Edgescan’s Senior Security Consultant, Guram Javakhishvili, gives his take on the Zoom debacle. Guram stresses that he is not ‘sponsored by Zoom’ 😊.
First of all, nothing is bulletproof and anything can be hacked. We all make mistakes and learn from them. That’s how and why we improve and update software on a regular basis.
The question is: on what basis are other bloggers or researchers assuming that there is RCE, UNC path injection, weak or no E2E encryption and the many other vulnerabilities that have been mentioned over the past few weeks? If they have been testing or targeting Zoom systems in the production environment without penetration testing authorisation, then that is illegal and unethical. I believe most of these blog posts are just repeating unethical researchers' unauthorised publications.
A brief clarification on a few of the vulnerabilities recently posted and my personal thoughts on them:
Zoom video recordings accessible to the public
This is a user issue. There is an option within the Zoom admin panel where you can set video recordings to be private, public or accessible only to call participants. If you are not aware of the current settings, check them before recording. If recording is set to ‘Public’, then anyone with the link will be able to see the video content.
By default, users tend to leave ‘Public’ enabled, and if they then post the link somewhere, or even open the link in a shared browser (the encrypted key of the recording is contained in the URL), it will stay in the browser history and whoever has access to that machine will be able to access the recording.
Zoom bombing (attackers can brute force ID and Password)
Even if you had a valid password and ID, you still start the call in a ‘waiting room’ until the host admits you. You can basically do nothing in the waiting room, and there is no way to bypass it until the host admits you to the meeting.
Also, I’m not too sure about brute-forcing, since Zoom sits behind Cloudflare’s WAF protection. This needs a little bit of tuning (I would have thought Zoom allows multiple failed login attempts without blocking joiners, since participants might get the password or ID wrong), but again this can be tightened from the admin panel if one is familiar with the settings.
Again, user awareness: choose complex passwords; you can always set this yourself if you want to be safe.
UNC Path Injection
UNC path handling is possible in other modern applications too, not just Zoom. MS Outlook also allows a UNC path as a hyperlink. So what? We have never abandoned Outlook for this. Nevertheless, Zoom has already addressed this and the latest release does not allow UNC paths anymore.
Zoom does not support E2E Encryption
Zoom acknowledged the encryption problems and proactively worked to address the E2E encryption issues. Zoom has indeed always supported TLSv1.2 for all its communications, but there was a weakness in the cipher configuration. A single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
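As an added illustration (not code from this post or from Zoom), the script below shows why ECB preserves plaintext patterns while a chained mode such as CBC does not, together with the duplicate-block check a reviewer can run over captured ciphertext to spot ECB. The key, IV, sample frame and the HMAC-based stand-in for the AES block function are assumptions made for this example.

```python
import hashlib
import hmac

BLOCK = 16  # AES-128 block size in bytes
# Constructed sample inputs (assumptions, not values from the page): a fixed
# key and IV for reproducible output, and a "frame" whose first 64 bytes are
# identical, like a flat video background.
KEY = b"constructed-demo-key"
IV = b"constructed-iv-16"[:BLOCK]
FRAME = b"\x00" * 64 + b"different"

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for one AES-128 block encryption (assumption: HMAC-SHA256
    # truncated to 16 bytes, so only the standard library is needed). Not AES
    # and not invertible, but like any block cipher it maps equal blocks under
    # one key to equal outputs, the only property ECB's weakness depends on.
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def pad(data: bytes) -> bytes:
    # PKCS#7 padding to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: each block is encrypted on its own, so equal plaintext blocks
    # give equal ciphertext blocks and the pattern survives encryption.
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so repeated plaintext does not repeat in the ciphertext.
    data = pad(data)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext: bytes) -> int:
    # Defender-side check: count duplicate 16-byte blocks. Any duplicates in
    # a ciphertext of this size are a strong indicator of ECB mode.
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))
```

On the constructed FRAME, `repeated_blocks(ecb_encrypt(KEY, FRAME))` returns 3 (four identical zero blocks collapse to one distinct ciphertext block), while `repeated_blocks(cbc_encrypt(KEY, IV, FRAME))` returns 0.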
It should be mentioned that even if a third party deliberately disables E2E encryption and initiates a meeting, if a guest then joins with E2E encryption enabled, this setting is enforced and communication for both parties becomes encrypted.
Inconsistent Application of Security Policy
Advice to the Zoom team and Zoom users on anomalies with file sharing, recording, screen sharing and remote control:
- File Sharing
File sharing can be disabled from the Zoom admin panel, so that people from your organisation will not be able to transfer files during Zoom chats/meetings. However, if a third-party host has this function enabled, they can send files to all participants (guests). Participants whose admin has disabled file sharing cannot send files, but they can still receive and download files from the third-party host, which increases the risk of being sent malware or other malicious files.
- Recording
If the recording feature is disabled by your organisation’s Zoom admin and someone from your organisation is hosting a meeting, recording will not be available to any party, including third parties. However, if a third-party host has this function enabled, then it is available to all meeting participants (your organisation and the third party).
- Screenshare + Remote Controlling
I would recommend reviewing the use of this function and disabling it if not required.
By default, the ‘Remote Control’ feature is not disabled and locked by administrators. Enabling the Remote Control function for your organisation’s participants or hosts increases the risk of your members permitting third parties to take remote control of an internal host system and potentially access unintended information or your organisation’s network resources.
It should be noted that an end-user must still grant permission to allow remote controlling of their system.
Most importantly, testing or using third-party software unethically is illegal, and authorisation should be sought prior to any activity. EternalBlue targeted thousands of Windows systems and more than 200K organisations suffered as a result of the EternalBlue vulnerability, but no one abandoned Windows, and it is still in use. WhatsApp also suffered from some serious vulnerabilities, but we still use it. As long as Zoom is taking action on all security concerns and trying to resolve issues as soon as possible, that’s the main thing.
The Zoom free version comes with limited administrative access and might not give you full control over security controls and settings. If you choose to use a free licence, you accept that it will not have the full range of features of the paid version. If you want those features, pay for them.