Check Point Software Technologies today revealed that it discovered a security flaw that potentially allowed cybercriminals to eavesdrop on video calls hosted on Zoom.
Yaniv Balmas, head of Cyber Security Research for Check Point, said Zoom resolved the issue last fall, but no one can know for sure if cybercriminals might have figured out how to compromise Zoom video calls on their own using the same technique.
Check Point researchers discovered a way to guess Zoom meeting IDs by automatically generating large numbers of candidate IDs and keeping those that Zoom confirmed as valid, which allowed them to join meetings that were not password-protected. Check Point claims to have been able to join the meeting pages of conference calls hosted by employees of Victoria’s Secret and HBO, and its researchers were able to predict ~4% of randomly generated meeting IDs, a very high rate of success for this kind of guessing.
Once informed of the flaw, Zoom made passwords the default for all future scheduled meetings. Users can now also add a password to already scheduled future meetings, and password settings are enforceable at the account level and group level by the account administrator. Zoom also no longer automatically indicates whether a meeting ID is valid or invalid: for each attempt, the page simply loads and attempts to join the meeting. That means a bad actor can no longer quickly narrow the pool of meetings worth attempting to join. Finally, repeated attempts to scan for meeting IDs will cause a device to be blocked for a period of time.
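The mitigations above, as an added example that is not Zoom's or Check Point's code: a toy join endpoint in the weak "validity oracle" form beside a hardened form that gives a uniform response for unknown IDs and wrong passwords and locks a device out after repeated attempts. The meeting IDs, passwords, attempt threshold and window are constructed assumptions for illustration.

```python
import time
from collections import defaultdict

# Constructed sample data: meeting ID -> required password. Not real Zoom IDs.
MEETINGS = {
    "111222333": "a1b2c3",
    "444555666": "s3cret",
}

MAX_ATTEMPTS = 5      # assumed: join attempts a device may make per window
WINDOW_SECONDS = 60   # assumed: length of the lockout window


class JoinService:
    """Weak and hardened join handlers modelled on the article's before/after."""

    def __init__(self):
        self._attempts = defaultdict(list)  # device_id -> attempt timestamps

    def join_with_oracle(self, meeting_id):
        # Weak behaviour: the response itself reveals whether the ID exists, so a
        # scanner can discard misses instantly and collect only live meetings.
        if meeting_id not in MEETINGS:
            return "invalid meeting id"
        return "joining"

    def _blocked(self, device_id, now):
        # Keep only attempts inside the current window and compare to the cap.
        recent = [t for t in self._attempts[device_id] if now - t < WINDOW_SECONDS]
        self._attempts[device_id] = recent
        return len(recent) >= MAX_ATTEMPTS

    def join_hardened(self, device_id, meeting_id, password=None, now=None):
        now = time.time() if now is None else now
        if self._blocked(device_id, now):
            return "blocked"  # repeated scanning locks the device out for the window
        self._attempts[device_id].append(now)
        # Uniform response: an unknown ID and a wrong password are indistinguishable,
        # so the endpoint no longer confirms which IDs are valid. Passwords are
        # required, matching the new default for scheduled meetings.
        if MEETINGS.get(meeting_id) is None or MEETINGS[meeting_id] != password:
            return "attempting to join"
        return "joining"
```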
Balmas said Check Point researchers believe there are most likely many other “hacks” that can be employed to gain access to communications services. IT organizations should assume that, given the sensitive nature of many of the conversations occurring on these platforms, a bad actor is eavesdropping. In many instances, those bad actors might simply have compromised the credentials of any one of the meeting participants. Those bad actors are frequently individuals who work for nation-states and are employed specifically to find ways to hack services such as Zoom as part of well-funded cyber espionage campaigns, he noted.
The fact that a communication service delivered via the cloud can be hacked should not deter users from employing these applications, said Balmas, noting the productivity benefits of such applications are too great to ignore. However, users should not assume those communications are entirely private—attendees should watch what they say and share using these platforms, he said.
Regardless of how organizations employ communications services, the attack surface that needs to be defended has expanded in a new direction that many cybersecurity teams might easily overlook, Balmas pointed out. The challenge cybersecurity teams now face is not only educating users on the potential dangers but also keeping track of the latest hacks to compromise the integrity of those services.