On Tuesday 9th of July, software engineer and tech journalist Jonathan Leitschuh published an article on tech blog Medium outlining a security vulnerability he had uncovered within the Zoom video conferencing system.
Zoom responded to the disclosure on the same day, and has since released updates that they state will address the issue.
I am aware that many telehealth practitioners use this platform to perform online health consultations, so I was very keen to understand what implications this security breach may have on digital health practice.
In this post I will endeavour to simplify and summarise what I have learned.
What was the identified problem with Zoom?
Basically, if you install the Zoom app on a Mac, it puts a web server on your computer.
A web server is software designed to activate a domain link request. In this context, this server is what makes the Zoom application open when you click on the meeting link.
With this web server installed on your computer, your camera and microphone can be accessed remotely without your approval if you visit a website designed to exploit this vulnerability.
Even if you delete the Zoom app, this web server still remains on your computer, meaning someone could obtain access to your computer and use the web server to reinstall your Zoom without you approving it.
The presence of this server on your computer also means that someone can interfere with your computer and block your computer from working at all. The techies call this DOS: ‘denial of service’.
Was this an accident or a bug on Zoom’s part?
No. This is how Zoom was built to work on a Mac computer.
This was intentional design and is not a recent change or bug.
Zoom engineered this system to bypass to Apple’s security blocks.
Zoom did this to improve usability on Mac computers (one less click to join a call).
Unfortunately, this bypass simultaneously created a security vulnerability.
Are there recorded incidents of this Zoom vulnerability being taken advantage of?
No. There are no reported incidences of this vulnerability being used to access a user’s camera, reinstall Zoom software once it has been deleted, or carry out a DOS.
(I do wonder, however, whether the publicity that this article generates will trigger a spree of hackers trying to exploit this vulnerability.)
Could other video platforms also have this vulnerability?
To simplify, this comes down to whether a video application works in a browser, or works on your desktop. (Zoom is a desktop application).
What is a browser application?
Browser applications use WebRTC.
WebRTC stands for Web Real Time Communication.
It is an open source project that allows live video to occur in a web browser.
Video calls on WebRTC are encrypted from end to end, enabling these calls to be secure.
Video platforms that use WebRTC, like Coviu, Google hangouts and Facebook Messenger allow you to access a video call by simply clicking a link. (I don’t endorse Google hangouts and Facebook Messenger for telehealth, however).
It is easy and user friendly.
What is a desktop application?
Video conferencing programs that were created prior to the release of WebRTC, or newer applications that have elected not to use WebRTC, require the download of a plugin or app to your computer in order to execute a live video call.
These are known as desktop applications.
Zoom is one of these platforms, along with WebEx, Skype and Skype for Business.
Because these platforms are opening a stand-alone application on your computer, (ie not in a browser) there are traditionally more clicks required to get on the video call.
These platforms therefore have to to find ways to make the experience as simple as possible for the user, ie have less clicks to join.
This is why many of these stand-alone systems have engineered these ‘workarounds’ like Zoom did.
In short, it is likely that other non-WebRTC video conferencing platforms are using similar strategies to Zoom in order to circumvent security restrictions for their plugins.
What has Zoom’s response been?
When Zoom was notified of the vulnerability by Jonathan Leitschuh 90 days before his blog post was published, they did not take any steps to rectify the situation, as they deemed the security risk level to be low.
This lack of action is what prompted the author to publish the blog.
Since the article has been posted, however, Zoom has released a small upgrade on July 9th, and a larger update on July 12th.
Additionally, Zoom are developing an ‘uninstaller app’ to assist Mac users to properly delete both the application and the web server from their computer (although it looks like Apple already has this sorted – see below).
Zoom have also improved controls regarding video settings.
If you select for your video to be off when you enter a call, this setting will be maintained as default for all future calls.
There is no mention of default audio settings however, so it is unclear whether your audio could still be accessed, if not your video.
Apple have acted swiftly to release an instant update to remove the web server in question from Mac users’ computers.
What do I think about all of this?
Security breaches on video platforms have happened before and they will happen again in the future. They can occur on both browser and desktop based systems.
See these examples:
All we, as therapists can do is make the best decision for our digital practice with the information we have at the time.
With telehealth, we need to ensure that we protect ourselves, but we have a responsibility to protect our clients also.
Although we may be diligent with updating our own systems (which tends to solve most of these vulnerabilities as they occur), we cannot trust that our clients are savvy enough to do the same.
For example, if you have used Zoom with a patient in the past, and they have not updated the Zoom app on their computer, they currently remain at risk of having their computer video and audio accessed without their knowledge.
If I had been using Zoom, I’d be investigating alternatives. The appeal of a WebRTC based system is that they do not require a download for the patient. I can therefore sleep easier at night knowing I have not potentially introduced any vulnerabilities into anyone else’s machine.