APRIL 12, 2020

The Zoom Security Vulnerabilities to Join Your Every Meeting

Over the past 3 months, Zoom, a video conference solution, jumped from 10 million active users to 200 million users. Any software solution with a large user base becomes a target for attackers, in a simple equation: the more users on a platform, the larger the number of successful attacks achieved through it. This is the situation in many software domains; in cybersecurity, the most commonly used security tools attract the most evasion techniques in the wild aimed at undermining and bypassing them. The same rule applies to OS platforms: Windows, the most common OS platform in the market, is also the most targeted.

Zoom is no exception, and the same pattern has followed its rapid jump in user base. During 2018-2019, only three security vulnerabilities in Zoom were exposed, while over the past few weeks many more were observed:

  1. Brute force: An attacker can join a meeting they were not invited to by guessing meeting IDs until they find an open meeting to connect to.

The problem: A problematic product design was implemented, with a weak meeting ID mechanism.

The solution: Admit only approved participants to a call.

  2. Data leakage: Zoom shared information with Facebook.

The problem: Misuse of a Facebook SDK.

The solution: Zoom has removed the SDK that shared information with Facebook. Other protection measures can include limiting connectivity to Facebook from the workspace.

  3. End-to-end encryption: Zoom does not perform end-to-end (E2E) encryption.

The problem: Attackers in a man-in-the-middle position can listen to or watch live calls.

The solution: E2E encryption should be incorporated into Zoom. In the meantime, either a VPN to a secured location can be used (although ISPs would still be able to inspect the traffic), or the internal network can be monitored for network attacks. Android, Chrome OS, and iOS devices can be protected by Deep Instinct from these and other network attacks.

  4. Unsecured network route: Zoom calls are routed through China.

The problem: Countries like China, which intercept their citizens' traffic, can hear or watch the calls of any participant, even those not physically located in China.

The solution: Zoom has fixed this unsecured network route by changing the traffic route so that it no longer passes through China.

  5. Credential theft: Zoom had a common vulnerability involving UNC links.

The problem: Attackers can steal Windows credentials.

The solution: Zoom has fixed this security vulnerability.
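One way a chat client can render links without the UNC-link issue in item 5, as an added example (not Zoom's code): only http/https targets become clickable, UNC paths and file/smb targets are left as inert text, and `find_unc_paths` flags messages carrying such paths for logging or review. The regexes and function names are assumptions, and the sample message is constructed.

```python
import re
from html import escape

# Hardened chat-link rendering (added example). A UNC path such as
# \\host\share\file.txt must never become a clickable link: opening it makes
# Windows start an SMB connection to that host, which can leak the user's
# credentials. Only http/https targets are hyperlinked here.

UNC_RE = re.compile(r"\\\\(?:\?\\UNC\\)?[A-Za-z0-9.\-]+(?:\\[^\\\s<>\"']+)+")
# Candidate link targets: a leading \\ (UNC) or scheme:[//]...
TARGET_RE = re.compile(r"(?:\\\\|\b[a-z][a-z0-9+.\-]*:(?://)?)[^\s<>\"']+", re.I)
SAFE_SCHEMES = {"http", "https"}


def find_unc_paths(text: str) -> list:
    """Return every UNC path in a message, for logging or alerting."""
    return UNC_RE.findall(text)


def is_safe_target(target: str) -> bool:
    """True only for http/https URLs; UNC and file/smb targets are refused."""
    if target.startswith("\\\\"):
        return False
    scheme = target.split(":", 1)[0].lower()
    return scheme in SAFE_SCHEMES


def render_message(text: str) -> str:
    """HTML-escape a message and hyperlink only safe targets."""
    out, pos = [], 0
    for m in TARGET_RE.finditer(text):
        target = m.group(0)
        out.append(escape(text[pos:m.start()]))
        if is_safe_target(target):
            href = escape(target, quote=True)
            out.append(f'<a href="{href}">{href}</a>')
        else:
            out.append(escape(target))  # rendered as inert text, not a link
        pos = m.end()
    out.append(escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample message mixing a legitimate URL with a UNC path.
    msg = "Join https://zoom.us/j/123 or see \\\\evil.example\\share\\notes.txt"
    print(find_unc_paths(msg))
    print(render_message(msg))
```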

  6. Dropping technique: On macOS, Zoom can be installed in a way that skips the need for the user to enter a root password.

The problem: By modifying the Zoom installer, an attacker can bundle additional malicious tools into the installation.

The solution: By using Deep Instinct, devices are protected from any malicious file dropped as part of a Zoom installation. Deep Instinct can even scan a Zoom installer that might contain malicious files before the installation itself happens.

  7. Code injection: Zoom holds access permissions to use the webcam and microphone.

The problem: An attacker can inject code into Zoom in order to gain permissions to these resources.

The solution: By using Deep Instinct, devices are protected from various code injection techniques.

The security vulnerabilities listed here are not unique to Zoom; many of them may also be found in other video conferencing tools, such as Microsoft Teams and Google Hangouts. The critical factor is to have a robust security tool in place that works to eliminate many of these potential threats.