Zoom Safely: Minimize the Risks

Last week I was shocked when a friend, a senior vice president of cybersecurity at a large media corporation, posted this on Facebook:

“Just don’t use Zoom. It is a cesspool of security and privacy issues…”

I took his warning seriously. He knows what he is talking about. This post is no April Fool’s joke.

However, today Zoom is a lifeline for many people and important to me personally. With a heart condition, diabetes, and being over 70, I had best stick close to home with COVID-19 in the air.

Everyone uses Zoom today. My daughter in law school attends classes on Zoom all day. My library friends get together on Zoom to share a beer and discuss books. My wife and I met with our realtor on Zoom yesterday.

I don’t expect folks to quit using Zoom, and I don’t plan to quit myself. It’s popular for good reason: it works well and is remarkably easy to use. In my old job as a software architect working with developers on every continent but Antarctica, I’ve used just about every online meeting platform frequently. Zoom is excellent, particularly for people for who can’t take time to learn complex and balky platforms. Which makes Zoom security and privacy issues all the more troubling.

Zoom has not been a paragon of responsibility in fixing security vulnerabilities. I won’t go into the details of what is wrong with Zoom. I might in a future post. Here, I will tell you how to minimize the risks.

Concerns

First, Zoom shares data with companies like Facebook and other data brokers. That is what it is. I don’t like it, but it’s part of the 21st century. I believe we can and should do something to fix the data sharing digital economy, but nothing will happen overnight. I wish Zoom would just stop it, but I have little hope that they will until they are forced to. Their sharing pays for your free service. If it makes you feel better, Zoom is not the only offender; your data is probably already being bought and sold all over the network.

Second, Zoom meetings are subject to unwanted intruders and harassment. Louts sneak in and flash pornography and hate messages. They dominate chat sessions. Meetings, like town meetings or church and temple services, can turn into travesties and have to break up.

Third, less of a concern to individuals, Zoom is susceptible to denial of service attacks. Meetings can be overwhelmed with unwanted messages which tank performance.

Finally, Zoom emits digital pheromones that drive cats to walk over keyboards, hit keyboard shortcuts, and take over the screen.

What can you do about it?

There are a few steps you can take that will considerably improve Zoom experiences.

  • View the Zoom video tutorials. They’re easy and worthwhile. Become a Zoom expert.
  • Access Zoom through your web browser. Don’t install the Zoom app. Many of the ongoing problems have come from the app, so avoid it, at least until Zoom gets their house in order.
  • Guard the Zoom meeting link and ID. If you are not conducting a public meeting, don’t make it public. (Boris Johnson, UK prime minister, tweeted a screen shot of a cabinet meeting with the meeting ID prominent. Don’t do that.)
  • Zoom has a meeting password option. Use it when appropriate.
  • Let Zoom generate a random meeting ID. You can put in your own meeting ID like “Joes-Dance-Party”. Trolls could guess the ID and slip in.
  • Use Waiting Rooms to control entry to the meeting.
  • Protect the screen sharing option. When setting up a meeting, you can restrict who can share and who can start sharing when someone else is sharing. Change these settings during a meeting by clicking on the down caret next to the “Share Screen” button at the bottom of the screen.
  • Do not click on links in Zoom chats unless you trust the participant who posted the link.

Zoom is not perfect, but these are not perfect times.

Are Bluetooth Medical Devices Dangerous?

Do not act on this post without discussing it with your physician or healthcare professional. I have some thoughts you and your physician may want to consider, but this is not the place for health advice. Make health decisions by consulting with physicians and health professionals, not software engineers

Let me say the worst out front, hackers exploiting weaknesses in Bluetooth-enabled electronic medical devices could kill their victims. However, given the currently known vulnerabilities, the feat would be physically difficult, require a high level of skill, and be unreliable as an assassination method. More likely, these devices could be the basis for threats and extortion similar to ransomware.

That being said, I don’t think anyone should feel immediately threatened by Bluetooth medical devices. Some recognized Bluetooth vulnerabilities have troubling potential, but only potential. Researchers have found vulnerabilities that are theoretically exploitable, but no exploits have been seen. In the meantime, engineers are scrambling to patch the weak spots and the engineers have a good chance to beat the criminals.

Bluetooth Technology

Bluetooth is a technology for connecting computer peripherals wirelessly. It is intentionally designed to work only at short distances; thirty feet is the designated limit for reliable operation, although the functional range can be broader. Unlike Wi-Fi or cellular signals, Bluetooth is not good at penetrating walls and other barriers.

I use Bluetooth headphones, mice, styluses, and keyboards all the time. Good riddance to pesky cables and cords. But Bluetooth is not always secure. For example, the National Security Agency bans Bluetooth cellphone headphones for discussing classified information. The Cayla doll of a few Christmases ago had some disturbing security flaws— not all due to Bluetooth, but Bluetooth was a factor. See Checklist to Avoid the Next Cayla Doll for some advice on using Bluetooth in general. I wrote some rules for using Bluetooth safely a few years ago that are still good. Seven Rules for Bluetooth at Starbucks.

Like many computing standards, Bluetooth is designed to work in many different situations by using some features in one implementation but not in others. For example, one of the most vulnerable— and annoying— aspects of Bluetooth usage is pairing, the process of connecting two Bluetooth devices. The standard document lists several different ways that pairing can work. The most popular, called “Just works,” freely connects any device to any other: easy but totally insecure. Most people don’t really care if an intruder overhears music from their phone and prefer the ease of “Just works” pairing, but the NSA takes issue with eavesdropping on classified info, hence the banned headphones.

Other pairing methods require exchange of passwords and other codes. They are a hassle, but more secure and therefore sometimes necessary. For example, Bluetooth keyboards often use more secure pairing because most people would rather that the stranger at the next table at Starbucks not be able to type commands into their laptop. The manufacturers of these devices have to balance convenience and ease of use with security. I have to say, for a product manager whose salary depends on producing easily sold products, choosing ease-of-use is tempting. Security is often said to drive away customers.

Bluetooth Medical Device Vulnerabilities

Bluetooth is great for users of medical devices like implanted pacemakers and defibrillators, insulin pumps, continuous blood sugar monitors, and other life-saving gadgets. Leads that connect internal devices to external controls are open wounds that invite infection and require constant effort to keep sanitary. Connecting an external device to a controller with physical cables is a nuisance. Mouse cables are annoying, cables that snake through clothing are worse. Bluetooth wireless connections eliminate many of these issues.

A security group in Singapore has published what are called the SweynTooth vulnerabilities, a list of known flaws in Bluetooth implementations that could compromise a number of Internet of Things, Smart-home, wearable, and other gadgets including medical devices. Details here. I’ve examined these vulnerabilities and divide them into three groups:

  • Device crashes
  • Denial of Service issues— overwhelming the device by bombarding it with unwanted messages
  • Device takeovers

The first two groups of vulnerabilities lead to a crash or throwing the device into an overwhelmed state in which it effectively stops working. The device has to be restarted, but it will most likely return to normal operation after reboot. These issues are annoyances, perhaps extreme annoyances, but I find it hard to imagine they are life threatening. Most of the SweynTooth vulnerabilities fall into this class.

One SweynTooth vulnerability has an extremely disturbing outcome: device takeover. In this scenario, a criminal takes control of the medical device. If the device is a defibrillator, the criminal could repeatedly defibrillate a normally functioning heart. Death is a reasonable expectation. A compromised pacemaker could slow the victim’s heart rate to the point of brain death and organ failure, or accelerate the rate and cause an  arrhythmia. A compromised insulin pump could overdose a victim with insulin. In each case, death is possible.

Outcomes

In the face of these dangers, how likely are these outcomes? In my judgement, possible but improbable.

First, Bluetooth has limited range. The attacker must be close to the victim. In most cases, in sight of the victim. Bluetooth can penetrate walls and other barriers, but not well. This is excellent news for potential victims because criminals have to identify their targets and get close to attack. This is not good, but much better than situations where the attacker can anonymously scan the network for potential victims and attack from the other side of the planet. An operational non-medical suggestion: if you use a vulnerable device, avoid broadcasting the fact to those around you.

Second, these vulnerabilities are not simple to exploit. An attacker has to be familiar with both Bluetooth technology and the implementation of the medical device in order to launch an attack. This eliminates casual criminals and script kiddies, but leaves the door open for military or government operations.

The upshot is that only significant targets are likely to become victims. Who is a target? Well, if you have upset North Korea and have a vulnerable embedded defibrillator, conceivably, North Korean cybercommand could send a highly trained operative to get within Bluetooth range of you and flub your defibrillator. Most people don’t fall in that class.

More likely, a criminal group might hack into a medical device supplier’s records and get a list of users of vulnerable devices, get within Bluetooth range and harass a few users, then demand ransom from the supplier. Might work, but regular ransomware is orders of magnitude less work and risk for the criminals.

Final Words

Given these circumstances, what would I do? Discuss it with my doctors. Persuade them to demand that device suppliers address the SweynTooth vulnerabilities. I would tell my doctor that I would rather avoid using a vulnerable device, but I would use one if the medical advantages justify the risk. Nevertheless, those attorneys who advertise on television will reap the benefits if victims start keeling over.

Securing Home Wi-Fi

Almost everyone knows that they should secure their home wi-fi network, but many people don’t realize that in addition to your wi-fi password, you should also set the password for your home network router. I promised at my presentation at the Ferndale Public Library on personal computer security that I would explain why and how to change your router password. This blog fulfills that promise.

On Saturday March 7 and 14, 3:00 pm , I will repeat the Ferndale presentations I gave on personal computer security and privacy online at the Lynden Public Library.

Your Wi-Fi Network Password

Today, establishing a password for your network is almost automatic. When you set up your home network with your network service provider, like Comcast, you are prompted to use a password, often printed on a label stuck to the modem-router combination supplied by your network service provider.

I suggest you change the supplied password to one of your own choice for two reasons: first if your provider has a dishonest employee (let’s face it – that does happen on rare occasions) they won’t have access to your network password. Consequently, if your provider has to work on your system, they’ll have to ask for the password. That may be a slight inconvenience, but I prefer it that way. The risk to using a unique network password supplied by your network service provider is not great, but setting your own password is easy, so I prefer to avoid the small risk.

Second, the provider-supplied password is random and hard to remember. Your home network press word is one you have to use infrequently but you do have to use it when you add a new device. I prefer a password I can remember instead of having to find the sticker, write the password down on paper, use it, then remember to destroy the paper so a neighbor kid won’t pick it up and run up my wi-fi bill streaming bandwidth-hog video games. A long nonsense phrase can be both hard to crack and easy to remember. Choose a phrase that doesn’t get hits on Google searches, like “3horsesdrank2muchcarrotjuice!”.

I would not try to store your wi-fi network password in a password manager. You might be able to do it, but it will probably be too awkward to bother with. Most password managers are not designed to interact with wi-fi sign-ons. Choose your phrase and write it down, then store the paper in a safe place. Unless you are gaga for network gizmos, you’ll only use your network password a few times a year, so you might forget it. If you have a home safe for your important papers, that might be a good storage choice. You should be aware that stolen wi-fi is a master hacker’s network access of choice. They’ve been known to use directional antennas to pick up insecure or loosely secured wi-fi from blocks away.

As a side note, your router may have a button you can push to avoid having to look up and type in the network password when you add a new device. This method is not totally secure if you have an attentive hacker in your vicinity. I choose not to use the button.

If you think you are being victimized by bandwidth thieves, change your network password and set up a device white list on your router. I’ll explain what I mean by a white list in another blog.

Having set your network password, there is another password that you should take care of: your router password. Router passwords are not part of your first line of defense. A hacker must first break into your network in order to make use of your router password, but if you leave the default password on your router , which it will be if you don’t change it, a hacker who breaches your network can do much more damage than one who can’t get to your router.

Routers

Your router is your connection to the Internet. It is a specialized computer that routes messages to and from the computers on your home wi-fi network to the rest of the network. As computers go, a home router is very good at what it does, but it could be replaced by an ordinary personal computer running special programs. Early home networks were often implemented by designating a PC as the local network router and loading it with routing software and extra network interface cards, but home routers are now so cheap and convenient, I don’t think anyone does that anymore. Today, most home routers are a combination device comprised of a modem, which transforms incoming signals on the wire connection to something usable by the home network, a wireless radio transmitter-receiver, and a router.

Typically, you access your home router today by logging on through a web browser. After you log on, you can change the way your home network interacts with the network and your network provider. The default settings on your router fairly effectively protect you from intrusion from the outside. Fresh out of the box, home routers are set up so that all interaction with computers outside the home network must originate from inside the home network. Although it may seem like the outside world is always sending you stuff, almost without exception, a computer on your home network has initiated an interaction and the outside world is responding to its requests. This fundamental pattern can be changed in many ways by changing the configuration of the router, sometimes for good reason. For example, some group interactive games require a different communications pattern. But criminals would like nothing better than to be able to send messages to your home devices at will. A bad guy with your router password could fix it so you can’t get to your own network or arrange to use your network to attack others. Changing your router’s password to something only you know ensures that only you can mess with it.

Changing a Router Password

Changing a router password is not difficult, but it could take you into unfamiliar territory. You may want to call in an expert to help you out. Never change anything but the router password if you do not fully understand what you are changing.

Overview

Here are the steps:

  1. Find your router default administrator name from the documentation that came with the router. Usually, the name is “admin” and the password is “password”, but not always.
  2. Determine the router IP address.
  3. Bring up the router in your web browser and enter the admin name and password.
  4. Navigate to the place where you can change the password.
  5. Change the password.
  6. Store it in your password manager. (Password managers handle router passwords just fine because you access them through your web browser.)

How To Determine Router IP Address

You can determine the router address from any device on your home network because the most basic requirement for connecting to the Internet is knowing the address of the router that controls the Internet connection. Some devices are easier than others. On a Windows 10 desktop, laptop, or tablet, bring up Settings (the gear symbol). Select Network & Internet, which will open the “Status” page. Towards the bottom of the page select “View your network properties.” You will see a page something like this:

Windows refers to the router IP address as the “Default Gateway.” On Apple, you can do something similar going to “System Preferences” and clicking on the “Network” icon and look for the “Router” label.

Router IP addresses are often “10.0.0.1” or “198.168.0.1”. If you want to skip finding the correct address, odds are good that you will get your router by trying these. If both fail, try “10.0.1.1” or “198.168.1.1”. Beyond those guesses, I’d take the long way and look up network properties.

Access Router with Web Browser

All you have to do is type your router IP address into the address line in your web browser, like this:

What will appear on the screen will depend on the router. You will probably be challenged for a username and password. If you haven’t changed them, they will be the factory-set default for the router. You can look them up in the documentation for your router. Most likely, they are “admin” and “password” or something equally obvious. You are likely to find documentation for your router, or router-modem combination online. Look for the make and model on the physical device and search online.

Change Router Password

At this point, you are on your own with your router documentation, although the steps to change the password will probably be obvious. If you use a password manager, it will probably offer to generate a random password and store it for you. I would consider taking the offer.

While you are logged on to your router, take a look around, although I would be cautious about changing anything unless you know what you are doing. Your router is the control center for your home network and the key to home network security. An intruder with access can open your network up to all sorts of mischief. That is why changing from the default password, which is accessible to anyone, is so important.

Ferndale Library Talks on Computer Security and Privacy

Last Saturday, 2/1/20, I gave a presentation on Personal Cybersecurity to a full house in the Ferndale Library main meeting room. The librarians had to chase us out because my grandson Christopher and I were still answering questions at five pm when the library closed. If you missed the first presentation, or want a chance to ask more questions, Chris and I are scheduled to give the same presentation at the Lynden Public Library on Saturday, March 7 2020 at three pm. (Notice that the Lynden presentation will be a half hour earlier than Ferndale.)

See the slides from the presentation and links to resources.

This Saturday (2/8/20 3:30p) I will be talking about a closely related subject, Online Privacy, again in the Ferndale Meeting Room. Online security and privacy are closely related subjects that sometimes overlap, but privacy is often harder to understand and the legal boundaries are less clear. Computer security is mostly about traditional criminal activities like fraud and theft in the computing environment. Online privacy, on the other hand, often involves activities that were legal before computing began to amplify the effects of these activities, which have now taken on sinister implications. As a result, current privacy legalities are less clear. Instead of criminals, privacy issues often involve legitimate businesses and disturbing situations where no current law is broken. In this presentation, I will clarify what is recorded today when you go online and live your daily life, what is done with the record, and what you can do to exercise some control. This presentation will be repeated in Lynden at three pm on Saturday, March 14 2020.