Business | July 16, 2019

The Zoom video conferencing exploit that sends ninja waiters into your home


A vulnerability has hit users everywhere, New Zealand included, and it reveals something very troubling about the way the tech world works

New Zealand schools, district health boards and even perhaps the halls of power have found themselves compromised by a vulnerability in a video conference app called Zoom. The exploit allows anyone to send an unsolicited call request to any Mac computer running Zoom, which will automatically open the target’s webcam. The request can be planted anywhere, including in a banner ad, and triggers without user input. Zoom were alerted to the issue in March but did very little to fix it, and the tech world is in uproar.

Zoom is near-ubiquitous in the NZ education sector: Victoria, Auckland, Otago and Waikato Universities all have Zoom portals for students and staff, and the VLN Primary School programme has installed it in almost 100 Kiwi schools. It’s also being trialled as part of a remote healthcare programme in four DHBs in the upper North Island. It’s popular in and around the Beehive – it’s used by some politicians and support staff, among them Marama Davidson.

Of the four parties approached, only National has replied; a spokesperson said, “We don’t use Zoom for any of our primary video conferencing.”

Though the major tech companies we spoke to appeared unaffected, it seems highly likely that some offices have been exposed to the vulnerability – in a Twitter thread less than a week prior to the incident, Kiwi developers overwhelmingly said Zoom was their first choice for video conferencing. Trade Me told us they only have a small number of devices with Zoom installed, and that they deployed a fix as soon as they became aware of the problem. Xero have declined to comment.

The issue is in how the application handles macOS and Safari security. Specifically, by ignoring it. It’s wrong to call this a bug: Zoom appear to have intentionally busted a lock to allow their app to launch calls with one less click, which opened devices up to attack. While it’s primarily a Mac issue, it can also affect Windows in certain circumstances.

When you install the Zoom app on a Mac device, you also get the Zoom web server bundled with it, and the web server remains even if you uninstall the app. Each affected device has its own secret web server, virtually undetectable. It circumvents a number of normal protections in order to give you a speedy connection – if you’ve ever used Zoom, you might’ve noticed that it didn’t ask to connect. That’s the problem: the Zoom web server doesn’t ask. Few applications will install a web server on your device, even fewer install one without notifying you, and absolutely none of them should do stuff without letting you know.

A web server is like a waiter: its job is to take requests from the restaurant (app) to the kitchen (database), then bring a specific item back out to the user. A Zoom server is a ninja waiter who follows you home with lockpicks so he can serve you breakfast in bed. Sure, breakfast in bed is great, but the problem is that he broke into your house. The server also reinstalls Zoom if it sees a connect request, so our friendly waiter will break in at very little prompting, with the whole restaurant in tow. But, he explains as you shout at him from beneath the covers, I saw a man outside who said you wanted us here. He seemed trustworthy. Lock the door behind me? What if we want to come back? 

When we talk about how Zoom does stuff, the really scary problem reveals itself: Remote Code Execution. RCE is exactly what it sounds like: it’s when somebody who isn’t you runs code on your computer. Zoom was executing code in response to remote calls from anyone, not just from Zoom, and as recently as last year somebody malicious with access to one of the servers could use it to take over the compromised computer. If that happens to you and you’re lucky, they’ll mine Bitcoin on it at 3am; if you’re unlucky, you’ve got a $2000 paperweight; if you’re really unlucky then they’ve got your credit card number, your IRD number, and everything else you had on your computer.

As is standard practice, Jonathan Leitschuh – the engineer who found the exploit – gave Zoom 90 days to remedy it before he went public. They implemented a ‘quick fix’ that papered over the cracks. On June 11, 18 days before their deadline ran out, they held a meeting to decide what to do, and apparently decided that their quick fix was sufficient, even though an attacker could still remotely activate your webcam with no warning just by emailing you a link.

The quick fix stopped working on July 7. When Zoom were informed, they told Leitschuh to change his settings: “Zoom believes in giving our customers the power to choose how they want to Zoom. This includes whether they want a seamless experience in joining a meeting with microphone and video automatically enabled, or if they want to manually enable these input devices after joining a meeting. Such configuration options are available in the Zoom Meeting client audio and video settings.”

Then it hit Twitter, and everything went insane. Less than 24 hours later, Zoom announced that they would remove the web servers. Before they could, Apple beat them to it. At 7pm Wednesday NZ time Apple shut the servers down, and major tech companies are now in talks about changing the way browsers and operating systems handle permissions. This shouldn’t have happened: in the drive to be the best, Zoom put their users in danger. Or, to quote Catalyst’s Jason Ryan: “Software should serve the user, which is sadly not the case in this instance.”

The problem is that the most obvious fix (forcing Zoom to ask for permissions) will increase the time video calls take to connect, and their speed is their whole unique selling point. It’s right there in the name: Zoom, it’s the fast one. Breaking a lock is faster than knocking, after all.

This whole incident reveals something very troubling about the way the tech world works. Mark Zuckerberg infamously said “move fast and break things”, and much of Silicon Valley has taken it as its mantra. That might’ve been acceptable for young men building a social media network, but computers run our lives now and – more often than not – the things getting broken are us. Move fast and break things is a fine philosophy for a bull in a Briscoes, but it’s another thing entirely to hear from the bus driver.

Zoom didn’t fold because they changed their minds about the vulnerability: they folded because tech Twitter got hold of the information and it suddenly became impossible to ignore. They were informed of the problem months ago, and they only did something when the wider internet became aware of it. Before that they did the bare minimum and, when told it wasn’t working, they rolled their eyes and told Leitschuh to change his settings. Security testing and patching are complex and difficult, and nobody expects a perfect job every time, but Zoom didn’t even try until the internet forced their hand. Even then, they didn’t get to the killswitch in time; Apple were the ones who came in and shut it down, less than 48 hours after being informed of the exploit.

Zoom opened Kiwi schools, homes, and halls of power up to surveillance and attack. Why? Because it let them move fast, and they didn’t appear to care who got broken.

Credit for assistance goes to Sana Oshika and several developers who would prefer to go unnamed. 
