In the cyber world, as elsewhere, bad guys have an annoying tendency to do bad things. And so if you leave yourself open you will be punished. This is the thinking behind the latest report from the cyber security research team at Check Point, disclosing a vulnerability in the software behind video conferencing platform Zoom, one that has been fixed but which left its vast user base open to unwanted guests.
But, despite the fix, users remain at risk. That software issue was Zoom’s fault—and they patched it when it was disclosed last year. But the new report highlights a different and more serious issue, one that still leaves Zoom’s soaring user base wide open to attack. Worse, it’s the users themselves at fault with this one.
Zoom has confirmed Check Point’s findings. A spokesperson told me that “the issue was addressed in August of 2019,” adding that “the privacy and security of Zoom’s users is our top priority—we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research and collaborating with us.”
Zoom has become the go-to video conferencing platform: easy to use and relatively glitch-free across multiple platforms. And so it’s no surprise the company’s revenues are flying, up 85% year-on-year last quarter, as is its customer base, which is up 67%. It’s this ease of use that has been the driving force. We saw the same approach a lifetime ago, when Google took over the world of search by making life nice and simple. It’s a proven recipe. But that ease of use has a downside. Yaniv Balmas, Check Point’s head of cyber research, describes it to me as “a double-edged sword.”
Accessing a Zoom meeting requires a meeting ID, a 10-11 digit number that is long enough to deter brute-force guessing while still allowing an unlimited number of simultaneous meetings and persistent personal IDs that can be set and kept. “We found a way to enumerate all meeting IDs to see which ones are valid,” Balmas tells me, “Once we get a valid ID we can enter the chat—we have no idea whose chat we are going into.”
This makes for a completely opportunistic vulnerability: the exploit cannot be targeted, it is haphazard, attackers simply trying their luck. “But think of that from a cyber crime perspective,” Balmas says, “it matches the profile, it’s opportunistic but it works.” He calls this “Zoom roulette.”
To give an idea of the mischief that can be achieved, Balmas confessed that in testing the exploit they were able to hit some interesting landing pages for in-process meetings. The researchers didn’t enter any calls, “but we were just one click away.” Balmas tells me that “one was HP and another was Victoria’s Secret—we were just one click away from a Victoria’s Secret chat. Who knows what we would have seen there.”
The vulnerability itself, the issue that has been patched, is relatively low-level on the threat spectrum: scanning for valid meeting IDs, pinging candidate IDs to find those that are real. Zoom has now closed off both paths; there is no way to return valid IDs en masse, and a device that scans for IDs will be blocked.
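The server-side mitigation the article describes, blocking a device that scans for IDs, comes down to spotting one client that probes many distinct non-existent meeting IDs in a short window. The following is an added illustration, not Check Point’s or Zoom’s code; the log format, the client names and the thresholds are assumptions constructed for the example.

```python
# Added example (not Check Point's or Zoom's code): flag clients whose join
# attempts look like meeting-ID enumeration, i.e. many *distinct* IDs that do
# not exist, tried within a short window. Log format is constructed here.
import re
from collections import defaultdict

# Assumed log line shape: t=<seconds> client=<id> meeting=<9-11 digits> result=ok|not_found
LINE_RE = re.compile(r"t=(\d+) client=(\S+) meeting=(\d{9,11}) result=(ok|not_found)")

def parse_log(text):
    """Parse constructed join-attempt lines into (t, client, meeting_id, found)."""
    attempts = []
    for line in text.strip().splitlines():
        m = LINE_RE.search(line)
        if m:
            t, client, mid, result = m.groups()
            attempts.append((int(t), client, mid, result == "ok"))
    return attempts

def enumeration_suspects(attempts, window=60, max_distinct_misses=5):
    """Return {client: peak} for clients whose peak count of distinct
    non-existent meeting IDs inside any `window`-second span exceeds the
    threshold. Repeated tries of one mistyped ID count once, so a user who
    fat-fingers an ID is not confused with a scanner."""
    misses = defaultdict(list)
    for t, client, mid, found in sorted(attempts):
        if not found:
            misses[client].append((t, mid))
    flagged = {}
    for client, events in misses.items():
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window
                start += 1
            peak = max(peak, len({mid for _, mid in events[start:end + 1]}))
        if peak > max_distinct_misses:
            flagged[client] = peak
    return flagged

# Constructed sample: one scanner walking sequential IDs, one user with a typo,
# one user retrying the same wrong ID three times.
SAMPLE_LOG = "\n".join(
    [f"t={2 * i} client=scanner meeting={1000000001 + i} result=not_found" for i in range(8)]
    + ["t=5 client=alice meeting=5551234567 result=not_found",
       "t=9 client=alice meeting=5551234568 result=ok"]
    + [f"t={20 + i} client=bob meeting=7770001234 result=not_found" for i in range(3)]
)
```

Clients returned by `enumeration_suspects` are the ones a rate limiter would block; the threshold should sit well above the handful of mistakes a legitimate user makes.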
But the more serious security risk remains open.
Zoom enables meeting owners to set passwords. Unless you have that password, you cannot enter the call. The company advises people to use the security feature, if not all the time then certainly for large or sensitive meetings. A key part of the response to this report was that advice, a focus on the security built into the architecture.
But we are all lazy and complacent when it comes to anything that makes ease of use even a little more difficult. I reported last weekend on the lack of WhatsApp PIN use that has seen a raft of “stupidly simple hacks” on people’s accounts. It’s the same issue.
“For sensitive meetings, set a password,” Balmas says. “But nobody ever does. This is the main takeaway from this research.” He also recommends validating everyone entering a chat, but accepts that if you have a password then the issue is resolved. And so the platform, with its simplicity, is open to attack; but it’s not Zoom’s fault. The security tools are in place; we are simply choosing not to use them.
“And so it should be a concern for users of Zoom,” Balmas warns. “Be aware that these types of attacks are possible. Be careful what you say on Zoom.”
This is especially true where meetings are large, making it near impossible to spot or validate new entrants. And where a meeting owner uses the same personal meeting ID each time, anyone who learns that ID can drop in on your meetings whenever they like. Set a different password for each meeting to protect against this.
I never set Zoom passwords, I say, as my Check Point discussion ends.
“Me neither,” admits Balmas, the cyber expert who has just talked me through the issue. Somewhat ironically, we are speaking over Zoom. A Check Point meeting with no password. And therein lies the issue. Ease of use versus security. That double-edged sword.