or rather, opting out comes at an unacceptable cost: losing access to the basics of modern life. The consent forms and terms & conditions that we must live with are like the highway robber asking us to choose between 'your money or your life?' - of course we choose our lives.

Malware behaviour and creepy surveillance aside, I have little doubt that Zoom's features and UX are some of the best available - a full free alternative that is as good in every aspect is not realistic.

Most companies use enterprise solutions like Microsoft's Teams for this kind of use case. I'm assuming these tools are not cheap. As part of their COVID-19 response, Microsoft announced they will provide a 6 months free trial version for educational and governmental organizations. These enterprise tools are not free - you are paying for your company and IT admins' ability to control the security and privacy and have a much higher degree of trust in the tools that are accessing sensitive information on everyone's devices.

If you need something free, this open source alternative may be more acceptable. If your admins have sufficient resources and skills, they can also use it to stand up a local instance usable by your staff and students. It is worth remembering that self-hosting is rarely going to be the most secure approach - something that can be partially mitigated by standing the service up on a good cloud hosting provider, especially if additional support services are provided.

Leaders of a non-profit organization I trust have similarly used Big Blue Button for online learning and video calling, with very good results.

Like most things in security, the most important first step is to understand your threat model. Then you make (often Sophie's) choices based on the risks that matter most to you. Then you try to mitigate the remaining issues with those necessarily imperfect choices. Then you make sure this is a continuous ongoing process.

Bottom line - I understand there are very good reasons why many people and organizations (especially the most vulnerable) will be constrained to decide to continue to use Zoom. That said, if you are able, my recommendation remains to uninstall Zoom and refuse Zoom calls.

It is not only for your security and privacy, it is also important for the health of society to send a strong signal that this kind of behaviour by so-called legitimate companies is unacceptable.