

Zoom Security Issues 2021 | Pwn2Own

2021-04-14
COVID-inspired remote work has made communications technology companies like Zoom indispensable for business, connecting staff, customers, students, teachers and families. Zoom surged forward as the communications frontrunner in 2020, as the solution of choice for businesses and educational enterprises with remote workers or students. Founded in 2011 and launched in 2013, Zoom was perfectly positioned to take on the world of remote work – but there have been some Zoom security issues along the way.

What Zoom Security concerns were seen in 2020?

In 2020 we discovered Zoombombing, when an uninvited guest joins a Zoom meeting in an effort to disrupt, and sometimes just to get a few laughs, by introducing pornography, racism, profanity, or any number of “fun” things into the unsuspecting Zoom meeting. This is often done using open or public Zoom meeting links, which are shared freely, allowing anyone to enter any meeting in progress, be it a college class or a board meeting. Zoombombing is illegal in countries like the USA, but that hasn’t stopped teenagers, hackers, script-kiddies and threat actors from taking advantage of this option. Zoom wasn’t impressed by Zoombombing, and in early April 2020 announced a few new features designed to improve Zoom security, including disabling “Embed Password in Meeting Link for One-Click Join” and “Screen Sharing” by default.

Zoombombing is far from the only Zoom flaw, as Zoom security issues have been linked to phishing scams, espionage, brute force attacks and keystroke snooping. Zoom also introduced two-factor authentication in 2020, and updated its privacy policies, which had been found lacking. But Zoom security was not just a 2020 issue.

What Zoom Security Issues were Discovered in 2021?

By chaining together three different flaws in the Zoom software, attackers are able to gain complete control of a PC or Mac through the Zoom desktop application. Frighteningly enough, all the user needed to do to fall victim was have their Zoom application up and running. While some of these Zoom security flaws are well known and have been exploited before, this process brought new flaws to light.

How were 2021 Zoom Security Issues Discovered?

Dutch security researchers Daan Keuper and Thijs Alkemade were responsible for demonstrating the most recent Zoom security issue at the annual Pwn2Own: Vancouver 2021 – ironic, as Zoom is one of the event’s biggest sponsors. Pwn2Own 2021 is a bi-yearly hacking competition, with 23 hacking teams targeting 10 products in different categories including web browsers, virtualization, servers, local escalation of privilege and enterprise communications. The Pwn2Own competition was streamed live on YouTube, Twitch and on the organizers’ own site, and is designed to highlight the need for more robust security solutions. At 1pm on April 7th, Team Computest, made up of Mr. Keuper and Mr. Alkemade, “used a three bug chain to exploit Zoom messenger and get code execution on the target system – all without the target clicking anything.”

Is Zoom Safe to use?

Despite the seemingly endless Zoom security issues, Zoom is still considered safe to use, unless you are discussing or accessing business-critical information. Pwn2Own rules state that software developers have 90 days to fix any flaws found in the competition, and Zoom has typically been pretty great at addressing issues. Zoom reached out directly to Tomsguide.com after the publication of their article, saying:

"We thank the Zero Day Initiative for allowing us to sponsor and participate in Pwn2Own Vancouver 2021, an event highlighting the critical and skilful work performed by security researchers. We take security very seriously and greatly appreciate the research from Computest. We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target's same organizational account. As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you've found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center."

What can you do about Zoom Security Issues?

Tomsguide.com suggests combatting Zoom security issues by using the Zoom browser interface and forgoing the Zoom desktop app until further notice. Just skip past all Zoom prompts to download the app.

PC Mag recommends that you update your Zoom apps to access any new security options available, set a unique password and ID for every Zoom call, create a waiting room for all invited participants, and ensure that only the host can share their screen. Creating an “Invite-Only” meeting is another great way of limiting access to your Zoom meeting, and locking a meeting once it starts is common sense. Zoom has many features which can restrict who can post or chat and who can see what, but the responsibility for setting the correct security options still falls mainly to the meeting leader or host.
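Because the settings above are left to each host, a small audit that checks every scheduled meeting against the same checklist is a practical way to catch the ones that slipped. The script below is an added example written for this article; it is not code from Sangfor, Zoom, PC Mag or Tom’s Guide. It works on a list of meeting records (the three sample meetings are constructed) and the field names it reads, such as `password`, `settings.waiting_room`, `settings.who_can_share_screen`, `settings.meeting_authentication` and `settings.use_pmi`, are assumptions chosen to mirror the recommendations, not a reference to Zoom’s real API schema.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data. The field names are ASSUMED for this illustration
# (they follow the shape of a meeting object but are not Zoom's documented schema).
SAMPLE_MEETINGS = [
    {"id": 1001, "topic": "Board meeting", "password": "Kx7!pq2zQ",
     "settings": {"waiting_room": True, "who_can_share_screen": "host",
                  "meeting_authentication": True, "use_pmi": False}},
    {"id": 1002, "topic": "Open office hours", "password": "",
     "settings": {"waiting_room": False, "who_can_share_screen": "all",
                  "meeting_authentication": False, "use_pmi": True}},
    {"id": 1003, "topic": "Weekly sync", "password": "Kx7!pq2zQ",
     "settings": {"waiting_room": True, "who_can_share_screen": "host",
                  "meeting_authentication": True, "use_pmi": False}},
]


@dataclass(frozen=True)
class Finding:
    meeting_id: int
    check: str
    detail: str


def audit_meeting(meeting: dict) -> list:
    """Check one meeting against the host-side recommendations; empty list = passes."""
    findings = []
    mid = meeting["id"]
    s = meeting.get("settings", {})

    # A passcode must be set; treat anything under 6 characters as missing.
    password = meeting.get("password") or ""
    if len(password) < 6:
        findings.append(Finding(mid, "password", "missing or shorter than 6 characters"))

    # Waiting room lets the host vet each joiner before they enter.
    if not s.get("waiting_room", False):
        findings.append(Finding(mid, "waiting_room", "waiting room disabled"))

    # Screen sharing should be restricted to the host.
    if s.get("who_can_share_screen", "all") != "host":
        findings.append(Finding(mid, "screen_sharing", "participants may share their screen"))

    # Invite-only: participants must sign in rather than join from a bare link.
    if not s.get("meeting_authentication", False):
        findings.append(Finding(mid, "invite_only", "anyone with the link can join"))

    # A reused personal meeting ID is the opposite of a unique ID per call.
    if s.get("use_pmi", False):
        findings.append(Finding(mid, "use_pmi", "personal meeting ID reused instead of a unique ID"))

    return findings


def audit_all(meetings: list) -> dict:
    """Audit every meeting, then flag passcodes shared between meetings."""
    report = {m["id"]: audit_meeting(m) for m in meetings}

    by_password = defaultdict(list)
    for m in meetings:
        if m.get("password"):
            by_password[m["password"]].append(m["id"])

    for ids in by_password.values():
        if len(ids) > 1:
            for mid in ids:
                others = [i for i in ids if i != mid]
                report[mid].append(
                    Finding(mid, "password_reuse", f"same passcode as meeting(s) {others}"))
    return report


if __name__ == "__main__":
    for mid, findings in audit_all(SAMPLE_MEETINGS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"meeting {mid}: {status}")
        for f in findings:
            print(f"  - {f.check}: {f.detail}")
```

In the sample data the open office-hours meeting fails every per-meeting check, while the two hardened meetings pass individually but are flagged for sharing one passcode, which is exactly the “unique password for every call” point that a per-meeting review would miss.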

Why Sangfor?

Enterprises can’t rely on independent companies to ensure their network security. No customer will excuse the loss of their personal information, and no CEO will laugh off a security breach made possible by a third-party application used for convenience. Zoom security issues are just one of billions of vulnerabilities and exploits loved by hackers the world over. Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions, and let Sangfor make your IT simpler, more secure and more valuable.