Why is the exclusive focus on Zoom, when the same “flaw” impacts almost all popular video conferencing apps?
In this Coronavirus era, as if daily news briefings on the pandemic-related deaths weren't enough, a new wave of “zoombombing” stories has been dominating headlines. In the U.S., politicians are even urging federal authorities (FTC for one) to take rigid action against Zoom, accusing the company of making hightenend claims about user privacy and security. As a Security Researcher then, I just had to look more into this!
Wikipedia defines Zoombombing or Zoom raiding as “the unwanted intrusion into a video conference call by an individual, which causes disruption.” The moniker gained notoriety during the COVID-19 crisis when many depend on Zoom for conferencing, remote schooling and working from home.
How is it done?
The concept is simple. Video conferencing apps depend on numeric meeting IDs to let participants join — this is customary for almost all apps: GoToMeeting, Webex, Skype, Joinme, Google Meet, and not something unique to Zoom. Some apps may allow for organisers to create meetings without requiring participants to enter additional security parameters (a PIN or a password, for example) when joining. How frustrating is it already for the participant to key in a meeting ID — especially when dialing in, let alone having to deal with a PIN on top.
A malicious actor who is able to either guess (enumerate) several meeting IDs consecutively, or has prior knowledge, simply joins an active Zoom meeting which is in progress, and posts lewd content in the meeting: pornography, obscene sounds, spam, etc.
The idea is to troll the participants and invite ridicule into the meeting, while some other blackhat hackers might choose to do this to educate people about security flaws in their daily workflow, albeit unethically.
Image credit: Sky News—Boris Johnson’s Twitter feed shows the prime minister taking part in a virtual cabinet Zoom meeting with the meeting ID (539–544–323) atop the window raising security and privacy concerns.
British PM Johnson tweeted a screenshot (which is still up) of virtual cabinet meeting taking place over Zoom, which drew further attention of some, calling the tweet a “security risk,” since it exposed the meeting ID.
Scapegoating Zoom
In all this ‘noise’ and security by press, however, Zoom got scapegoated because of its sheer popularity and widespread user preference across multiple domains: business, education, social groups — not because zoombombing is in itself an exploitable security vulnerability or risk unique to Zoom. The custom of letting participants join video conferences via meeting IDs, often without imposing PIN requirements, is nothing novel and has been practiced for decades…
Zoom even has security features to deter or prevent “zoombombing” altogether, such as screening participants prior to letting them join, or restrict a meeting only to certain logged in users. It is then the lazy or technologically inept meeting organisers who are not leveraging Zoom’s complete set of features, and not the product itself that's flawed.
Recent headlines which steer people’s attention towards Zoom smell more like a smear campaign designed by Zoom’s competitors than a major cause of concern.
My professional opinion is, “zoombombing” is not even an exploitable security vulnerability, strictly speaking in cybersecurity terms. It’s being misunderstood as such by a layperson.
It’s analogous to using any digital product out of the box — such as your WiFi router, without properly configuring it, and then later complaining that you got hacked because you didn’t setup a password. Simply switching your WiFi router brand in that case, would do no good to protect you, should you continue to engage in the same complacency of not setting up a WiFi password!
Protecting yourself
Always make sure your meeting IDs and links are shared only with the participants who are authorised to join them. For extra precaution, consider using PINs or passwords, on top. That way even if a malicious party is able to guess the meeting ID, the PIN serves as an extra layer of deterrent. A video conferencing organiser should also consider screening participants before letting them join a meeting — this can also be done seamlessly by keeping a meeting restricted to only a few people (logged in users).
In conclusion, a “flaw” that impacts almost all video conferencing apps, or has at some point, is now being uniquely attributed to Zoom, and this is misleading to users as it creates a false sense of security. Moving to a different conferencing app won’t safeguard you against “zoombombing” unless commonsense security measures are enforced by meeting organisers.
© 2020. Ax Sharma (Twitter). All Rights Reserved.
Previously published at https://medium.com/@_ax/zoombombing-an-overblown-phenomenon-not-a-vulnerability-9a3331536c54
