Zoom Hot-Mic Bug: Is China Listening?

Zoom users on macOS have noticed the microphone stays on after a meeting has ended. This only came to light after a privacy change was made in macOS Monterey, but it appears the problem has been in the code for a long time.

Has Zoom been sending your audio to China? The company says not—or, rather, the company says something that appears to say “not,” but on closer inspection could mean almost anything. (As a reminder, the NASDAQ-listed company doesn’t really look like a U.S. firm: A large number of Zoom’s engineers are in China, and the company’s naturalized CEO was born in China—with family still living there, subject to the whims of the CCP.)

After the previous Zoom scandals, people aren’t so trusting. In today’s SB Blogwatch, we hope Ian Betteridge was right.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ЧЕРНОБЫЛЬ: ДЕРЕВНЯ ДЛЯ ЛОСЕЙ.

Hot-Mic Bug or Spyware Feature?

What’s the craic? Michael Simon reports—“Zoom is leaving the microphone on after a meeting”:

Users are reporting the problem persists
Numerous … Mac users running Monterey are reporting that the Zoom app is triggering the microphone light indicator even when a meeting isn’t taking place. [The] app is opening the microphone—as evidenced by the orange dot indicator—with the only way to stop it to quit the app after you get off the call.

A Zoom spokesperson said the company “has determined that this bug did not result in audio data being transmitted back to Zoom’s platform.” Zoom pushed out an update on December 27 … that reportedly resolved the issue … but users are reporting the problem persists.

If at first you don’t succeed? Try, try again, says Emma Roth—“Update Zoom on Mac”:

Accused of misleading users
If you’re using Zoom on a Mac, now’s the time to make sure it’s updated to version 5.9.3. … Zoom first attempted to fix the bug in a December 5.9.1 update … but it looks like this solution didn’t work for everyone. … You can update Zoom on a Mac by opening the Zoom desktop client, clicking your profile picture in the top-right corner of the window, and selecting “Check for Updates.”

Users have been complaining about the issue since December. … This obviously raised some privacy concerns, given Zoom had a serious privacy vulnerability on Macs in the past. In 2020, the company was accused of misleading users about offering end-to-end encryption when it really didn’t.

Oh, you forgot about all that kerfuffle? Allow Nathan Wasson to remind you—“The App Is Still Spying On You”:

A new scandal
Zoom has repeatedly come under fire, whether for playing fast and loose with the definition of end-to-end encryption, sharing user data with Facebook undisclosed, installing a hidden web server on customers’ Macs, publishing then back-tracking a claim of 300 million daily active users, or suppressing U.S. calls about Tiananmen Square at China’s behest. … The video conference company now has a new scandal on its hands.

Firm’s got history, fam. So John S ain’t buying it:

I don’t believe them either that this was just a “bug”—especially after their shady shenanigans leaving a running web server on your computer, even after uninstalling the Zoom app.

But assuming this was just a bug—not an evil spyware feature—what went wrong? dgatwood makes an educated guess:

More a battery life concern
AFAIK, it is activated and deactivated by having an active CoreAudio processing thread that is taking input from the microphone. So what this means is that they failed to stop their CoreAudio processing thread.

It’s more a battery life concern than a privacy concern, as long as that data isn’t going anywhere. But as long as that light is on, you can’t be sure that it isn’t.

What can we learn from this? Heed tgsovlerkhgsel’s teachings:

Web is good enough
This kind of thing is why software I don’t fully trust only runs in my browser. … There is little reason to run native apps, which nowadays are often just an outdated browser with a packaged web app anyways.

Google Meet, Microsoft Teams, and even Zoom have demonstrated that web is good enough if they want it. If you try to force me to install a native app, that’s a strong signal that the app is going to do something against my interest.

A bit too tinfoil-hatty? Nope, Fred Daggy agrees:

Follow the money
Agreed, Zoom haven’t worked out the business model. They see the lovely revenue from snooping and measuring users that the big boys rake in. “How can we monetise this user?” Oh, simple, keep listening.

Never put down to malice what can be put down to incompetence, BUT always follow the money. Sadly, my company has chosen to use Zoom for telephony and is in the process of rolling it out.

But but but … “Zoom has determined that this bug did not result in audio data being transmitted back to Zoom’s platform.” Jonners88 wonders what the spokesdroid isn’t saying:

Seems like weasel words from Zoom, who seem worryingly shifty.

Meanwhile, Not Jony Ive is not a happy bunny:

Zoom is and has always been a ****show.

And Finally:

What’s living in the Chernobyl exclusion zone? (subtitles on)

Hat tip: Mudface

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Chris Montgomery (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
