
Zoom Refutes Claims of AI Training on Calls Without Consent


Zoom has revised its terms of service following concerns that its artificial intelligence (AI) models were being trained on customer calls without consent, leading to a backlash. 

In response, the company clarified in a blog post that audio, video, and chats would not be utilized for AI purposes without proper consent. This move came after users noticed modifications to Zoom's terms of service in March, which raised worries about potential AI training.

The video conferencing platform took action to enhance transparency, asserting that it had introduced changes to address the concerns. 

In June, Zoom introduced AI-powered features, including the ability to summarize meetings without recording the entire session. These features were initially offered as a free trial.

However, experts raised concerns that the initial phrasing of the terms of service could grant Zoom access to more user data than necessary, including content from customer calls. 

Data protection specialist Robert Bateman expressed apprehension about the broad contractual provisions that granted considerable data usage freedom to the service provider.

Zoom later amended its terms to explicitly state that customer consent is required for using audio, video, or chat content to train their AI models. This alteration was made to ensure clarity and user awareness.

AI applications are software tools designed to perform intelligent tasks, often mimicking human behavior by learning from vast datasets. Concerns have arisen over the potential inclusion of personal, sensitive, or copyrighted material in the data used to train AI models.

Zoom, like other tech companies, has intensified its focus on AI products to keep up with the growing interest in the technology. The Open Rights Group, a digital privacy advocacy organization, cautioned against Zoom's approach of launching AI features as a free trial and encouraging customer participation, deeming it more alarming due to potential opacity in its privacy policy.

A spokesperson for Zoom reiterated that customers retain the choice to enable generative AI features and decide whether to share content with Zoom for product improvement. 

The company's Chief Product Officer, Smita Hashim, emphasized that account owners and administrators can opt to activate the features and that those who do so will undergo a transparent consent process for AI model training using customer content. Screenshots displayed warning messages for users joining meetings with AI tools, offering the option to consent or exit the meeting.

With 95% Accuracy, New Acoustic Attack Can Steal Data from Keystrokes


Researchers from UK universities have recently developed a deep learning model that extracts information from keyboard keystrokes recorded by a microphone, with 95% accuracy.

The prediction accuracy dropped to 93% when recordings made over Zoom were used to train the sound classification algorithm, which is still exceedingly good and a record for that medium.

Such an attack has a significantly adverse impact on the users’ data security since it is capable of exposing users' passwords, conversations, messages, and other sensitive information to nefarious outsiders.

Compared to other side-channel attacks, which need specific circumstances and are subject to data-rate and distance restrictions, acoustic attacks are easier to mount because so many everyday devices now come with high-quality microphones.

This makes sound-based side-channel attacks achievable and far more hazardous than previously thought, especially given the rapid advances in machine learning.

Listening to Keystrokes

The first step of the attack is to record keystrokes on the victim's keyboard, since the prediction algorithm needs that data to work. This can be done via a nearby microphone or via the microphone of the target's phone, which may have been compromised by malware.

Additionally, keystrokes can be recorded over a Zoom call, where a rogue meeting attendee compares the messages typed by the target with the audio recording of that person.

The researchers acquired training data by pressing 36 keys on a modern MacBook Pro, 25 times each, and recording the sound produced by each press.

The resulting spectrogram images were used to train the image classifier CoAtNet; it took some trial and error with the epoch, learning rate, and data-splitting parameters to get the best prediction accuracy.

The researchers' tests used the same laptop, whose keyboard has been present in all Apple laptops over the past two years, an iPhone 13 mini positioned 17 cm from the target, and Zoom.

The CoAtNet classifier achieved 95% accuracy on the smartphone recordings and 93% on the content captured via Zoom. Skype, on the other hand, produced comparatively lower accuracy, i.e. 91.7%.

Possible Security Measures

To protect against this kind of side-channel attack, users are advised to try "altering typing styles" or to generate passwords with randomized keys.

Another measure is to use software that generates keystroke sounds or white noise, or software-based keystroke audio filters.

Moreover, since the attack model proved highly effective even against a very quiet keyboard, adding sound dampeners to mechanical keyboards or switching to membrane keyboards is unlikely to help.

Finally, using password managers to avoid manually entering sensitive information and using biometric authentication whenever possible also serve as mitigating factors.

Two Critical Zero-Day Bugs Identified in Zoom Clients and MMR Servers


Two critical bugs in the videoconferencing app Zoom could have led to remote exploitation of Zoom clients and MMR servers. Natalie Silvanovich of Google's Project Zero bug-hunting team on Tuesday released an analysis of the security bugs; the vulnerabilities were uncovered as part of an investigation prompted by a zero-click attack demonstrated at Pwn2Own.

The researcher spotted two different flaws. The first was a buffer overflow issue that impacted both Zoom clients and Zoom Multimedia Routers (MMRs), the servers that transmit audio and video content between clients in on-premise deployments. Additionally, the platform lacked Address Space Layout Randomization (ASLR), a security mechanism that helps guard against memory corruption attacks.

"In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user," the researcher explained in a blog post. "That said, it's likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios."

"ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective," Silvanovich noted. "There is no good reason for it to be disabled in the vast majority of software." 

As MMR servers process call content including audio and video, the researcher says that the bugs are "especially concerning": with a compromised MMR, any virtual meeting without end-to-end encryption enabled would have been exposed to eavesdropping.

As per recent reports, the vulnerabilities were reported to the vendor and patched on November 24, 2021, and Zoom has since enabled ASLR. While most video conferencing systems use open-source libraries such as WebRTC or PJSIP for implementing multimedia communications, Project Zero called out Zoom's use of proprietary formats and protocols as well as its high licensing fees (nearly $1,500) as barriers to security research.
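The point of the ASLR discussion above is that a memory corruption bug is far easier to exploit when the binary it lives in loads at a fixed address. Whether an installed program has opted in is something a defender can check directly from the file headers. The script below is an added example, not code from Project Zero or Zoom: it reads the standard ELF, Mach-O and PE header fields that control base randomization (ELF `e_type`, the Mach-O `MH_PIE` flag, the PE `DllCharacteristics` `DYNAMIC_BASE` bit) and classifies an image as ASLR-capable or not. The sample images in `SAMPLES` are constructed inline so the script runs offline; `audit_file` applies the same check to a real file path.

```python
import struct

# ELF e_type values: ET_EXEC is a fixed-address executable, ET_DYN is
# position-independent (a PIE executable or a shared object).
ET_EXEC, ET_DYN = 2, 3
# Mach-O magics (as read little-endian on x86_64/arm64), file type and flag.
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
MH_EXECUTE = 0x2
MH_PIE = 0x00200000
# PE optional-header DllCharacteristics bit that opts a module into ASLR.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def aslr_status(data: bytes):
    """Classify a raw executable image.

    Returns (format, randomizable): True when the image is built so the loader
    may place it at a random base, False when it is not, None when the format
    is not recognised. Only the first header is inspected; fat Mach-O and
    big-endian Mach-O images are reported as unknown.
    """
    if data[:4] == b"\x7fELF" and len(data) >= 18:
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
        (e_type,) = struct.unpack(endian + "H", data[16:18])
        return "elf", e_type == ET_DYN
    if len(data) >= 28:
        (magic,) = struct.unpack("<I", data[:4])
        if magic in (MH_MAGIC, MH_MAGIC_64):
            (filetype,) = struct.unpack("<I", data[12:16])
            (flags,) = struct.unpack("<I", data[24:28])
            # Dylibs and bundles are always relocatable; MH_PIE matters for executables.
            if filetype != MH_EXECUTE:
                return "macho", True
            return "macho", bool(flags & MH_PIE)
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack("<I", data[0x3C:0x40])
        opt = e_lfanew + 4 + 20                       # skip "PE\0\0" and the COFF header
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 72:
            return "pe", None
        # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+.
        (dll_chars,) = struct.unpack("<H", data[opt + 70:opt + 72])
        return "pe", bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return "unknown", None


def audit_file(path: str):
    """Read just enough of a real file on disk to classify it."""
    with open(path, "rb") as fh:
        return aslr_status(fh.read(4096))


# --- constructed sample images (not real binaries) ---------------------------

def make_elf(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 little-endian header (x86-64) with the given e_type."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack("<HH", e_type, 0x3E) + b"\x00" * 44


def make_macho(flags: int, filetype: int = MH_EXECUTE) -> bytes:
    """Constructed 32-byte 64-bit Mach-O header (arm64) with the given flags."""
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, filetype, 0, 0, flags, 0)


def make_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ image: DOS stub, PE signature, COFF and optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    opt[:2] = struct.pack("<H", 0x20B)                          # PE32+ magic
    opt[70:72] = struct.pack("<H", dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


SAMPLES = {
    "pie-elf": make_elf(ET_DYN),
    "fixed-elf": make_elf(ET_EXEC),
    "pie-macho": make_macho(0x85 | MH_PIE),
    "nopie-macho": make_macho(0x85),
    "aslr-pe": make_pe(0x0140),        # DYNAMIC_BASE | NX_COMPAT
    "noaslr-pe": make_pe(0x0100),      # NX_COMPAT only
}


def report(samples=SAMPLES):
    """Map each sample name to its (format, randomizable) classification."""
    return {name: aslr_status(img) for name, img in samples.items()}


if __name__ == "__main__":
    for name, (fmt, ok) in report().items():
        print(f"{name:12s} {fmt:6s} ASLR-capable={ok}")
```

The check answers only whether the image is eligible for randomization. The operating system must still be configured to apply it, and a PIE main executable that loads one fixed-address module gives an attacker a stable anchor anyway, so every module in the process deserves the same inspection.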

"These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered," Silvanovich said. "Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it." 

Last year in November, Zoom rolled out automatic updates for the software's desktop customers on Windows and macOS, as well as on mobile. Previously, this feature was only accessible to business users.

Zoom Security Flaw: Now Hackers Can Take Control Of Your PC, Wait For Patch

Zoom security issues have lately been troubling users worldwide, and frequently. The Zoom video conferencing app was not in the limelight before the pandemic; since the onset of Covid-19, however, much has changed in the way people live and work. As working from home became a necessity and the app's popularity grew suddenly, Zoom was compelled to adopt additional security measures.

However, it is now being observed that the security measures taken a year ago are failing to protect users' data from threat actors.

Researchers exploited a vulnerability and carried out a remote code execution (RCE) attack to take control of host PCs. Two researchers from the cybersecurity firm Computest demonstrated the vulnerability at the Pwn2Own 2021 competition, organized by the Zero Day Initiative. The two, Daan Keuper and Thijs Alkemade, were awarded $200,000 for their findings.

How does this work?

First, the attacker has to be part of the same organizational domain as the host PC's user, or has to get permission from the host to join the meeting. Once the attackers are in the meeting, they can run a three-step chain that installs an RCE backdoor on the victim's PC.

In other words, the threat actors gain access to your PC and can then run remote commands, which gives them access to your sensitive data.

What is even more dangerous is that the attackers can carry out their operations without the victim being required to do anything; it is therefore essential to add more layers of security that can slow down future attacker operations.

The attack works on Mac and Windows; Zoom's iOS and Android apps have not yet been checked. Notably, the browser version is safe.

Currently, Zoom has yet to take measures, and the technical details of the attack have not yet been made public. Reportedly, the patch will arrive for Zoom on Mac and Windows within the next 90 days.