Avoid Zoom’s Software — Alternatives

JsKnox
Mar 25, 2021

Keep yourself safe and don’t install Zoom’s Client. Although Zoom aggressively works to get you to download and install their software for video conferences (using “dark patterns”), it isn’t required.

If you’re ever asked to use Zoom, your best solution is to join from your browser, or not at all.

To join Zoom from your browser:

  1. At first the “Join from Your Browser” link is hidden. Zoom may auto-download the web client (delete it).
  2. Click the “Launch Meeting” button, and the “Join from Your Browser” link will appear at the bottom.
  3. Click the “Join from Your Browser” link and you can join the meeting without installing Zoom software.

Sticking with your web browser (and refusing to install their software) affords you at least a little more protection from a range of troubling issues.

What’s wrong with installing Zoom?

⌨️ 🕵️ — Researchers have shown that Zoom could be used as a key-logger while you are connected [1] [2].

🎤 📸 — Zoom’s software could be used to access your microphone and webcam without your knowledge [12] [14].

🐴🚪 — If you ever installed the Zoom client and then uninstalled it, you weren’t in the clear. Zoom retained a localhost server that allowed it to reinstall itself without your knowledge [3]. Apple worked to remove the hidden Zoom server using the same mechanism it typically uses to disable malware [18].

🤖💰 — Hackers often rely on people’s misguided willingness to install software that pops up on their screen. Zoom perpetuates this problem with their aggressive software install; anti-virus maker TrendMicro already found coin-miner malware secretly bundled with Zoom on scam websites [22].

🧟💣 — Cisco Talos discovered two vulnerabilities in the Zoom video chatting application that could allow a malicious user to execute arbitrary code on victims’ machines [23]. Tenable’s researchers found Zoom allowed an attacker to hijack screen controls, spoof chat messages or kick and lock attendees out of meetings [25].
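A defensive check for the kind of leftover localhost server described above, as an added example that is not from the original article or from Zoom: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` and reports loopback-only listeners that you cannot attribute to software you still have installed. The sample output, the `LeftoverH` process name, the port numbers and the allowlist are all constructed for illustration.

```python
import ipaddress

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from a real host).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd        101 root    3u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
LeftoverH   731 alice   5u  IPv4 0x3c4d      0t0  TCP 127.0.0.1:40000 (LISTEN)
postgres    880 alice   7u  IPv6 0x5e6f      0t0  TCP [::1]:5432 (LISTEN)
node       1204 alice  21u  IPv4 0x7a8b      0t0  TCP 127.0.0.1:3000 (LISTEN)
"""


def loopback_listeners(lsof_text):
    """Return (command, pid, port) for each TCP listener bound only to loopback."""
    found = []
    for line in lsof_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        # A listening row has 10 columns and ends with the "(LISTEN)" state.
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        host, _, port = fields[-2].rpartition(":")
        try:
            is_loopback = ipaddress.ip_address(host.strip("[]")).is_loopback
        except ValueError:  # "*" means all interfaces, not loopback-only
            is_loopback = False
        if is_loopback:
            found.append((fields[0], int(fields[1]), int(port)))
    return found


def unexplained(listeners, expected_commands):
    """Keep listeners whose command is not on the allowlist of known software."""
    return [entry for entry in listeners if entry[0] not in expected_commands]


if __name__ == "__main__":
    # Hypothetical allowlist: services the user knowingly runs on this machine.
    known = {"postgres", "node"}
    for command, pid, port in unexplained(loopback_listeners(SAMPLE_LSOF), known):
        print(f"review: {command} (pid {pid}) is listening on localhost:{port}")
```

Run it against a snapshot taken after uninstalling an application; anything it reports is a local web server still running that nothing you knowingly installed accounts for.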

What’s wrong with Zoom (the company)?

  • Zoom misled their customers in their claim of end-to-end encryption [4].
  • Zoom shut down services for dissidents in China holding memorials for the victims of China’s violent suppression of peaceful protests at Tiananmen Square on June 4, 1989 [8][9][10].
  • Zoom has admitted to shutting down services for dissidents at the request of the Chinese Government [11].
  • The FBI has warned of the multiple reports of Zoom conferences being disrupted by pornographic and/or hate images and threatening language (“Zoombombing”) [15].
  • Zoom’s relationship to privacy is considered a “disaster waiting to happen” [5][6].
  • Zoom was found to be leaking people’s email address and photos to strangers [16].
  • A report by The Citizen Lab concluded that Zoom is “Not Suited for Secrets” and has “Questionable Crypto & Encryption Keys Sent to Beijing” [17] [24].

“Zoom is malware.”
— Arvind Narayanan, associate computer science professor at Princeton University [21].

  • Given the abundance of risks imposed by Zoom, many have moved to ban Zoom: Daimler AG, Ericsson AB, NXP Semiconductors NV, Bank of America, Tesla, Google, and the governments of Taiwan, Singapore, India, Germany, Australia, and more [19] [20].
  • Zoom has been probed by at least three states, the SEC, and the DOJ for potential privacy violations and “Zoombombing”. In one case, a government forum on the Census was flooded with profane messages in the chat box [7].

There are plenty of video conferencing options available. Do yourself a favor and consider one of the many alternatives. If you need a list of teleconference services, you might consider a video meeting service that’s also safe for healthcare security.

Citations

  1. “This horrifying Zoom hack will deter you from ever side-chatting again” November 11, 2020. https://www.fastcompany.com/90570509/this-horrifying-zoom-hack-will-deter-you-from-ever-side-chatting-again
  2. “Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks” October 22, 2020. https://arxiv.org/abs/2010.12078
  3. “Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!” July 8, 2019. https://infosecwriteups.com/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
  4. “Zoom Meetings Aren’t End-To-End Encrypted, Despite Misleading Marketing” March 31, 2020. https://theintercept.com/2020/03/31/zoom-meeting-encryption/
  5. “Zoom is a work-from-home privacy disaster waiting to happen” March 13, 2020. https://mashable.com/article/zoom-conference-call-work-from-home-privacy-concerns/
  6. “Zoom Calls Aren’t as Private as You May Think. Here’s What You Should Know.” March 30, 2020. https://www.consumerreports.org/video-conferencing-services/zoom-teleconferencing-privacy-concerns/
  7. “States probe Zoom for possible privacy violations after officials’ calls are Zoombombed” April 3, 2020. https://www.cnbc.com/2020/04/03/zoom-probed-by-three-states-for-potential-privacy-violations.html
  8. “Zoom Says It’s Being Probed by SEC, Two U.S. Attorneys Offices” December 18, 2020. https://www.bloomberg.com/news/articles/2020-12-19/zoom-says-it-s-being-probed-by-sec-two-u-s-attorneys-offices
  9. “Our Perspective on the DOJ Complaint” December 18, 2020. https://blog.zoom.us/our-perspective-on-the-doj-complaint/
  10. “China-based Zoom employee charged for secretly censoring Tiananmen Square anniversary events” December 18, 2020. https://www.theverge.com/2020/12/18/22189519/zoom-julien-xinjiang-jin-charged-harassment-tiananmen-square-anniversary-events
  11. “Zoom admits to shutting down activist accounts at the request of the Chinese government” June 11, 2020. https://techcrunch.com/2020/06/11/zoom-admits-to-shutting-down-activist-accounts-at-the-request-of-the-chinese-government/
  12. “A Zoom Flaw Gives Hackers Easy Access to Your Webcam”. July 9, 2019. https://www.wired.com/story/zoom-bug-webcam-hackers/
  13. “Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account” March 26, 2020. https://www.vice.com/en/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account
  14. “The ‘S’ in Zoom, Stands for Security. uncovering (local) security flaws in Zoom’s latest macOS client”. March 30, 2020. https://objective-see.com/blog/blog_0x56.html
  15. “FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic” March 30, 2020. https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
  16. “Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers” April 1, 2020. https://www.vice.com/en/article/k7e95m/zoom-leaking-email-addresses-photos
  17. “Move Fast and Roll Your Own Crypto — A Quick Look at the Confidentiality of Zoom Meetings” April 3, 2020. https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
  18. “Apple has pushed a silent Mac update to remove hidden Zoom web server” July 10, 2019. https://techcrunch.com/2019/07/10/apple-silent-update-zoom-app/
  19. “Zoom backlash intensifies as companies from Daimler to BofA institute bans and curbs over security concerns” April 23, 2020. https://fortune.com/2020/04/23/zoom-backlash-daimler-bank-of-america-bans-curbs-security-concerns/
  20. “Indian government latest to ban Zoom” April 17, 2020. https://www.techradar.com/news/india-comes-down-on-the-use-of-zoom
  21. “‘Zoom is malware’: why experts worry about the video conferencing platform” April 2, 2020. https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing
  22. “Zoomed In: A Look into a Coinminer Bundled with Zoom Installer” April 3, 2020. https://www.trendmicro.com/en_us/research/20/d/zoomed-in-a-look-into-a-coinminer-bundled-with-zoom-installer.html
  23. “Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution” June 3, 2020. https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html
  24. “Zoom Shared US User Data With Beijing to Ensure Chinese Market Access, Court Documents Show” December 21, 2020. https://www.theepochtimes.com/zoom-shared-american-user-data-with-beijing-to-ensure-access-to-chinese-market-court-documents-show_3627905.html
  25. “Tenable Research Advisory: Zoom Unauthorized Command Execution (CVE-2018-15715)” November 29, 2018. https://www.tenable.com/blog/tenable-research-advisory-zoom-unauthorized-command-execution-cve-2018-15715
