If you hadn’t heard of video conferencing software Zoom before we entered these unprecedented times, I am sure you have at least heard it mentioned by now.
I’m also going to assume that you’ve heard of it because of the recent security issues and concerns surrounding its use.
With most office-based workers in the UK, and indeed globally, now working remotely from home due to COVID-19, video conferencing applications such as Zoom have become immensely popular, and popularity brings its own issues.
With Zoom now under the microscope, its security is being scrutinised by skilled security researchers as well as by the bad guys.
Back in 2019 Jonathan Leitschuh found a vulnerability in the Mac version of the Zoom client that could allow a remote attacker to force a user to join a video call with their camera active. The cause was a web server that the Zoom client started on the local machine after a successful install. Even if the Zoom client was uninstalled, the web server remained, allowing any website to interact with it.
Fast forward to 2020 and the global pandemic we’re all facing: the Zoom client was found to be vulnerable to a UNC path injection within its chat feature. This could potentially allow an attacker to steal a Microsoft Windows user’s password hash for later cracking.
In terms of mitigation for this specific issue, most organisations that run corporate firewalls should already be blocking the port that SMB uses. However, with more people working from home, they might not have the same protection in place. Home users can change their local security policies and registry settings, but this may not be the easiest option for those who are non-technical.
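As an added, defender-side example (not code from the original article or from Zoom): a small Python scanner that picks UNC paths out of exported chat text and rates any path pointing at a host outside the assumed internal network as high severity, so a support or security team can spot chat messages that would make a Windows client reach out to an unknown file server. The internal DNS suffix, the sample messages and their IDs are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# A UNC path is two backslashes, a host (name, IPv4 or [IPv6]), a backslash and a share.
# Text is scanned as-is; chat exports that escape backslashes need unescaping first.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9_.\-\[\]:]+)\\([^\\\s]+)")

# Constructed assumption for this example: DNS suffix of the internal network.
INTERNAL_SUFFIXES = ("corp.example",)

@dataclass
class Finding:
    message_id: str
    host: str
    share: str
    severity: str  # "high" when the host is outside the assumed internal network

def is_internal_host(host):
    """Private IP, bare NetBIOS name or an internal DNS suffix counts as internal."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_private
    except ValueError:
        name = host.lower().rstrip(".")
        return "." not in name or name.endswith(INTERNAL_SUFFIXES)

def scan_message(message_id, text):
    """Return one Finding per UNC path found in a single chat message."""
    findings = []
    for match in UNC_RE.finditer(text):
        host, share = match.group(1), match.group(2)
        severity = "low" if is_internal_host(host) else "high"
        findings.append(Finding(message_id, host, share, severity))
    return findings

def scan_chat(messages):
    """Scan (message_id, text) pairs, e.g. rows from an exported chat log."""
    findings = []
    for message_id, text in messages:
        findings.extend(scan_message(message_id, text))
    return findings

# Constructed sample chat: one external path, two internal ones, one clean message.
SAMPLE_CHAT = [
    ("m1", r"Slides are here: \\share.example.net\docs\slides.pptx"),
    ("m2", r"or on the office server at \\fileserver\finance\q1"),
    ("m3", r"backup copy \\192.168.1.20\public\slides.pptx"),
    ("m4", "no file paths here, just https://example.com/agenda"),
]
```

Running `scan_chat(SAMPLE_CHAT)` returns three findings, with only the first (the host outside the internal network) rated high.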
What is a password hash I hear you say?
Well, password hashing is the act of transforming a plaintext password, through a one-way function, into a string of characters that looks random and cannot be directly turned back into the password.
OK, so an attacker won’t get my password, they’ll get a random bunch of characters; that doesn’t seem too bad.
Whilst that is true, that’s not the danger here. The problem is that password cracking has become very accessible over the years: the affordable Graphics Processing Units (GPUs) in today’s gaming PCs can perform thousands of guesses a second against the captured hash, so weak passwords can be found within seconds with the right list of words and hardware.
Amongst these issues, Zoom users have also faced attacks called Zoom bombing or Zoom raiding: random internet trolls join meetings and show inappropriate content to the other participants via screen sharing, which the default settings allow. Public Zoom links are easily found on social media platforms, and it is those that are being abused.
To make things worse, a piece of software has surfaced which automates the process of finding Zoom meetings that are not password protected.
What are Zoom doing about all of this?
It’s not all bad; let’s not forget that at the beginning of the COVID-19 outbreak Zoom announced that it was providing its video conferencing software to K-12 schools for free.
Zoom have also been fully transparent, with their recent statement pledging that “Over the next 90 days, we are committed to dedicating the resources needed to better identify, address, and fix issues proactively. We are also committed to being transparent throughout this process. We want to do what it takes to maintain your trust.”
How can I limit risk and keep my meeting safe?
There are a few things that you can do when hosting events to help minimise the associated risk.
Meeting Links – Generate a random meeting ID for each meeting, always ensure that a password is set for both computer and phone meetings, and only share your meeting link with people that you trust.
Waiting Room – Make use of the waiting room feature. This ensures that all participants are placed in the waiting room before the meeting starts, and the host can then admit them one by one.
Screen Sharing – Ensure that screen sharing is set to “Host-Only”. This stops participants from sharing their screen with the rest of the participants.
Participant Management – Only allow signed-in users to join. This ensures that only participants signed in with the email address they were invited through can join.
Chat function – Disable file sharing within the chat unless it is specifically needed, and remind users not to click on links unless they are sure they know what the link is for.
These are just a few tips that you can use to help reduce the risk associated with running the Zoom software. Should you need any further advice regarding any information in this article, or about securely working from home, please do not hesitate to contact us.
Bridewell Consulting also offer a password auditing service in which we export a copy of your hashed passwords and attempt to crack them, giving you a detailed breakdown of the quality of the passwords used throughout your organisation, which also gives you evidence of whether or not your current password policies are adequate.
Written by James Smith – Head of Penetration Testing and Principal Consultant