
Zoom Fixes Security Flaw Which Permitted Eavesdropping on Video Conferences

Video communications company Zoom has introduced a series of patches after it was revealed that a security flaw easily allowed potential hackers to join and eavesdrop on video meetings without an invitation.
Sputnik

Software and cybersecurity company Check Point Research announced Tuesday that Zoom has introduced “a number of mitigations” to strengthen its video and audio conferencing platform’s security after the research group identified a major privacy issue.

According to the cybersecurity research company’s release, a video conference could be accessed by a random user without a direct invitation simply by manually entering its Zoom Meeting ID, a 9-, 10- or 11-digit number corresponding to a given conference.

To test out an infiltrator’s ability to access an active meeting, Check Point researchers automated the process of guessing random 9-, 10- and 11-digit Zoom Meeting IDs and managed to “predict ~4% of randomly generated Meeting IDs.”

While there is a “require meeting password” option, it is not always selected by users of Zoom, which include Uber, Delta Air Lines, 60% of Fortune 500 companies and 96% of the top 200 US colleges and universities, reported The Hill.

With Zoom being utilized by such large organizations, meetings sometimes comprise thousands of people and are not necessarily being routinely monitored by the conference creators.

“It was sort of like Zoom roulette,” Yaniv Balmas, head of cyber research at Check Point, told The Verge earlier this week. “The implications would be, if you’re having a video chat and have multiple members joining, you may not notice if someone who isn’t supposed to be there is sitting there listening to you.”

After identifying the glaring vulnerability, Check Point contacted Zoom in July 2019 and proposed a number of mitigations, including a restructuring of its Meeting ID algorithm, replacing the randomization function of the IDs and forcing hosts of meetings to create a password, PIN or similar type of verification.

“We didn’t look at [other similar platforms], but what we found here is a shout out to them,” Balmas said. “You must look out for these kinds of things, for ways that unauthorized users can gain access, for any application that has access to your microphone or camera.”
