Are Snoopers Spying on Your Meetings?
Why passwords are crucial for video conferencing
Earlier this month, leading communication and collaboration brand Cisco warned all Webex users in enterprise companies about an automated online attack strategy that had come to light. The malicious system allowed outsiders to join meetings and listen to otherwise private conversations – often without the knowledge of the attendees.
Cisco published an “informational advisory” about an enumeration attack on Cisco Webex Meetings. This refers to a method by which attackers can quickly and easily guess the numerical identifier that provides access to a Webex meeting. According to Cisco, the attack method was identified by Cequence Security, which quickly warned Cisco that one of its Webex APIs had allowed an attacker to obtain meeting numbers and use them for ongoing access to conferences.
With this attack method, criminals would be able to tell when certain meeting numbers are in use, and whether a password is required to join.
Are Your Conversations Really Private?
Obviously, privacy and security are two major concerns for businesses of all sizes today. When you host a video meeting or online conference, you expect that conversation to be private. At this time, Cisco has not released a patch for the reported issue, stating that the problem isn’t a vulnerability with Webex, but a configuration problem. However, the Cisco team has offered recommendations to ensure that attackers can’t abuse the problems with the API.
The US company that found the vulnerability, Cequence Security, has also said that the issue affects video collaboration vendor Zoom. The Zoom brand caused a stir back in July when it appeared to be ignoring a bug that made Mac users vulnerable to remote attacks. According to Cequence, the “prying eye” vulnerability is an example of a new kind of attack that specifically targets web-conferencing APIs with a bot that cycles through and discovers meeting ID information.
Cequence says that if users aren’t assigning passwords to their meetings, anyone could potentially view or listen in on an active meeting. While the lack of a password does make it easier for users to join a meeting quickly, it also leaves companies unprotected in the current collaboration landscape.
Protecting Your Conversations
In the case of Cisco, the Webex Meetings app uses a nine-digit identifier that participants enter to join meetings from desktops and smartphones. The security issues around this strategy really only affect meetings that aren’t password-protected. If attackers were to join such a meeting, they’d still appear as a participant and could be removed by the host. However, if an attacker attempted to join a password-protected meeting, they wouldn’t be able to access the conversation in the first place.
Cisco notes that the default configuration requires passwords to set up meetings. Webex also offers randomly generated default passwords when setting up meetings that don’t mandate password protection.
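One way to spot the ID-cycling bot described above in API access logs, shown as an added example that does not come from Cisco, Cequence or the original article. The log format, thresholds and IP addresses are constructed assumptions, not a real Webex log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): <ISO time> <client IP> <9-digit meeting ID> <HTTP status>
WINDOW = timedelta(seconds=60)
MAX_DISTINCT_IDS = 5   # distinct meeting IDs one client may look up per window
MIN_MISS_RATIO = 0.8   # share of lookups in the window that matched no meeting

def parse(line):
    ts, ip, meeting_id, status = line.split()
    if not (meeting_id.isdigit() and len(meeting_id) == 9):
        raise ValueError(f"not a nine-digit meeting ID: {meeting_id!r}")
    return datetime.fromisoformat(ts), ip, meeting_id, int(status)

def find_enumerators(lines):
    """Return {client_ip: most distinct IDs seen in one window} for flagged clients."""
    recent = defaultdict(deque)  # ip -> (time, meeting_id, status) entries inside WINDOW
    flagged = {}
    for line in lines:
        try:
            ts, ip, meeting_id, status = parse(line)
        except ValueError:
            continue             # skip malformed lines rather than abort the scan
        window = recent[ip]
        window.append((ts, meeting_id, status))
        while ts - window[0][0] > WINDOW:
            window.popleft()     # drop lookups older than the sliding window
        distinct = {m for _, m, _ in window}
        misses = sum(1 for _, _, s in window if s == 404)
        if len(distinct) > MAX_DISTINCT_IDS and misses / len(window) >= MIN_MISS_RATIO:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

def sample_log():
    """Constructed sample: one client walking consecutive IDs, one normal attendee."""
    # 198.51.100.7 looks up 10 consecutive IDs in 10 seconds; only one exists.
    log = [f"2000-01-01T09:00:{i:02d} 198.51.100.7 {123456780 + i} "
           f"{200 if i == 4 else 404}" for i in range(10)]
    # 203.0.113.20 mistypes the ID once (8 digits), then joins the same meeting twice.
    log += ["2000-01-01T09:00:01 203.0.113.20 12345678 404",
            "2000-01-01T09:00:03 203.0.113.20 123456784 200",
            "2000-01-01T09:00:09 203.0.113.20 123456784 200"]
    return log

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The distinct-ID count and miss ratio are used together so that a participant who retries one meeting number several times is not flagged, while a client cycling through many numbers is.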