Breaking News

SpaceX and Space Adventures Plan To Bring Tourists to Space by 2021 Facebook's Scape Acquisition Could Signal Move to Location and AR Dell Technologies Unveils New Systems For Data Analysis at the Edge Marshall Monitor Wireless Headphones Get Active Noise Cancellation Wi-Fi CERTIFIED EasyMesh Enhances Multiple Access Point Wi-Fi Network Quality

logo

Check Point Research Found Vulnerabilities in Zoom Video Communications

Check Point Research Found Vulnerabilities in Zoom Video Communications

Enterprise & IT 0

Check Point Research Found Vulnerabilities in Zoom Video

Cyber security firm Check Point Research identified a technique which would have allowed a threat actor to potentially identify and join active meetings of people that use tools and technology by Zoom Video Communications.

Zoom is a leader in modern enterprise video communications, it provides an easy cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, telephones, and room systems.

Check Point Research posted the details of the vulnerabilities online, and were also disclosed to Zoom. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.

Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.

The security researchers were able to predict ~4% of randomly generated meeting IDs, which is very high chance of success.

Check Point Research contacted Zoom in July 2019 as part of a responsible disclosure process and proposed the following mitigations:

  • Re-implement the generation algorithm of Meeting IDs
  • Replace the randomization function with a cryptographically strong one.
  • Increase the number of digits\symbols in the Meeting IDs.
  • Force hosts to use passwords\PINs\SSO for authorization purposes

Zoom representatives responded quickly and below is the list of changes that were introduced to the Zoom client\infrastructure following the disclosure:

  • Passwords are added by default to all future scheduled meetings.
  • Users can able to add a password to already-scheduled future meetings and received instructions by email on how to do so.
  • Password settings are enforceable at the account level and group level by the account admin.
  • Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
  • Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.

Related Posts

0 Comments

Leave a Reply

More information about text formats

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

BBCode

  • No HTML tags allowed.
  • You may use these tags: [abbr], [acronym], [b], [center], [code], [color], [define], [font], [h1], [h2], [h3], [h4], [h5], [h6], [hr], [i], [img], [justify], [left], [list], [node], [php], [quote], [right], [s], [size], [sub], [sup], [u], [url], [wikipedia], [youtube], [align], [link], [ol], [ul]
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Image CAPTCHA
Enter the characters shown in the image.