But as the COVID-19 pandemic began changing our lives in March and Zoom became so popular, the video units were repositioned as a single place to make your calls without having to worry about setup. Additionally, a dedicated unit could free up laptop space and allow for note-taking while attending the meetings.
To set it up, one Echo owner creates the group in the Communicate tab in the Amazon Alexa app, inputting everyone's contact info. Amazon, Facebook, and Google today announced Zoom video calls are coming to their smart displays in a shift that could shake up how people receive video calls and interact with AI assistants.
Zoom has grown rapidly as the global pandemic forced many to work from home. Successors to the smart speaker, typical smart displays have a video camera, screen, microphone array, and an AI assistant that responds to queries with voice or visuals that appear on the display.
Canalys estimated that 6.3 million smart display units shipped worldwide in Q3 2019.
When a pandemic hits, stay-at-home orders are issued and people spend less time at retail stores. Amazon’s sales ballooned, as the initial delays and hiccups got fixed and the retailer figured out ways to continue moving products from one location to another, often overnight.
The updated interface for the Alexa-enabled smart TV platform will introduce a handful of new features, including support for video calling and other options for using Fire TV as a way to video chat, including, later, support for Zoom, Amazon says.
The updated Fire TV design includes a personalized home page where you can more quickly get to your favorite content and apps. The profiles allow users to keep track of the shows they’re watching and see recommendations tailored to their own interests.
Instead, navigation has moved down the page next to your profile icon, and now includes tabs for Home, Find, Live, and Library, alongside a row of your favorite apps. The top of the screen, meanwhile, has been freed up to better display a large advertisement for Amazon’s own content or that from other properties.
Initially, this will work by allowing customers to connect a Logitech USB webcam with their Fire TV Cube to enable two-way video calling on Alexa. Though not mentioned today, it seems obvious that Amazon is likely planning to introduce new Fire TV television sets that include built-in webcams at some point further down the road.
It will continue to ship with the Alexa remote, which includes dedicated volume, power and mute buttons that can control your TV, soundbar and AV equipment. This version, which isn’t quite as powerful as the new Fire TV Stick, supports streaming in full-HD with HDR, and comes with Alexa Voice Remote Lite.
“We’re excited to bring the Prime Video app to Chromecast and Android TV devices, and to give our customers convenient access to the shows and movies they love,” added Amazon Prime Video head of worldwide business development Andrew Bennett. At the time, Google further escalated the conflict, and also began blocking YouTube on Amazon’s Fire TV devices.
Amazon eventually instituted another work-around that is based on simply launching a YouTube web interface on a TV-optimized browser. It’s worth noting that this week’s agreement doesn’t include a native YouTube app for the Echo Show.
Zoom Makes Sweeping Changes to Address Security Criticisms: Since we published this article, Zoom has made numerous changes to address the problems we report on below, along with others to deal with issues that came to light after publication. We’re working on a follow-up article that will recap the changes, but in the meantime, make sure to keep your Zoom app up to date to take advantage of the many fixes.
Of all the tech companies that have benefited from the massive shift to telecommuting that the global pandemic has forced, Zoom stands at the top. The company’s multi-platform videoconferencing software was well known before, being a frequently used, market-leading choice mentioned in the same breath as Adobe Connect, Cisco WebEx, GoToMeeting, Microsoft Teams, and Skype.
That’s partly because of the scope of Zoom’s free tier, which allows up to 100 streaming video participants, and the way it has focused its service on scheduling or creating “meetings” that people can join with just a URL, either by downloading a simple app on any platform or by using an in-browser alternative. Any time we discuss Zoom and consider recommending its use or think about its future, we have to look at a series of bad programming, security, marketing, and privacy decisions the company has taken.
Evidence of this began to accumulate last year with a screw-up that created a significant privacy exposure for macOS users: your video camera could have been activated by visiting a page that loaded a malicious link. The problematic disclosures have accelerated this year with a series of errors in judgment and programming flaws.
Zoom may have a top-notch technical solution and user experience, but the company deserves to take its knocks for slapdash and negligent programming. Zoom also has made poor privacy decisions, some of which have already been remediated, by positioning itself more like a marketing firm than one that provides personal, academic, and business services over which we conduct private, confidential, or secret conversations.
Almost as bad, from my perspective, is that Zoom seemed unwilling to admit any failing, avoided apologizing, and didn’t provide a roadmap on how it will do better. On the same day, New York State’s attorney general sent Zoom a letter asking for details on how it’s managing security risks given its history.
TidBITS contacted Zoom for its insights about how it has handled security and privacy issues, but the company didn’t reply. As I finished this article and in the few days that followed, however, Zoom publicly responded to disclosures of new security problems.
A subsequent post laid out the company’s plans for how it will improve its software and its culture around security and privacy. A third responded to a privacy group’s investigation into the company’s weak choices in encryption algorithms and in routing some meeting traffic through China for non-Chinese participants.
In this article, I walk through the many software, security, and privacy issues Zoom has encountered and its response to each. The Zoom client app installed a tiny Web server without disclosing this to users.
This Web server bypassed a security improvement in Safari designed to require users to click Allow each time a URL with an application-based link was loaded or the user’s Web browser redirected to such a URL. This attack worked only if you had changed the default settings to start audio or video automatically upon joining a meeting, something many users did.
However, on 2 April 2021, Trent Lo of SecKC, a group of folks who meet up for security talk in Kansas City, Missouri, sent details to Brian Krebs of Krebs on Security showing that the number-space flaw could still be exploited using “war dialing” methods reminiscent of dial-up modem days. This required, in part, using a different IP address for every connection, subverting Zoom’s throttling approach.
The tool the group developed had a whopping 14% success rate for finding public meetings. The ultimate solution that Zoom will have to implement eventually is one I recall reading about in the mid-1990s, when it was already old hat: create a much larger addressable space.
In late March, the venerable magazine Consumer Reports, Internet thinker and Cluetrain Manifesto author Doc Searls, and others engaged the company in a full-court press about its stated policies. As Consumer Reports noted, the company could store and collect personal data and share it with third parties (including advertisers).
As Motherboard explained, “attention tracking” put a small icon in the list of participants indicating that they had moved out of the app. On 29 March 2021, “drippy” posted at Hacker News, saying that he noticed that the installation happened quite early on during what’s called the “preflight” process.
It’s another instance of behavior by Zoom that avoids disclosure and bypasses user intent in the interest of ensuring its software is rapidly installed. On 31 March 2021, Zoom’s CEO responded directly on Twitter to the technical researcher who popularized the finding there, stating, “Your point is well taken, and we will continue to improve.” On 2 April 2021, Zoom released an updated version that follows normal installation practices.
Prior to the spread of E2E, most encryption used a client/server approach with digital certificates, such as with HTTPS for a secure Web link. By creating a centralized public-key infrastructure, a company manages that problem by distributing its own root of trust, a bit of global validation, as part of its software.
Apple relies on endpoint-controlled keys with iCloud Keychain, certain aspects of facial recognition details in Photos, and HomeKit Secure Video. In either E2E approach, without the endpoint encryption keys, an attacker could intercept all the data transmitted and never be able to decipher it.
But on 31 March 2021, The Intercept reported that Zoom appeared to employ a simpler form of transport-layer security in which connections from meeting endpoints are encrypted to Zoom’s central servers, where the data is decrypted (but not stored) before being re-encrypted and transmitted to other participants as text, audio, or video. However, on 1 April 2021, Zoom published an apologetic blog post in which Chief Product Officer Oded Gal explained that Zoom operates something closer to the first kind of E2E system (centralized company management of keys) than the second (endpoint-only possession of keys).
However, in order to connect sessions to other kinds of services, Zoom operates “connectors” that will decrypt data in certain circumstances. For instance, if you enable the company’s cloud-based recording option, sessions have to be briefly decrypted within Zoom’s cloud system.
For instance, an attacker could conceivably force cloud recording of sessions quietly and redirect the data stream with no need to break into the actual meeting. That’s simply infeasible with Skype, iMessage, or FaceTime without Microsoft or Apple rewriting its software.
(None of these firms offer sufficient independent code auditing, however, so it’s impossible to ensure that my statement is absolutely true.) On 3 April 2021, the nonprofit privacy and security research organization Citizen Lab released a report examining Zoom’s E2E technology and other implications (discussed below).
Gal noted in the Zoom blog post that the company already offers a corporate-focused option that keeps all encryption within a company’s local control, and it plans to offer more such choices later in the year, though likely just to paid accounts of a minimum size. If Zoom’s advertising and description of its encryption comprised unfair or deceptive trade practices, the FTC could opt to intervene.
Ashkan Soltani, the former FTC chief technologist and an avid investigator of security and privacy practices, told The Intercept: Taking Zoom’s explanation as accurate, calling their method E2E is not a distortion, though it now has several caveats that were not previously understood.
On 1 April 2021, Motherboard reported that Zoom shares contact information among everyone whose email address has the same domain name, excluding major consumer hosting and email services like Gmail, Hotmail, and Yahoo. For any user at any domain not included in that list, the Contacts tab in the Zoom client allows access to the email address, full name, profile picture, and current status of all other registered users of that domain.
If a user clicked such a link, their Windows system would send encrypted but vulnerable credentials that use an outdated security approach. Without the act being disclosed, every Zoom participant’s name and email address (if available) was matched against LinkedIn’s database and, if they had a profile, connected to it.
Zoom removed the feature on 1 April 2021 after the New York Times contacted the company to ask about it. On 30 March 2021, noted Mac and iOS security researcher Patrick Wardle posted a lengthy entry on his Objective-See blog about two “zero-day” bugs that leave Zoom’s Mac users vulnerable to exploits by someone who can gain access to their computer (which seems less likely in today’s stay-at-home days).
Wardle apparently didn’t provide advance disclosure to Zoom, hence the “zero-day” term, which means the vulnerability remains exploitable at the time it is revealed. Since these bugs are local-only problems that can be exploited only during a Zoom app installation or update, the likelihood of an attacker taking advantage of them is low.
One bug could let an attacker replace a script that’s part of Zoom with software of their choosing that would be installed with the highest privileges. Action needed by you: If you’re a host, either don’t engage in a private chat that could be problematic or have the discussion in a separate secure app, such as Messages.
In the previously noted Citizen Lab report that examines poor encryption choices, the organization also described how it tracked down both Chinese companies associated with Zoom and the generation of encryption keys by servers located in China even when all participants were outside that country. As the report notes, the Chinese government reserves the right under local law to compel companies to provide authorities access to otherwise encrypted sessions.
These recommendations may seem overblown, but China has an extensive and well-documented history of obtaining private information from individuals, businesses, and governments. On 3 April 2021, following the Citizen Lab report, Zoom’s CEO wrote in a blog post that including Chinese servers for meetings that didn’t involve participants in China was an error brought on by the company’s efforts to scale up capacity massively.
This scenario combines the power of Web search engines, technical choices Amazon made with its cloud-storage system, the popular misunderstanding that obscurity equals online privacy, and a failure by Zoom to consider unintended consequences. Many people also simply don’t understand the privacy implications of posting videos online.
Unintended consequences: For ease of use, Zoom chose to name each saved video recording with a standard pattern. That’s typical behavior for photo and video capture devices, which often name in a sequential pattern.
Confirm that you haven’t uploaded any private recordings of videos to places that are publicly accessible. Contact hosts of sessions in which you’ve participated to alert them and have them check their upload locations.
In the future, after recording a meeting, rename the file immediately to avoid the potential for a searchable link. I discourage sharing the full URL or the password on any forum, social network, or Web page that random bad actors could be scanning manually or via automatic scraping tools.
Discourage invited participants from sharing the URL with others who aren’t part of your group, organization, or movement. Tell people that the URL is coming and then post it quite close to the event start time, such as 30 minutes before.
You can admit everyone in a waiting room at once, so you can scan through a list of people and, if they’re all acceptable, click a single button. As detailed as this article is, I fear that this list of problems and choices will be far from the last we hear about Zoom’s security and privacy troubles.
In fact, while writing and editing this article over the last 48 hours, we had to add six additional exploits, design-choice errors, and privacy concerns. Zoom has gone into what’s known as “technical debt.” The company’s developers made a lot of poor decisions in the past, which are likely difficult and costly to fix.
The longer it takes Zoom to address the core problems, the harder and more costly future fixes will be, as additional code is built upon that weak foundation. Eventually, its roadbed will start to crumble, and girders will rust through, and all that deferred maintenance will come home to roost in a lengthy rebuilding project.
It needs to step up to that responsibility, and we can hope Yuan’s words mean that Zoom has now accepted its role. It contains a number of videoconferencing tips, among many others provided by Take Control authors, TidBITS editors and contributors, and others who donated their experiences and insights.