Categories: Technology

“Zoombombing” — an exaggerated phenomenon, not a vulnerability.

Why is the exclusive focus on Zoom, when the same “flaw” impacts almost all popular video conferencing apps?

In this Coronavirus era, as if daily news briefings on pandemic-related deaths weren't enough, a new wave of "zoombombing" stories has been dominating headlines. In the U.S., politicians are even urging federal authorities (the FTC, for one) to take firm action against Zoom, accusing the company of making overstated claims about user privacy and security. As a security researcher, then, I had to look into this!

Wikipedia defines Zoombombing (or Zoom raiding) as "the unwanted intrusion into a video conference call by an individual, which causes disruption." The term gained notoriety during the COVID-19 crisis, when many came to depend on Zoom for conferencing, remote schooling and working from home.

How is it done?

The concept is simple. Video conferencing apps rely on numeric meeting IDs to let participants join; this is customary across almost all of them (GoToMeeting, Webex, Skype, join.me, Google Meet) and is not unique to Zoom. Some apps let organisers create meetings without requiring participants to supply any additional secret (a PIN or a password) when joining. Keying in a meeting ID is already a nuisance for participants, especially when dialling in by phone, so many organisers skip the PIN on top of it. The consequence is that the meeting ID becomes the only thing standing between an outsider and the call, and a numeric ID that participants read out over the phone, paste into calendar invites and leave visible in screenshots is not a secret.

A malicious actor who either guesses (enumerates) meeting IDs until one resolves to a live meeting, or already knows an ID, simply joins the meeting in progress and posts lewd content: pornography, obscene sounds, spam, and so on. Enumeration is feasible because an ID is a short number rather than a secret, and because joining by ID is deliberately frictionless.

The idea is to troll the participants and bring ridicule into the meeting; some other blackhat hackers might claim they do it to educate people about security flaws in their daily workflow, which does not make it any more ethical.

Image Credit: Sky News: Boris Johnson’s Twitter feed shows the prime minister taking part in a virtual cabinet Zoom meeting with the meeting ID (539–544–323) atop the window raising security and privacy concerns.

British PM Johnson tweeted a screenshot (which is still up) of a virtual cabinet meeting taking place over Zoom, which drew criticism from some who called the tweet a "security risk," since it exposed the meeting ID. That is precisely the "prior knowledge" path described above: the screenshot hands an outsider the one value needed to attempt a join.

Scapegoating Zoom

In all this noise and trial by headline, however, Zoom got scapegoated because of its sheer popularity and widespread use across multiple domains (business, education, social groups), not because zoombombing is in itself an exploitable security vulnerability unique to Zoom. Letting participants join a video conference by meeting ID, often without a PIN, is nothing novel; conference bridges have worked that way for decades.

Zoom also ships controls that deter or prevent "zoombombing" outright: screening participants before letting them join (a waiting room), setting a password on the meeting, and restricting a meeting to signed-in users only. Where those controls go unused, the gap lies with lazy or technologically inept meeting organisers who are not leveraging Zoom's complete set of features, not with the product itself. The one fair criticism a practitioner can level is about defaults: a control that exists but is off by default will be off for most meetings, and secure defaults are part of a product's job.

Recent headlines that steer people's attention towards Zoom read more like a smear campaign by Zoom's competitors than a major cause for concern.

My professional opinion is that, strictly speaking in the usual cybersecurity sense, "zoombombing" is not an exploitable security vulnerability at all: no bug is triggered and no control is bypassed. An uninvited party uses the join-by-ID feature exactly as designed, against a meeting whose organiser chose not to enable the controls that would have stopped them. Laypeople misread that as a flaw in the software.

It is analogous to using any digital product out of the box, such as your WiFi router, without properly configuring it, and then complaining that you got hacked because you never set a password. Simply switching router brands in that case would do nothing to protect you, should you continue to leave the WiFi password unset.

Protecting yourself

Always make sure your meeting IDs and links are shared only with the participants who are authorised to join, and do not publish them: a screenshot of the meeting window that shows the ID is as good as an invitation. For extra precaution, set a PIN or password on the meeting; then even if a malicious party guesses the ID, the PIN is a second secret they must also supply. Organisers should also screen participants before admitting them to the meeting (a waiting room), and can go further by restricting the meeting to signed-in users, or to a specific list of invitees. Each control closes a different path: the password defeats a guessed ID, the waiting room catches a leaked ID-plus-password, and the sign-in requirement ties every attendee to an account.
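As an added example (not code from the original article, and not Zoom's implementation), here is a small Python model of the join controls listed above: an ID alone, an ID plus password, a waiting room that holds joiners for host approval, and a meeting restricted to signed-in accounts. It runs the same three join attempts (an intruder who only has the ID, an invitee with the password, and a signed-in staffer) against an open meeting, a password-protected meeting and a locked-down one. The class and function names, the meeting ID, the password and the account names are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Outcome(Enum):
    ADMITTED = "admitted"
    WAITING_ROOM = "held in waiting room for host approval"
    DENIED = "denied"


@dataclass
class Meeting:
    """Hypothetical meeting record; every control below defaults to 'off'."""
    meeting_id: str
    password: Optional[str] = None          # None = anyone with the ID can join
    waiting_room: bool = False              # host screens joiners before admitting
    signed_in_only: bool = False            # joiner must present an account
    allowed_accounts: Set[str] = field(default_factory=set)  # empty = any signed-in account


@dataclass
class JoinAttempt:
    meeting_id: str
    password: Optional[str] = None
    account: Optional[str] = None


def evaluate_join(meetings: Dict[str, Meeting], attempt: JoinAttempt) -> Outcome:
    """Apply the controls in order; the first one the joiner fails ends the attempt."""
    meeting = meetings.get(attempt.meeting_id)
    if meeting is None:
        return Outcome.DENIED                         # guessed ID did not resolve
    if meeting.password is not None:
        supplied = (attempt.password or "").encode()
        # Constant-time comparison so a wrong password cannot be guessed
        # character by character from timing differences.
        if not hmac.compare_digest(meeting.password.encode(), supplied):
            return Outcome.DENIED
    if meeting.signed_in_only:
        if attempt.account is None:
            return Outcome.DENIED
        if meeting.allowed_accounts and attempt.account not in meeting.allowed_accounts:
            return Outcome.DENIED
    if meeting.waiting_room:
        return Outcome.WAITING_ROOM                   # host still has to admit
    return Outcome.ADMITTED


def demo() -> Dict[str, Outcome]:
    """Same joiners, same (constructed) meeting ID, three configurations."""
    mid = "123456789"  # made-up ID, e.g. read off a published screenshot
    intruder = JoinAttempt(meeting_id=mid)
    invitee = JoinAttempt(meeting_id=mid, password="cabinet-7")
    staffer = JoinAttempt(meeting_id=mid, password="cabinet-7",
                          account="staffer@example.gov")

    open_meeting = {mid: Meeting(mid)}
    with_password = {mid: Meeting(mid, password="cabinet-7")}
    locked_down = {mid: Meeting(mid, password="cabinet-7", waiting_room=True,
                                signed_in_only=True,
                                allowed_accounts={"staffer@example.gov"})}

    return {
        "open/intruder": evaluate_join(open_meeting, intruder),
        "password/intruder": evaluate_join(with_password, intruder),
        "password/invitee": evaluate_join(with_password, invitee),
        "locked/invitee": evaluate_join(locked_down, invitee),
        "locked/staffer": evaluate_join(locked_down, staffer),
        "open/wrong-id": evaluate_join(open_meeting, JoinAttempt(meeting_id="987654321")),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} -> {outcome.value}")
```

The point the table of outcomes makes is the one in the paragraph above: the intruder's guessed ID gets them straight into the open meeting, is stopped by the password, and even a leaked ID-plus-password only reaches the waiting room once the host screens joiners and requires a recognised account.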

In conclusion, a "flaw" that affects almost all video conferencing apps, or has at some point, is now being attributed uniquely to Zoom, and that is misleading to users because it creates a false sense of security. Moving to a different conferencing app won't safeguard you against "zoombombing" unless the meeting organiser enforces commonsense controls.

© 2020. Ax Sharma (Twitter). All Rights Reserved.
Originally appeared on dev.to.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
