Since-introduced mitigations resolve issue
Zoom is a leader in modern enterprise video communications. It provides a cloud platform for video and audio conferencing, collaboration, chat, and webinars across mobile devices, desktops, telephones, and room systems, and is used in board, conference, huddle, and training rooms, as well as executive offices and classrooms.
Have you ever wondered if someone can eavesdrop on your company’s meetings and learn the details of your biggest secrets? Imagine a stranger sitting just next to you in the same room, exactly like a “fly on the wall”, when you are discussing your “next big thing.” You would never put yourself in such a vulnerable position, right?
Have you ever asked yourself how your privacy is protected while you use enterprise collaborative cloud-based software like Zoom?
In this publication we describe a technique which would have allowed a threat actor to perform exactly that type of attack, giving them access to everything you say or show in such a meeting.
All the details discussed in this publication were responsibly disclosed to Zoom. In response, Zoom introduced a number of mitigations, so this attack is no longer possible.
What have we seen?
You may already know that Zoom Meeting IDs are composed of 9, 10 or 11 digits. The problem was that unless you had enabled the "Require meeting password" option or the Waiting Room feature (which lets the host admit participants manually), those 9 to 11 digits were the only thing securing your meeting, i.e. the only thing preventing an unauthorized person from joining it.
Our researchers were able to predict ~4% of randomly generated meeting IDs, which is a very high chance of success compared to pure brute force.
Mitigation
We contacted Zoom in July 2019 as part of a responsible disclosure process and proposed the following mitigations:
- Re-implement the Meeting ID generation algorithm.
- Replace the randomization function with a cryptographically strong one.
- Increase the number of digits/symbols in Meeting IDs.
- Force hosts to use passwords/PINs/SSO for authorization purposes.
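The following is an added example written for this page, not Zoom's code and not the generator examined in the research. It models why the first two mitigations matter: a hypothetical non-cryptographic generator seeded from a low-entropy value lets an attacker who knows the scheme replay every ID it produces once the seed is guessed, while a CSPRNG-backed generator leaves nothing to recover. It also puts a number on the page's 4% figure: when the ID is the only secret, the attacker's cost per valid meeting is simply 1 / (fraction of the ID space that is live), and a password multiplies that cost by the size of the password space. The 11-digit ID length, the timestamp-style seed, the `is_live` oracle and the hit-rate arithmetic are all assumptions of this model.

```python
"""Hypothetical model of weak vs. cryptographically strong meeting-ID
generation and of the cost of guessing IDs when the ID is the only secret.
Added example for this page; not Zoom's implementation."""
import math
import random
import secrets
from typing import Callable, Iterable

ID_DIGITS = 11                      # assumption: fixed 11-digit IDs
ID_LOW = 10 ** (ID_DIGITS - 1)      # smallest 11-digit value
ID_SPACE = 10 ** ID_DIGITS


def weak_id_generator(seed: int) -> random.Random:
    """Hypothetical weak generator: a non-cryptographic PRNG (Mersenne
    Twister) seeded from a low-entropy value such as a timestamp. Anyone who
    can guess the seed can regenerate every ID it will ever hand out."""
    return random.Random(seed)


def weak_meeting_id(rng: random.Random) -> str:
    """Next ID from the weak generator, formatted as exactly ID_DIGITS digits."""
    return f"{rng.randrange(ID_LOW, ID_SPACE):0{ID_DIGITS}d}"


def strong_meeting_id() -> str:
    """CSPRNG-backed ID: no seed to recover and no internal state an
    attacker can advance."""
    return f"{ID_LOW + secrets.randbelow(ID_SPACE - ID_LOW):0{ID_DIGITS}d}"


def attacker_replays_weak(seed_candidates: Iterable[int],
                          is_live: Callable[[str], bool],
                          ids_per_seed: int = 100):
    """Attacker who knows the weak scheme but not the seed: for each candidate
    seed, regenerate the IDs it would produce and ask the oracle (in the
    research, the join page) which ones are live meetings. Returns the first
    seed that yields at least one live meeting, plus the IDs found."""
    for seed in seed_candidates:
        rng = weak_id_generator(seed)
        hits = {mid for mid in (weak_meeting_id(rng) for _ in range(ids_per_seed))
                if is_live(mid)}
        if hits:
            return seed, hits
    return None, set()


def attacker_guesses_random(is_live: Callable[[str], bool], guesses: int) -> int:
    """Blind guessing against strong IDs: the only strategy left is to sample
    the ID space uniformly and count live hits."""
    return sum(1 for _ in range(guesses) if is_live(strong_meeting_id()))


def guesses_per_live_meeting(live_fraction: float) -> float:
    """Expected random guesses until one live meeting is found when the ID is
    the only secret. At the page's ~4% figure this is 25 guesses, and note
    that ID length does not enter: what matters is the fraction that is live."""
    return 1.0 / live_fraction


def guesses_with_password(live_fraction: float,
                          alphabet_size: int, password_len: int) -> float:
    """Rough model of mitigation 4: a per-meeting password drawn from a
    space of alphabet_size**password_len multiplies the attacker's work."""
    return guesses_per_live_meeting(live_fraction) * alphabet_size ** password_len


if __name__ == "__main__":
    # Constructed scenario: a server created five meetings from a weak
    # generator seeded with a Unix timestamp the attacker can bracket.
    server_seed = 1_700_000_000
    rng = weak_id_generator(server_seed)
    live_meetings = {weak_meeting_id(rng) for _ in range(5)}
    oracle = live_meetings.__contains__

    seed, found = attacker_replays_weak(range(server_seed - 60, server_seed + 60), oracle)
    print(f"weak generator: recovered seed {seed}, {len(found)} of 5 meetings exposed")

    strong_live = {strong_meeting_id() for _ in range(5)}
    hits = attacker_guesses_random(strong_live.__contains__, 1000)
    print(f"strong generator: {hits} hits in 1000 blind guesses")
    print(f"ID-only, 4% live: {guesses_per_live_meeting(0.04):.0f} guesses per meeting")
    print(f"with 6-digit PIN: {guesses_with_password(0.04, 10, 6):.2e} guesses per meeting")
```

Run it as a script to see the two scenarios side by side: the seed-bracketing attacker recovers all five weakly generated IDs, whereas blind guessing against CSPRNG-generated IDs finds nothing in a thousand tries. The second half of the script is the point behind mitigation 4: even a 6-digit PIN turns 25 expected guesses into 25 million, which is why Zoom's password default, not just a longer ID, closes the hole.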
Zoom representatives were very collaborative and responded quickly to our emails. They made a number of changes to sufficiently address this vulnerability.
Read the full research at: research.checkpoint.com