Zoom is responding to a torrent of revelations about security and privacy issues in its platform. But enterprise concerns about application security holes and data privacy shouldn’t be limited to one platform.
For the makers of the Zoom virtual meeting platform, the past month is a vivid reminder of the old saying “be careful what you wish for.”
On the one hand: the extreme social distancing policies that accompanied the emergence of COVID-19 as a global pandemic turned Zoom from a “popular remote conferencing platform” to a “must-have application” in a matter of a week or so. That’s been good for business—to say the least. The company’s stock price has more than doubled since early November.
On the other hand, all that attention and all those millions of new users attracted lots of scrutiny—from online miscreants and curious security researchers, who have uncovered weaknesses and exploitable flaws in Zoom. In the past few days, for example, reports have highlighted the growing phenomenon of “Zoom bombing,” in which online trolls are joining and disrupting Zoom sessions for everything from elementary school classes to AA meetings. That prompted the FBI to issue a warning to schools and businesses conducting online meetings.
At the same time, independent security researchers have waded into the Zoom platform and discovered a wealth of security and reliability issues. That includes a report that disclosed a UNC path-injection vulnerability in the Zoom client for Windows that could allow a remote attacker to steal local Windows credentials using a malicious link.
To look at the coverage, one might easily conclude that Zoom is a uniquely insecure application: thrust by circumstances into the spotlight and then left to wilt under the klieg lights of public attention. But enterprises worried about the security warnings surrounding Zoom would do well to expand their gaze to other applications that are already in widespread use within their environment and take heart in Zoom’s proactive response over the past few days.
Same Stuff, Different Crisis
This much is true: the kinds of problems discovered in the Zoom application are not uncommon, nor are they limited to virtual meeting platforms. Take the UNC path injection flaw reported this week. According to a write-up by researcher Matthew Hickey (@hackerfantastic), the flaw could allow a malicious actor to trick a Zoom user into connecting to a remote server using the SMB (Server Message Block) file-sharing protocol. In the process, the Zoom user would unwittingly transmit her Windows login name and NTLM password hash to that remote server. An attacker could then use offline cracking tools like Hashcat to reveal the user’s password. Depending on the complexity of the password (and many Windows users continue to use weak passwords) that could take anywhere from minutes to months.
Compromising a user on a local machine might not seem like a big haul. However, as we’ve noted: even low-level, local credentials can be used in conjunction with tools like Mimikatz to forge Kerberos “Silver Tickets” as part of a privilege escalation and lateral movement campaign. So—“yes”—path injection is a real concern, especially given the nature of Zoom: which invites hundreds or more remote users to gather, interact and swap links via chat, etc.
But it's not as if Zoom is the only application sporting a path-injection flaw. In just one recent example, researchers from the firm Navisec demonstrated a nearly identical flaw in Microsoft Outlook using URI links back in July. Path-injection attacks are commonly launched against platforms like Microsoft Access as well, often using links in phishing email messages. In other words: these kinds of attacks are already a real threat to your organization via applications you are already using.
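Because the same UNC-link pattern shows up in chat and in email, a defender can screen message text for UNC paths that point outside the organization before they reach users. The sketch below is an added example, not code from Zoom, Navisec or the original article. It assumes a hypothetical internal DNS suffix (`.corp.example`), treats single-label names and RFC 1918 addresses as internal, and runs over constructed sample messages.

```python
import ipaddress
import re

# Assumption: DNS suffixes this organisation treats as internal (hypothetical).
INTERNAL_SUFFIXES = (".corp.example",)

# Address ranges treated as internal: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# \\host\share where host is a DNS/NetBIOS name or an IPv4 address.
# IPv6 literals are not handled by this pattern.
UNC_RE = re.compile(r"(?<!\\)\\\\([A-Za-z0-9][A-Za-z0-9.\-]*)\\([^\s\\]+)")


def is_external(host):
    """True when a UNC host would take an SMB connection off the internal network."""
    try:
        ip = ipaddress.ip_address(host)
        return not any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal, so treat it as a name
    name = host.lower().rstrip(".")
    if "." not in name:
        return False  # assumption: single-label names resolve locally
    return not name.endswith(INTERNAL_SUFFIXES)


def external_unc_links(text):
    """Return (host, share) for every UNC path in text that targets an external host."""
    return [(m.group(1), m.group(2))
            for m in UNC_RE.finditer(text) if is_external(m.group(1))]


# Constructed sample messages (not taken from any real meeting or mailbox).
SAMPLE_CHAT = [
    r"Slides are on \\fileserver01\marketing\q2.pptx",
    r"notes: \\files.corp.example\team\notes.txt",
    r"click here \\203.0.113.7\share\update.exe",
    r"agenda at \\meet-files.example.net\docs\agenda.docx please open",
    r"\\10.1.2.3\public\readme.txt",
]

if __name__ == "__main__":
    for msg in SAMPLE_CHAT:
        for host, share in external_unc_links(msg):
            print(f"external UNC link to {host} (share {share!r}): {msg}")
```
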
Privacy Concerns
The second tranche of damning reports on Zoom has addressed the privacy of Zoom sessions. Reporting by Joe Cox and Motherboard revealed that Zoom’s iOS mobile application was sending session data and a unique device identifier, including (rough) location data, to Facebook via a Facebook SDK (software development kit) that was used by the Zoom iOS app; the SDK was used to allow Facebook users to log into Zoom using their Facebook account. User data like usernames and passwords or other information wasn’t transmitted, but Zoom subsequently pulled the Facebook SDK from its iOS application.
That’s distressing. But it goes without saying that Zoom is hardly the only application provider leveraging the “Login with Facebook” feature. Any application that offers it to users can be presumed to have exposed the same kinds of data to Facebook as Zoom is alleged to have exposed.
More damning was the report by The Intercept that Zoom’s claims to offer “end-to-end” encrypted video sessions were, essentially, marketing. Pressed to explain whether an end-to-end encryption feature actually enabled end-to-end encryption, Zoom told Intercept reporters Micah Lee and Yael Grauer that, in fact, video sessions were merely secured with TLS—Transport Layer Security—the same level of protection given to encrypted websites. The difference between end-to-end encryption and TLS is vast. It means that Zoom, as the provider, has access to the unencrypted video. That could leave Zoom sessions subject to requests from law enforcement or government agencies.
Both reports are concerning. But, again, neither is that unusual these days. Sure, platforms like WhatsApp, Telegram and Facebook offer end-to-end encryption for messaging. But it is the exception rather than the rule. And even then, governments (including the U.S. government) have proposed and even enacted laws to prevent the use of such encryption or undermine it with government-sanctioned “back doors” designed to stop terrorists, sex traffickers and others. So, if your conclusion reading the Zoom coverage is that lack of end-to-end encryption is a deal breaker for your organization, you’re going to need to have an uncomfortable and one-sided conversation with most of your current application providers.
Zoom’s Real Message for Enterprises
As respected security researchers have pointed out: there is a problem with piling on to Zoom’s very real security flaws—especially now that everyone is using Zoom as a substitute for human-to-human interaction. By hyping the flaws with Zoom without providing context for them (that is: that they’re not unique to Zoom), the security community may scare organizations off of essential technology, or even send unwitting users rushing into the arms of equally flawed, or even less secure, alternatives.
We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe.
Dave Kennedy (@HackingDave), TrustedSec
Yes: there are real risks to using Zoom and other virtual meeting platforms. But there are clearly many benefits as well, especially in a time of “social distancing” and mandatory, pandemic-inspired lockdowns. The best response is not to panic, but to take a sober view of the situation: removing security risks where you can (say: by applying available software patches) and mitigating them where no fix is available. In the case of Zoom, the company has been responsive to researchers who have raised issues with its platform.
For the problem of trolls and “Zoom bombing,” the company published a guide to securing Zoom meetings from unwanted guests. It has issued special guidance for educators on securing virtual classrooms. On the privacy front, Zoom has updated its privacy policy, clarified its privacy policy for schools using Zoom for remote learning and corrected the language that describes the company’s use of encryption. For the UNC path injection flaw, administrators can configure Windows to block outbound SMB connections to external servers, which prevents hashed passwords from being transmitted off the network.
The bigger challenge for companies is to step back and look not just at Zoom but all the other “Zoom-like” applications your employees and business partners are using to conduct business. That includes other remote meeting platforms like Google Hangouts, Skype and GoToMeeting. It also should encompass Slack, Microsoft Meetings, GSuite and more.
As with Zoom, it is worthwhile to assess the risk those applications pose: what data and resources they have access to; what third party services they share data with; how secure they are; and what new attacks they may enable. Rather than throwing the application “baby” out with the bathwater, organizations can deploy proven strategies like enforcing strong and unique user passwords and “user least privilege” to prevent attackers from compromising end user accounts and gaining a foothold in your environment.