Apr 11 2017

I’m considering purchasing a ZOOM B3n bass effect processor; one of the nice features is the program that allows you to edit/load patches via a PC, rather than having to do so on the device itself. Being a security-minded geek, I downloaded the software and took a look.

After installation, the first thing it does is REQUIRE an active internet connection. No explanation; it’s not in the system requirements. So, after a little work with Wireshark and a little snooping around: it’s downloading files from www.zoom.co.jp and placing them in %USERPROFILE%\AppData\Local\ZOOM Guitar Lab.

This appears to be some poor attempt at providing auto-updating capabilities. The first ‘conversation’ is via TLS; however, they do not appear to be authenticating the server certificate, AND the subsequent downloads (at least some) are happening via an HTTP connection and appear not to be signed.
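For contrast, here is what an updater that closes both gaps described above looks like: the manifest of file hashes is fetched only over TLS with the server certificate and hostname actually validated, and every file (even one that arrives over plain HTTP) is accepted only if its SHA-256 matches that authenticated manifest. This is an added example written for this post, not ZOOM’s code; the JSON manifest layout, the file name and the file contents are constructed assumptions.

```python
import hashlib
import hmac
import json
import ssl
import urllib.request

# Hypothetical manifest layout (assumption, not ZOOM's format):
# {"files": {"<relative name>": "<sha256 hex of file contents>"}}


def authenticated_tls_context() -> ssl.SSLContext:
    """TLS context that validates the server certificate chain and hostname,
    which is the check the post says the updater's first connection lacks."""
    ctx = ssl.create_default_context()       # loads the OS trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_https_url(url: str) -> bool:
    return url.lower().startswith("https://")


def fetch_manifest(url: str) -> dict:
    """Fetch the hash manifest over verified TLS only; refuse plain http."""
    if not is_https_url(url):
        raise ValueError("update manifest must be fetched over https")
    with urllib.request.urlopen(url, timeout=30,
                                context=authenticated_tls_context()) as resp:
        return json.load(resp)


def build_manifest(files: dict) -> dict:
    """Server-side step: map each file name to the SHA-256 of its bytes."""
    return {"files": {name: hashlib.sha256(data).hexdigest()
                      for name, data in files.items()}}


def verify_update_file(name: str, data: bytes, manifest: dict) -> bool:
    """Accept a downloaded file only if it is listed in the authenticated
    manifest and its SHA-256 matches; unknown or modified files are rejected."""
    expected = manifest.get("files", {}).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample data standing in for one downloaded patch file.
SAMPLE_NAME = "patches/bank1.zpf"
SAMPLE_FILE = b"ZOOM-PATCH-BANK\x00\x01constructed sample bytes"
SAMPLE_MANIFEST = build_manifest({SAMPLE_NAME: SAMPLE_FILE})
```

The hash check only has value because the manifest itself is fetched with the certificate verified; a pinned signing key over the manifest would be stronger still, but even this stdlib-only version defeats the DNS-poisoning scenario the post describes.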

Poison DNS servers and reverse engineer their server protocol (likely trivial), and you have an easy way to deploy anything to everyone who uses this software.

Maybe not a likely target; however, if you are concerned about your DAW being corrupted by malware, I’d suggest installing it in a virtual machine as well as on your DAW. Turn off updating in the installation on your DAW (in the Help menu, deselect “Notify when the new version of ZOOM Guitar Lab exists” and “Notify when the new version of firmware exists”).

Let it do its update on the virtual machine, then copy the VM’s %USERPROFILE%\AppData\Local\ZOOM Guitar Lab to the same folder on your DAW. That should get you the updates without any bad stuff (unless bad stuff was installed in that folder, of course).