Zoom Accused of Misleading Users With ‘End-to-End Encryption’ Claims

Zoom is facing fresh scrutiny today following a report that the videoconferencing app's encryption claims are misleading.


Zoom states on its website and in its security white paper that the app supports end-to-end encryption, a term that refers to protecting content so that only the communicating endpoints can decrypt it and the company operating the service has no access to it whatsoever.

However, an investigation by The Intercept reveals that Zoom secures video calls using TLS encryption, the same technology that web servers use to secure HTTPS websites:
This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won't stay private from the company.
As the report makes clear, for a Zoom meeting to be end-to-end encrypted, the call would need to be encrypted with keys that exist only on the participants' devices, so that only the people in the meeting can decrypt it and Zoom's servers relay ciphertext they cannot read. That is not what the service offers.

When asked by The Intercept to comment on the finding, a spokesperson for Zoom denied that the company was misleading users:
"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point… The content is not decrypted as it transfers across the Zoom cloud."
Technically, Zoom's in-meeting text chat appears to be the only feature of Zoom that is actually end-to-end encrypted. Because the TLS connections for video and audio terminate at Zoom's servers rather than on the participants' devices, the service has the technical ability to access private meetings and could be compelled to hand over meeting content or recordings to governments or law enforcement in response to legal requests.

Zoom told The Intercept that it only collects user data that it needs to improve its service – this includes IP addresses, OS details, and device details – but it doesn't allow employees to access the content of meetings.

Last week, Zoom's data sharing practices were criticized after it emerged that its iOS app was sending device and usage data to Facebook, through the Facebook SDK bundled for its log-in feature, without disclosing the fact to customers. The company subsequently updated the app to remove its Facebook log-in feature and stop the data transfer.
This article, "Zoom Accused of Misleading Users With 'End-to-End Encryption' Claims" first appeared on MacRumors.com

Discuss this article in our forums

Israel Passes Emergency Law to Track and Trace Mobile Users With Suspected COVID-19

Israel has passed emergency measures that will allow security agencies to track the smartphone data of people with suspected COVID-19 and find others they may have come into contact with (via BBC News).


The Israeli government said the new powers will be used to identify people infected with coronavirus and make sure they're following quarantine rules.

On Monday, an Israeli parliamentary subcommittee discussed a government request to authorize the security service to assist in a national campaign to stop the spread of COVID-19, but the group decided to delay voting on the request, arguing that it needed more time to assess it.

The emergency law was passed on Tuesday during an overnight sitting of the cabinet, effectively bypassing parliamentary approval.

The government has yet to explain how the mobile tracking will work, but the BBC reports that location data obtained from telecommunications companies by Shin Bet, the domestic security agency, is expected to be shared with health officials.

Israeli prime minister Benjamin Netanyahu last week announced his intention to bypass parliamentary oversight in order to push through the emergency regulations. Netanyahu says the new powers will last for 30 days only. Civil liberties campaigners in Israel called the move "a dangerous precedent and a slippery slope."

Israel is still in the relatively early stages of the pandemic. It had 200 confirmed cases of the coronavirus as of Tuesday morning. On Wednesday, the country's health ministry reported that cases had risen to 427.

Note: Due to the political or social nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.
This article, "Israel Passes Emergency Law to Track and Trace Mobile Users With Suspected COVID-19" first appeared on MacRumors.com


iPhones Can Now Be Used to Generate 2FA Security Keys for Google Accounts

A new update to Google's Smart Lock iOS app lets users set up their iPhone or iPad as a security key for two-factor authentication when signing into Google services in the Chrome browser.

Once the feature is set up in the app, an attempt to log in to a Google service via Chrome on another device, such as a laptop, sends a push notification to the user's iOS device.

The user then has to unlock their iPhone or iPad using Face ID or Touch ID and confirm the log-in attempt in the Smart Lock app before the sign-in can complete on the other device.

After installing the update, users are asked to select a Google account to set up their phone's built-in security key. According to a Google cryptographer, the feature makes use of Apple's Secure Enclave, the isolated coprocessor that holds biometric and cryptographic key material on iOS devices, so the private key that confirms a sign-in never leaves the phone.

The Smart Lock app requires that Bluetooth is enabled on both the iPhone/iPad and the other device for two-factor authentication to work, so they have to be in close proximity. That is the advantage of the system: the approval is bound to the device physically next to the browser, so it cannot be relayed over the internet to complete a login that an attacker started somewhere else.

The Google Smart Lock app is a free download for iPhone and iPad on the App Store.

(Via 9to5Google.com)


This article, "iPhones Can Now Be Used to Generate 2FA Security Keys for Google Accounts" first appeared on MacRumors.com


‘Turkish Crime Family’ Hacker Pleads Guilty to Blackmailing Apple

A 22-year-old man who claimed to be the spokesman for a hacker group called the "Turkish Crime Family" has pleaded guilty in London to trying to blackmail Apple, reports Bloomberg.


In March 2017, Kerem Albayrak claimed to have access to several million iCloud accounts and demanded that Apple pay $75,000 in cryptocurrencies, or he would reset a number of the accounts and make the database available online. He later raised his demand to $100,000.

Apple responded to the ransom threat at the time by saying there had been no breaches of its systems. Indeed, according to the U.K.'s National Crime Agency (NCA), the data Albayrak claimed to have came from previously compromised third-party services, and most of the credentials were inactive, as Apple had originally said. Credentials from such breaches only open an iCloud account whose owner reused the same password elsewhere, which is why no breach of Apple's systems was needed for the threat to sound plausible.

A senior investigative officer at the NCA said in a statement that during the investigation, "it became clear that Albayrak was seeking fame and fortune."
Branded a "fame-hungry cyber-criminal" by the NCA, Albayrak told investigators that "when you have power on the internet it's like fame and everyone respects you, and everyone is chasing that right now."
Albayrak avoided prison time and instead was given a two-year suspended sentence following the NCA investigation. He was also sentenced to a six-month electronic curfew and 300 hours of unpaid work.


This article, "'Turkish Crime Family' Hacker Pleads Guilty to Blackmailing Apple" first appeared on MacRumors.com


Google Pixel 4’s Face Unlock Feature Works With Eyes Closed, Sparking Security Concerns

Google has ignited security concerns over the facial authentication system in its new Pixel 4 smartphone by admitting that it will unlock the device even when the user's eyes are shut.


Google unveiled the Pixel 4 this week to mostly positive reviews, many of which praised the phone for its super-fast new face unlock system, which replaces the fingerprint sensor and works much the same as Apple's Face ID on iPhones, except for one key security feature.

The BBC has discovered that the Pixel 4 can be unlocked with the user's face even if they're asleep (or pretending to be asleep). That contrasts with Apple's Face ID system, which by default has "Require Attention for Face ID" enabled, so the iPhone unlocks only when the user's eyes are open and looking at the screen. That attention check can be disabled for convenience, but the Pixel 4 lacks an equivalent security feature entirely.

To its credit though, Google isn't hiding this fact. A Google support page reads: "Your phone can also be unlocked by someone else if it's held up to your face, even if your eyes are closed. Keep your phone in a safe place, like your front pocket or handbag."

To "prepare for unsafe situations," Google recommends holding the power button for a couple of seconds and tapping Lockdown, which turns off notifications and face recognition unlocking.

In early leaks of the Pixel 4, screenshots revealed a "require eyes to be open" setting for face unlock, so it looks as if Google tried to implement a similar feature to Apple's Attention Aware, but couldn't get it working in time for the device's launch.


Speaking before the launch, Pixel product manager Sherry Lin said: "There are actually only two face [authorisation] solutions that meet the bar for being super-secure. So, you know, for payments, that level - it's ours and Apple's."

Cyber-security experts disagree.

"If someone can unlock your phone while you're asleep, it's a big security problem," security blogger Graham Cluley told the BBC. "Someone unauthorized - a child or partner? - could unlock the phone without your permission by putting it in front of your face while you're asleep."

In a statement given to the BBC, Google said it would "continue to improve Face Unlock over time."


This article, "Google Pixel 4's Face Unlock Feature Works With Eyes Closed, Sparking Security Concerns" first appeared on MacRumors.com


How to Use Firefox Private Network to Encrypt Your Web Traffic

Mozilla this week began piloting its own browser-based VPN service, and if you're located in the U.S. you can start testing it for free right away.

Called the Firefox Private Network, the service promises Firefox users an encrypted path to the web that prevents eavesdroppers on the local network from seeing which sites you visit and hides your IP address, and therefore your approximate location, from websites and ad trackers. Your traffic is still visible to whoever operates the proxy, so you are trusting that operator instead of your ISP or the Wi-Fi network.

Because it is a browser extension, it won't protect any internet traffic outside Firefox, but it's a good option if you want an encrypted connection on the fly when you're using Firefox on a public Wi-Fi network, for example.


As a time-limited beta, the Firefox Private Network is currently free to try, although that wording suggests it may become a paid service in the future. You also need to be a U.S. resident logged into your Firefox account in the Firefox desktop browser.

If you can fulfill those pre-requisites, you can install the private network by navigating to this page, clicking the blue + Add to Firefox button, then granting permission for the network to be added to the browser.


Click the door hanger icon that appears at the top-right corner of the toolbar, and you'll see a switch that you can use to toggle the VPN on and off. A green tick in the icon indicates the secure network is active and your browsing activity is being encrypted.

The Opera browser offers a similar free VPN service that cloaks your web browsing, with the added benefit that it lets you choose the region your connection appears to come from. So if you're looking to access a location-restricted service (Netflix, say) from abroad, you might have better luck using it instead.


This article, "How to Use Firefox Private Network to Encrypt Your Web Traffic" first appeared on MacRumors.com


Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack

An Israeli security firm claims it has developed a smartphone surveillance tool that can harvest not only a user's local data but also all their device's communications with cloud-based services provided by the likes of Apple, Google, Amazon, and Microsoft.


According to a report from the Financial Times [paywalled], the latest Pegasus spyware sold by NSO Group is being marketed to potential clients as a way to target data uploaded to the cloud. The tool is said to work on many of the latest iPhones and Android smartphones, and can continue to harvest data even after the tool is removed from the original mobile device.
The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.

This grants open-ended access to the cloud data of those apps without "prompting 2-step verification or warning email on target device", according to one sales document.
Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target's location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.

When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn't specifically deny that it had developed the capability described in the documents.

In response to the report, Apple told FT that its operating system was "the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers." The company added that it regularly updates its operating system and security settings.

The news raises concerns that such spyware could be used by repressive regimes and other shady attackers to monitor members of the public. In May, for example, WhatsApp disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

Security researchers said that the spyware that took advantage of the WhatsApp flaw featured characteristics of the Pegasus spyware from NSO Group, which maintains that its software, costing millions of dollars, is only sold to responsible governments to help prevent terrorist attacks and assist criminal investigations.

However, the WhatsApp flaw was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.



This article, "Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack" first appeared on MacRumors.com


Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to mount a denial-of-service (DoS) attack on a Mac by repeatedly joining the user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.
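The class of bug described above, a loopback HTTP server that any webpage can drive, is easiest to see beside its fix. The following is an added Go example, not Zoom's code and not a reproduction of Zoom's actual local server or its endpoints: the hypothetical helper's `/launch` route, the `X-Helper-Token` header, the allowlisted origin and the meeting ID are all illustrative assumptions. The vulnerable handler acts on any GET, which is exactly what an `<img>` tag on a hostile page produces; the hardened handler requires a POST carrying a per-install secret and checks any Origin header it receives.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// Launcher stands in for the helper's real job (joining a meeting, enabling the camera);
// here it only records which meeting IDs it was told to launch.
type Launcher struct {
	mu       sync.Mutex
	launched []string
}

func (l *Launcher) Launch(meeting string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.launched = append(l.launched, meeting)
}

func (l *Launcher) Launched() []string {
	l.mu.Lock()
	defer l.mu.Unlock()
	return append([]string(nil), l.launched...)
}

// vulnerableHandler acts on any GET. A hostile page triggers it with
// <img src="http://localhost:PORT/launch?meeting=123">; that request carries no Origin
// header, needs no CORS preflight, and gives the user no chance to object.
func vulnerableHandler(l *Launcher) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		l.Launch(r.URL.Query().Get("meeting"))
		w.WriteHeader(http.StatusOK)
	})
}

// hardenedHandler acts only when: the method is POST (a bare <img>/<script> GET never
// qualifies); a per-install secret arrives in a custom header (a foreign page does not know
// it, and setting it forces a CORS preflight this server never approves); and any Origin
// header that is present is on the allowlist.
func hardenedHandler(l *Launcher, secret string, allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		token := []byte(r.Header.Get("X-Helper-Token"))
		if subtle.ConstantTimeCompare(token, []byte(secret)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" && !allowed[origin] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		l.Launch(r.URL.Query().Get("meeting"))
		w.WriteHeader(http.StatusOK)
	})
}

// newSecret generates the per-install token the legitimate caller is given at install time.
func newSecret() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// send issues one request with the headers a browser would attach in that scenario.
func send(method, url string, headers map[string]string) int {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		panic(err)
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Result holds the status codes seen by each caller and what each helper actually launched.
type Result struct {
	VulnImgGet, HardImgGet, HardForgedPost, HardTrustedPost int
	VulnLaunched, HardLaunched                              []string
}

// runScenario starts both helpers on loopback and replays three callers: an <img> GET from
// a hostile page, an auto-submitted cross-origin form POST, and the legitimate caller.
func runScenario() Result {
	vl, hl := &Launcher{}, &Launcher{}
	secret := newSecret()
	vuln := httptest.NewServer(vulnerableHandler(vl))
	defer vuln.Close()
	hard := httptest.NewServer(hardenedHandler(hl, secret, map[string]bool{"https://app.example": true}))
	defer hard.Close()
	target := "/launch?meeting=123" // constructed attacker-chosen meeting ID
	res := Result{
		VulnImgGet:      send(http.MethodGet, vuln.URL+target, nil),
		HardImgGet:      send(http.MethodGet, hard.URL+target, nil),
		HardForgedPost:  send(http.MethodPost, hard.URL+target, map[string]string{"Origin": "https://attacker.example"}),
		HardTrustedPost: send(http.MethodPost, hard.URL+target, map[string]string{"X-Helper-Token": secret}),
	}
	res.VulnLaunched, res.HardLaunched = vl.Launched(), hl.Launched()
	return res
}

func main() {
	r := runScenario()
	fmt.Printf("vulnerable helper: img GET -> %d, launched %v\n", r.VulnImgGet, r.VulnLaunched)
	fmt.Printf("hardened helper:   img GET -> %d, forged POST -> %d, trusted POST -> %d, launched %v\n",
		r.HardImgGet, r.HardForgedPost, r.HardTrustedPost, r.HardLaunched)
}
```

After a bare GET the vulnerable helper has already launched the attacker's meeting, while the hardened helper only launched for the caller that knew the secret. The Origin check is a second line, not the first: an `<img>` request carries no Origin header at all, so a server that relied on Origin alone would wave that request through, which is why the unguessable token is the primary control.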

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to address the vulnerability, users can mitigate it themselves by disabling the setting that allows Zoom to turn on the Mac's camera when joining a meeting. Note that this keeps the camera off but does not stop a webpage from pulling the Mac into a call.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."


This article, "Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams" first appeared on MacRumors.com


Data Extraction Company Cellebrite Touts New Software for Cracking iPhones and iPads Running up to iOS 12.3

Israel-based software developer Cellebrite, known for breaking into mobile devices like the iPhone to obtain sensitive data, has announced that it can now unlock any iOS device running up to iOS 12.3, which was released only a month ago.


The firm revealed the capability in a tweet posted late Friday advertising UFED Premium, the latest version of its Universal Forensic Extraction Device.

On its UFED web page, Cellebrite describes the tool's ability to glean forensic data from any iOS device dating back to iOS 7, as well as from Android devices made by Samsung, Huawei, LG, and Xiaomi.

The Israeli firm describes UFED Premium as "the only on-premise solution for law enforcement agencies to unlock and extract crucial mobile phone evidence from all iOS and high-end Android devices."

If the claims are accurate, Cellebrite's tool will enable authorities to potentially crack the vast majority of smartphones currently available on the market. As Wired notes, no other law enforcement contractor has made such broad claims about a single product, at least not publicly.

Apple continually introduces improvements to the security of its operating systems in order to keep ahead of companies like Cellebrite that are always searching for flaws and vulnerabilities to exploit in order to access the data on locked iOS devices.

For example, in October 2018 Apple successfully thwarted the "GrayKey" iPhone passcode hack, sold by Atlanta-based company Grayshift, which had also been in use by U.S. law enforcement.

Cellebrite first garnered significant attention in 2016, when it was believed the company was enlisted to help the FBI break into the iPhone 5c of San Bernardino shooter Syed Farook after Apple refused to provide the FBI with tools to unlock the device.

The FBI did not use Cellebrite's services for that particular case, but several United States government agencies do regularly work with Cellebrite to unlock iOS devices.

According to Wired's sources, Grayshift has developed tools to unlock at least some versions of iOS 12. If true, the firm is still keeping its cards close to its chest, but probably not for much longer.

Even as Apple works to increase the security of its iOS devices, Cellebrite's brazen announcement suggests the cat-and-mouse game of exploiting vulnerabilities in mobile device software will only become more competitive, as rival companies attempt to grab a bigger share of the market.



This article, "Data Extraction Company Cellebrite Touts New Software for Cracking iPhones and iPads Running up to iOS 12.3" first appeared on MacRumors.com


Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages

Apple and other tech giants have joined civil society groups and security experts in condemning proposals from Britain's cybersecurity agency that would enable law enforcement to access end-to-end encrypted messages (via CNBC).

British Government's Communications HQ in Cheltenham, Gloucestershire

In an open letter to the U.K.'s GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp urged the U.K. eavesdropping agency to ditch plans for its so-called "ghost protocol," which would require encrypted messaging services to silently deliver a copy of a message to an additional recipient at the same time as sending it to its intended user.

Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis, published details of the proposal in November 2018. In the essay, Levy and Robinson claimed the system would enable law enforcement to access the content of encrypted messages without breaking the encryption.

The officials argued it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," and claimed this would be "no more intrusive than the virtual crocodile clips," which are currently used in wiretaps of non-encrypted chat and call apps.

Signatories of the letter opposing the plan argued that the proposal required two changes to existing communications systems that were a "serious threat" to digital security and fundamental human rights, and would undermine user trust.
"First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.

"Second, in order to ensure the government is added to the conversation in secret, GCHQ's proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.

"The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people. The GCHQ's ghost proposal completely undermines this trust relationship and the authentication process."
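The two changes the letter lists (a provider injecting an extra public key, and clients suppressing the new-participant notification) can be shown with a small group-key model. This is an added Go example using X25519 from Go's standard library, written for this page and not code from any messaging app or from GCHQ's essay; the member names, the eight-byte fingerprint, and the way a per-recipient key is derived (X25519 agreement hashed with SHA-256) are illustrative assumptions. The naive client wraps for whoever the service lists; the checking client compares the served roster against the one the user verified and refuses to send when a key has been added.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Member is one chat participant holding an X25519 key pair; only the public key is shared.
type Member struct {
	Name string
	Priv *ecdh.PrivateKey
}

func newMember(name string) Member {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Member{Name: name, Priv: priv}
}

// fingerprint is the short hash a client shows as a safety number for a public key.
func fingerprint(pub *ecdh.PublicKey) string {
	sum := sha256.Sum256(pub.Bytes())
	return hex.EncodeToString(sum[:8])
}

// Roster is the set of recipient public keys the service claims a conversation has,
// keyed by fingerprint.
type Roster map[string]*ecdh.PublicKey

func rosterOf(pubs ...*ecdh.PublicKey) Roster {
	r := Roster{}
	for _, p := range pubs {
		r[fingerprint(p)] = p
	}
	return r
}

// newParticipants lists fingerprints in current that the user never verified. Showing this
// list is the notification the letter says the ghost proposal would have to suppress.
func newParticipants(pinned, current Roster) []string {
	var added []string
	for fp := range current {
		if _, ok := pinned[fp]; !ok {
			added = append(added, fp)
		}
	}
	sort.Strings(added)
	return added
}

// recipientKey is the per-recipient key the sender derives to wrap a message key for one
// recipient: X25519 agreement between the sender's key and that recipient's public key.
func recipientKey(sender Member, pub *ecdh.PublicKey) []byte {
	shared, err := sender.Priv.ECDH(pub)
	if err != nil {
		panic(err)
	}
	k := sha256.Sum256(shared)
	return k[:]
}

// wrapForRoster is the naive client: it wraps for everyone the service lists, so a silently
// injected public key receives key material like any other member.
func wrapForRoster(sender Member, current Roster) map[string][]byte {
	out := map[string][]byte{}
	for fp, pub := range current {
		out[fp] = recipientKey(sender, pub)
	}
	return out
}

// sendChecked is the client users are relying on: it compares the roster the service
// presents against the one the user pinned and refuses to send if keys were added.
func sendChecked(sender Member, pinned, current Roster) (wrapped map[string][]byte, injected []string) {
	if injected = newParticipants(pinned, current); len(injected) > 0 {
		return nil, injected
	}
	return wrapForRoster(sender, current), nil
}

func main() {
	alice, bob, ghost := newMember("alice"), newMember("bob"), newMember("ghost")
	pinned := rosterOf(alice.Priv.PublicKey(), bob.Priv.PublicKey())
	// The provider "surreptitiously injects a new public key into the conversation".
	served := rosterOf(alice.Priv.PublicKey(), bob.Priv.PublicKey(), ghost.Priv.PublicKey())

	naive := wrapForRoster(alice, served)
	ghostDerives := recipientKey(ghost, alice.Priv.PublicKey()) // X25519 agreement is symmetric
	fmt.Println("naive client: ghost can derive the key:",
		bytes.Equal(naive[fingerprint(ghost.Priv.PublicKey())], ghostDerives))

	_, injected := sendChecked(alice, pinned, served)
	fmt.Println("checking client: refused to send, unverified keys:", injected)
}
```

Nothing about the encryption is broken in either path; the ghost reads the message because the naive sender encrypted to it. That is the letter's point: the proposal works only if clients stop doing the roster comparison that `sendChecked` performs, and a client that keeps doing it turns the silent addition into a visible alert.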
Apple's strong stance against weakened device protections for the sake of law enforcement access was highlighted in the 2016 Apple vs. FBI conflict that saw Apple refuse to create a backdoor access solution to allow the FBI to crack the iPhone 5c owned by San Bernardino shooter Syed Farook.

Responding to the open letter, which was first sent to GCHQ on May 22, the National Cyber Security Centre's Ian Levy told CNBC: "We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion."

"We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible," Levy said.



This article, "Apple and Other Tech Giants Condemn GCHQ Proposal to Eavesdrop on Encrypted Messages" first appeared on MacRumors.com
