Check Point Research Found Vulnerabilities in Zoom Video
Cyber security firm Check Point Research identified a technique which would have allowed a threat actor to potentially identify and join active meetings of people that use tools and technology by Zoom Video Communications.
Zoom is a leader in modern enterprise video communications, it provides an easy cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, telephones, and room systems.
Check Point Research posted the details of the vulnerabilities online, and were also disclosed to Zoom. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.
Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that if you hadn’t enabled the “Require meeting password” option or enabled Waiting Room, which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting i.e. prevented an unauthorized person from connecting to it.
The security researchers were able to predict ~4% of randomly generated meeting IDs, which is very high chance of success.
Check Point Research contacted Zoom in July 2019 as part of a responsible disclosure process and proposed the following mitigations:
- Re-implement the generation algorithm of Meeting IDs
- Replace the randomization function with a cryptographically strong one.
- Increase the number of digits\symbols in the Meeting IDs.
- Force hosts to use passwords\PINs\SSO for authorization purposes
Zoom representatives responded quickly and below is the list of changes that were introduced to the Zoom client\infrastructure following the disclosure:
- Passwords are added by default to all future scheduled meetings.
- Users can able to add a password to already-scheduled future meetings and received instructions by email on how to do so.
- Password settings are enforceable at the account level and group level by the account admin.
- Zoom will no longer automatically indicate if a meeting ID is valid or invalid. For each attempt, the page will load and attempt to join the meeting. Thus, a bad actor will not be able to quickly narrow the pool of meetings to attempt to join.
- Repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.