The Verge reports that a group of security professionals were able to use brute-force attacks to access sensitive details about almost 2,400 Zoom meetings in a single day.
An automated tool developed by security researchers is able to find around 100 Zoom meeting IDs in an hour and information for nearly 2,400 Zoom meetings in a single day of scans, according to a new report from security expert Brian Krebs.
Security professional Trent Lo and members of SecKC, a Kansas City-based security meetup group, made a program called zWarDial that can automatically guess Zoom meeting IDs, which are nine to 11 digits long, and glean information about those meetings, according to the report.
In addition to being able to find around 100 meetings per hour, one instance of zWarDial can successfully determine a legitimate meeting ID 14 percent of the time, Lo told Krebs on Security. And as part of the nearly 2,400 upcoming or recurring Zoom meetings zWarDial found in a single day of scanning, the program extracted a meeting’s Zoom link, date and time, meeting organizer, and meeting topic, according to data Lo shared with Krebs on Security.
The number was high enough that Zoom is now questioning whether its move to require meeting passwords by default has actually taken effect for every account. Its statement:
“Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out. We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”
Additionally, The Intercept reports that Zoom’s encryption appears to have serious flaws.
Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto […]
They conclude […] that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.
The Citizen Lab researchers at the University of Toronto also found that the encryption is weaker than Zoom claims, and that even the weaker standard is applied in a particularly poor way.
The company claims that Zoom meetings are protected using 256-bit AES keys, but the Citizen Lab researchers confirmed the keys in use are actually only 128-bit. Such keys are still considered secure today, but over the last decade many companies have been moving to 256-bit keys instead.
Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook (ECB) mode, “which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input,” according to the Citizen Lab researchers. In fact, ECB is considered the worst of AES’s available modes.
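The "preserves patterns in the input" point above is easy to see in code. The following Go program is an added example written for this page; it is not Zoom's code and not from the Citizen Lab report. It uses only Go's standard library (which deliberately ships no ECB helper, so ECB is spelled out as one block-cipher call per 16-byte block), a constructed 16-byte and 32-byte key, a zero IV, and a constructed plaintext made of one 16-byte block repeated four times. It then counts how many ciphertext blocks are identical to an earlier one under ECB versus CBC, and reports the AES key size that a 16-byte and a 32-byte key actually give, which is the 128-bit versus 256-bit distinction in the quote.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies AES to each 16-byte block independently with the same key.
// That is all ECB mode is, which is why identical plaintext blocks produce
// identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// cbcEncrypt chains blocks: each plaintext block is XORed with the previous
// ciphertext block (or the IV) before encryption, so repeated input blocks
// no longer yield repeated output blocks.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// countRepeatedBlocks returns how many 16-byte ciphertext blocks are byte-for-byte
// identical to an earlier block in the same ciphertext. Any non-zero result is a
// pattern leaking straight through the encryption.
func countRepeatedBlocks(ciphertext []byte) int {
	seen := make(map[[16]byte]bool)
	repeats := 0
	for i := 0; i+16 <= len(ciphertext); i += 16 {
		var b [16]byte
		copy(b[:], ciphertext[i:i+16])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// keyBits reports the AES key size in bits for a raw key (128, 192 or 256),
// or 0 if AES rejects the key length.
func keyBits(key []byte) int {
	if _, err := aes.NewCipher(key); err != nil {
		return 0
	}
	return len(key) * 8
}

func main() {
	// Constructed demo keys, not real Zoom keys: 16 bytes is AES-128, 32 bytes is AES-256.
	key128 := []byte("0123456789abcdef")
	key256 := []byte("0123456789abcdef0123456789abcdef")
	iv := make([]byte, 16) // all-zero IV; acceptable only for a one-off demonstration

	// Constructed plaintext with an obvious pattern: the same 16-byte block four times.
	plaintext := bytes.Repeat([]byte("MEETING ID 12345"), 4)

	ecb, _ := ecbEncrypt(key128, plaintext)
	cbc, _ := cbcEncrypt(key128, iv, plaintext)

	fmt.Printf("AES-%d ECB: %d of 4 ciphertext blocks repeat an earlier block\n", keyBits(key128), countRepeatedBlocks(ecb))
	fmt.Printf("AES-%d CBC: %d of 4 ciphertext blocks repeat an earlier block\n", keyBits(key128), countRepeatedBlocks(cbc))
	fmt.Printf("a 32-byte key gives AES-%d\n", keyBits(key256))
}
```

Under ECB the three trailing blocks are exact copies of the first, so anyone observing the ciphertext can tell where the input repeats; under CBC none repeat. The same check (split the ciphertext into 16-byte blocks, look for duplicates) is how the pattern leak is spotted in captured traffic. Note that CBC here only illustrates the chaining fix; a modern design would use an authenticated mode such as AES-GCM, which also protects against tampering.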
The company is responding, but if you’re not already using one of the many alternatives out there, the latest Zoom vulnerabilities may persuade you to do so. Among my tech friends, Whereby seems to be a popular choice.