Zoom fixes security flaw that could have let hackers join video conference calls

Vulnerability in Zoom discovered by researchers could have allowed attackers access to meetings - and an easy means of corporate espionage.


A security vulnerability in one of the world's most commonly used enterprise video conferencing tools could have allowed hackers to eavesdrop on private business meetings.

Zoom is used by over 60% of Fortune 500 companies and over 96% of the top 200 universities in the US. These organisations use the conferencing tool as a means of easily conducting remote meetings, complete with live audio and video feeds, as well as screen sharing and file transfers.

However, researchers at cybersecurity company Check Point found it was possible to exploit the way Zoom generated URLs for virtual conference rooms and use this to eavesdrop on meetings. By using automated tools to generate random meeting room IDs, researchers found that they could generate links to genuine Zoom meetings without password protection 4% of the time during tests.

And because the meeting IDs were guessed at random, this trick couldn't be used for targeted attacks against a particular organisation; but if attackers happened to find a room of interest, they could keep returning to it unless a password was added later.


While it would be possible for members of the virtual room to notice that the attacker had joined the call, often these meetings are very busy, so one more member might not raise alarm bells.

"The additional member would be visible to others in the meeting if they look at the 'participants' window in Zoom. But in many cases, Zoom conferences can have 10 or more participants, so the hacker may not be noticed in a large list," Alexander Chailytko, cybersecurity research and innovation manager at Check Point, told ZDNet.

Not having a password for meetings was the default setting for scheduled meetings using Zoom, but following the disclosure of the vulnerability by Check Point, the teleconference software provider fixed the issue with a security update and added new functionality – including adding passwords by default for meetings, additional cryptography, and disabling the ability to randomly scan for meetings to join.
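Zoom's fix included disabling random scanning for meetings. The following is an added example, not code from the article, Zoom or Check Point, of how a conferencing service could spot that scanning pattern on its own side: it runs over a constructed set of join-attempt log lines (the log format, client addresses, meeting IDs and thresholds are all assumptions) and flags clients that probe many distinct meeting IDs and mostly miss, which is what random ID guessing looks like, as opposed to a user who mistyped one ID.

```python
# Added example: server-side detection of meeting-ID scanning.
# Log format, addresses, IDs and thresholds are constructed assumptions.
from collections import defaultdict

# Constructed sample log lines: timestamp, client, meeting id, outcome.
SAMPLE_LOG = """\
2019-08-01T10:00:01 client=10.0.0.5 meeting=123456789 result=joined
2019-08-01T10:00:02 client=10.0.0.9 meeting=111111111 result=not_found
2019-08-01T10:00:02 client=10.0.0.9 meeting=222222222 result=not_found
2019-08-01T10:00:03 client=10.0.0.9 meeting=333333333 result=not_found
2019-08-01T10:00:03 client=10.0.0.9 meeting=444444444 result=password_required
2019-08-01T10:00:04 client=10.0.0.9 meeting=555555555 result=not_found
2019-08-01T10:00:05 client=10.0.0.9 meeting=666666666 result=joined
2019-08-01T10:00:06 client=10.0.0.7 meeting=123456789 result=joined
2019-08-01T10:00:07 client=10.0.0.7 meeting=123456789 result=joined
"""


def parse_line(line):
    """Split one log line into (client, meeting id, result)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["client"], fields["meeting"], fields["result"]


def find_scanners(log_text, min_distinct=5, min_miss_ratio=0.6):
    """Return {client: (distinct_ids, miss_ratio)} for clients whose
    join attempts touch many distinct meeting IDs and mostly fail with
    'not_found'. A guessed ID that happens to exist (the article's 4%)
    still counts towards the distinct-ID total, so a scanner that gets
    lucky once is not hidden by its single success."""
    ids = defaultdict(set)
    attempts = defaultdict(int)
    misses = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, meeting, result = parse_line(line)
        ids[client].add(meeting)
        attempts[client] += 1
        if result == "not_found":
            misses[client] += 1
    flagged = {}
    for client, seen in ids.items():
        ratio = misses[client] / attempts[client]
        if len(seen) >= min_distinct and ratio >= min_miss_ratio:
            flagged[client] = (len(seen), round(ratio, 2))
    return flagged


if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # {'10.0.0.9': (6, 0.67)}
```

In the sample, only the client that tried six different IDs and missed four times is flagged; the user who retried the same real meeting twice is not.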

Check Point said Zoom responded to the disclosure "very seriously" when it was made in August 2019 and that communications over the issue were very swift. While it's unknown if the vulnerability has been used in the wild, the update means it can no longer be abused. 

"The privacy and security of Zoom's users is our top priority. The issue was addressed in August of 2019, and we have continued to add additional features and functionalities to further strengthen our platform. We thank the Check Point team for sharing their research and collaborating with us," a Zoom spokesperson told ZDNet. 


Because any teleconferencing platform could harbour a similar weakness, the recommendation for businesses is to make sure that calls are password protected regardless of which software they use.

"As a minimum, users should always use password protection for conferences, so even if an individual inadvertently stumbles on a conference ID, they cannot join without the password," said Chailytko.
