Over the past two months the coronavirus pandemic has forced millions of people to stay home, some working and some not. Employees have several applications to choose from that allow VoIP including video: Zoom, GoToMeeting, Skype, and many others. In particular, Zoom’s popularity skyrocketed as it became the video meeting service of choice for both personal and business use. The platform saw daily meeting participants surge to 300 million in April. As use of Zoom and other communication software increased, hackers found ways to exploit vulnerabilities.
Zoom CVEs – Anything from XSS to Remote Code Execution
The Zoom software isn’t new, but its surge in popularity after the COVID lockdowns put it on the map as an attack target. When vulnerabilities are found in software, they are published as Common Vulnerabilities and Exposures (CVE) so that the developer can remedy the issue. Several Zoom CVEs were published in 2020, with the worst of them allowing an attacker to take over a user’s microphone and camera. Older CVEs from 2019 indicated that an attacker could execute code remotely on a targeted user’s device, inject cross-site scripting (XSS) code, and escalate privileges on a remote computer.
With access to a user’s camera and microphone, an attacker could listen in on conversations and obtain private data from the organization’s employees. This issue would allow corporate espionage or disclose data about private intellectual property. Governments and other big organizations have been using Zoom to collaborate, so the implications from Zoom vulnerabilities can be huge.
The Zoom issues show how important it is to choose the right software for work functions. Although the business can mandate specific software, users on their own devices will install arbitrary applications and use them for personal reasons. This adds risk to the organization’s data should it be stored and used on a user’s personal device. Vulnerable conferencing software is just one attack vector that could be used to eavesdrop on data and listen in on strategy discussions during meetings.
Brute Forcing IDs
When an online conferencing appointment is set up in Zoom, a random ID is generated containing 9 to 11 digits. Because the ID has a fixed, short length, it can be brute forced. Brute forcing IDs involves “guessing” the right number: an attacker runs scripts that iterate through the possibilities until a valid one is found.
After obtaining an ID, attackers can join a Zoom meeting and listen to conversations. Attackers can also send messages to participants including malicious links. Since Zoom asks you to identify yourself before joining, the attacker can also pretend to be someone related to the organization.
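The defender’s side of the meeting-ID problem is sizing the ID space and spotting enumeration in join logs. The following Python, added here as an illustration and not part of the original article or of Zoom’s software, computes how many IDs a 9-to-11-digit space holds (assuming no leading zeros, which is an assumption about the ID format) and runs a sliding-window detector over constructed join-audit log lines whose format is invented for the example. A source that fails to join many distinct meeting IDs within a short window is the signature to alert on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for a hypothetical meeting-join audit log.
# The line format is an assumption for this example, not a real Zoom log format.
SAMPLE_LOG = """\
2020-04-20T10:00:01Z src=203.0.113.7 meeting_id=123456789 result=invalid
2020-04-20T10:00:02Z src=203.0.113.7 meeting_id=123456790 result=invalid
2020-04-20T10:00:03Z src=198.51.100.4 meeting_id=555000111 result=invalid
2020-04-20T10:00:03Z src=203.0.113.7 meeting_id=123456791 result=invalid
2020-04-20T10:00:04Z src=203.0.113.7 meeting_id=123456792 result=invalid
this line is malformed and is skipped by the parser
2020-04-20T10:00:05Z src=203.0.113.7 meeting_id=123456793 result=invalid
2020-04-20T10:00:06Z src=203.0.113.7 meeting_id=123456794 result=invalid
2020-04-20T10:00:10Z src=198.51.100.4 meeting_id=555000112 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) meeting_id=(?P<mid>\d+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one audit line into (timestamp, source, meeting_id, result) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["mid"], m["result"]


def id_keyspace(min_digits=9, max_digits=11):
    """Count the integers with min_digits..max_digits digits and no leading zero.

    Treating IDs as plain integers without leading zeros is an assumption made
    here to size the space; it is not a statement about Zoom's generator.
    """
    return sum(9 * 10 ** (d - 1) for d in range(min_digits, max_digits + 1))


def flag_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: peak_distinct_failures} for sources that fail to join at
    least `threshold` distinct meeting IDs within any sliding `window`.

    Lines are assumed to be in chronological order, as an audit log would be.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, meeting_id) failed joins
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, mid, result = parsed
        if result != "invalid":
            continue  # successful joins are not enumeration evidence
        q = recent[src]
        q.append((ts, mid))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        distinct = len({m for _, m in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    print("IDs in a 9-11 digit space:", id_keyspace())
    print("sources enumerating IDs:", flag_enumeration(SAMPLE_LOG))
```

The keyspace figure is what makes the point concrete: at roughly 10^11 candidates the space is small enough that an unauthenticated join endpoint without rate limits or meeting passwords can be probed, which is why the detector keys on distinct failed IDs per source rather than on total failures, so that one user retrying a mistyped ID does not trip the alert.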
In addition to brute-force attack vulnerabilities, the company also advertised end-to-end encryption, which was found to be untrue. Zoom uses transport encryption, which protects data as it’s transferred but not on the local device. This issue leaves data vulnerable on the user’s local device, including smartphones on iOS and Android.
Zoom’s CEO Eric Yuan admitted that Zoom was never intended to be a large-scale communication application. It was meant for quick meetings between individuals, and it’s a free platform for simple collaboration. Its boost in popularity is the major reason it became a target for attackers, and Zoom now faces several lawsuits over its poor cybersecurity, including alleged violations of the California Consumer Privacy Act. Zoom has announced security updates in response to these vulnerabilities.
Protecting Corporate Data
As employees continue to work from home, organizations must still protect customer data. This can be difficult when users are at home and use their own devices. There are plenty of other collaboration tools and VoIP applications available, and for highly sensitive information, communication should go through secure software with true end-to-end encryption. Using different communication software isn’t the only step you can take to protect data.
In many of the recent exploits, attackers send users malicious links to trick them into disclosing data including private credentials. You can train users to always be aware of the dangers of phishing and check links for legitimacy before entering user credentials. Instead of clicking links, it’s better to type the website directly into the browser before entering private credentials and information.
Company email filters can stop malicious links and attached documents, which reduces the risk of phishing. If users connect to the local network from home and use corporate internet connectivity, the organization can also use DNS filtering to block malicious links. DNS filtering stops users from reaching these malicious sites: when the client looks up the site’s domain name, the filtering resolver checks the name against a blacklist and refuses to resolve it if it is listed.
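The decision a filtering resolver makes is simple enough to model in a few lines. The Python below is an added example, not code from the original post or from TitanHQ’s products; the blocklist entries, the sinkhole address and the in-memory “upstream” resolver are all constructed placeholders so the script runs offline. It shows the one detail that matters in practice: matching on domain labels, so that any host under a listed domain is blocked while a merely similar-looking name is not, and it pulls the hostname out of a phishing-style link the same way an email filter would before asking the resolver.

```python
from urllib.parse import urlsplit

# Constructed blocklist of placeholder domains (not real indicators).
BLOCKLIST = {"malicious.example", "phish.example.net"}

# Address returned for blocked names so the client connects nowhere.
SINKHOLE = "0.0.0.0"

# Constructed stand-in for an upstream resolver; no network is used.
FAKE_UPSTREAM = {
    "intranet.example": "192.0.2.10",
    "www.malicious.example": "198.51.100.9",
}


def normalize(name):
    """Lower-case a DNS name and strip the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def is_blocked(name, blocklist=BLOCKLIST):
    """True if the name itself or any parent domain appears on the blocklist.

    Matching whole labels from the right avoids the substring mistake where
    'notmalicious.example' would match 'malicious.example'.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def fake_upstream(name):
    """Pretend recursive lookup against the constructed table."""
    return FAKE_UPSTREAM.get(name, "NXDOMAIN")


def filter_query(qname, upstream=fake_upstream, blocklist=BLOCKLIST):
    """Model of a filtering resolver's decision for one query.

    Returns ('block', SINKHOLE) for listed names, otherwise ('allow', answer)
    where answer comes from the upstream resolver callable.
    """
    if is_blocked(qname, blocklist):
        return "block", SINKHOLE
    return "allow", upstream(normalize(qname))


def hostname_from_link(url):
    """Extract the hostname an email link would send the browser to, or None."""
    host = urlsplit(url).hostname
    return normalize(host) if host else None


def check_link(url, blocklist=BLOCKLIST):
    """Combine the two steps: hostname extraction then the resolver decision."""
    host = hostname_from_link(url)
    if host is None:
        return "block", SINKHOLE  # no usable host: treat as unsafe
    return filter_query(host, blocklist=blocklist)


if __name__ == "__main__":
    for link in ("https://WWW.Malicious.example/login?x=1",
                 "https://intranet.example/portal",
                 "https://notmalicious.example/"):
        print(link, "->", check_link(link))
```

A real deployment does the same check inside the resolver the corporate network hands out by DHCP or VPN, which is why the article ties it to users routing through corporate connectivity: a personal device using its own ISP resolver never asks the filtering resolver at all.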
User training and the right email security together stop users from opening malicious sites. If your organization uses an insecure form of communication, it’s time to evaluate your current VoIP solution and find one that properly protects users from attackers.
TitanHQ is committed to providing safe and secure email and internet usage for our customers, partners and their users, now more than ever. Please get in touch, let us know how best we can support your efforts during this challenging time.