Cisco & Zoom – It’s Not All Rainbows & Sunshine in Collab

Cisco reveals another Zoom vulnerability

After witnessing what I believed to be an upward trend of collaboration companies actually collaborating, the recent news of yet another flaw in Zoom’s system caught me off guard. In a blog post titled “Our focus on security in an open collaboration world,” Sri Srinivasan, SVP/GM, Team Collaboration Group, Cisco, set the record straight: Cisco will not sacrifice end-user security for connectedness. He wrote:

“Interoperability and openness should never be a trade-off with security, and our users shouldn’t believe they need to sacrifice one over the other. Interoperability and security can and should work in unison, and this requires today’s software companies to work with some basic norms on how we collectively secure our mutual customers”

Srinivasan was responding to yet another verified weakness in Zoom’s conferencing platform. For me, this signified the dawn of a new era in workplace collaboration, which could shake up the market more than we expect, going into 2020. Collaboration mega brands have worked together in recent months, with news coming from Microsoft Ignite, Dreamforce, and other major tech conferences of collaboration software/hardware developers working together.

Today, what we’ve seen, I believe, could signify a paradigm shift. Companies like Cisco could, as a result, become even more insular and less willing to step across the aisle to make the connected workforce a reality, reverting to a not-so-distant history of non-collaboration across the vendor landscape.

Smaller Brands Are Upsetting Legacy Providers

From Cisco’s response, it is clear they are, at best, frustrated with Zoom. Such faults in a system can lead to a lack of investor confidence, and a loss of profit due to a sort of trickle-down effect that occurs after security threats get exposed.

The reality is, Cisco and Zoom need each other to thrive in an ever-changing collaboration market. Slack, BlueJeans, and Microsoft have all gained more traction in the past few months, giving the big brands a reason to be nervous in the game of dominating the collaboration sphere.

What Happened?

This is not the first time Zoom’s stirred the pot with Cisco. Back in July, we reported a US-based security startup made Cisco and Zoom aware of a dangerous exposure in one of Zoom’s APIs used for Webex. The threat made it easy for anyone to identify meeting IDs so they can eavesdrop on calls at their convenience. Zoom has since remedied the blunder.

Cisco says they were notified of another “Serious security risk with the Zoom Connector for Cisco on October 31, 2019.” They added, “We followed our well-established process to investigate the issue,” and went on to say, “We believe Zoom had also been notified on October 31, or thereabouts. On November 18, our CISO notified Zoom’s CISO of our findings and advised immediate action to address all security risks.”

In revealing the threat, Cisco effectively got out in front of the problem before it exploded in their faces. It also reinforced Cisco’s commitment to transparency and ensuring customers remain safe as hackers become increasingly imaginative. Diving back into the dilemma, the Zoom Connector for Cisco is owned and operated by Zoom Video Communications. It connects their cloud to a customer’s internal network as well as Cisco Endpoints/Video Devices and management interfaces. Srinivasan wrote on Cisco’s blog quite eloquently, so I will let him explain the problem in his words:

“Regrettably, the access (through a Zoom URL) for the Zoom Connector for Cisco hosted on zoom.us was accessible without authentication”

He went on to explain that the URL extended access to the device’s web interface by using Zoom’s on-premises API Connector to modify the Cisco web pages so users could access them from the Zoom URL outside their network.

The list of allegations went on, and there was even mention of a “Zoom landing page” that copied Cisco’s landing page, not excluding Cisco’s logo and branding. Cisco added that they believed Zoom did so with the intention of misleading customers to believe they’d arrived at Cisco’s website rather than a publicly accessible URL.

Zoom Reacts

In a statement to UC Today, Zoom shared its thoughts on the matter:

“Recently, Zoom became aware of a resolved security issue with the Zoom Connectors for Cisco, Poly, and Lifesize, the products that connect Zoom’s cloud platform to these hardware conference room systems for enterprise management and a one-touch experience.

Under certain circumstances, if an account administrator had logged into the Zoom Connector section of zoom.us and managed a Cisco, Poly, or Lifesize device through the Connector, and if a third-party gained access to the administrator’s browser history, the vulnerability could allow the third-party to log into the device with administrator privileges. To our knowledge, no customer has been impacted by this vulnerability.

On November 19, we released a patch on Zoom’s backend that fully resolved this vulnerability. While customers did not need to take any action, last week we did alert any customer with a Zoom Connector that they should check their device logs in the Room Management section of their Administrator portal for any unusual activity or unauthorized access. The privacy and security of Zoom’s users is our top priority. We were glad we could resolve this matter to ensure the continued security of our platform.”

Zoom’s Complicated History with Cisco

If you recall, Zoom’s Founder, Eric Yuan, previously worked for Webex. When Cisco acquired Webex, he parted ways because he didn’t like the direction Cisco was going in. You can view him as a sort of rogue ex-employee who is also friendly.

He recently sat down for an exclusive interview with UC Today Journalist and Presenter, Patrick Watson, to chat about collaboration industry trends. Something from that interview stuck out to me – the fact that Yuan said happiness is what he looked forward to in the mornings. He responded,

“I want to come to the office and see the happy faces of employees”

For me, his response came off as genuine. He even earned a lot of points in my book. Not to mention Zoom’s robust offering, which is used by millions of enterprise users daily. Nevertheless, Yuan appears to have two sides. Although he’s a nice guy, he remains on a mission to rule over Cisco’s empire.

Collaboration Vendors Are Fast to React

Why did Cisco expose Zoom’s Achilles’ heel? I would say, to whip them into shape, and to let them know they will stop at nothing to ensure their customer-base always knows they are safe. They also want to send a message to customers that they should be able to enjoy the flexibility of the cloud and interoperability, which “Comes with zero compromises on security and data integrity,” according to Cisco.

Other prominent collaboration players have since criticized Zoom. Michael Helmbrecht, COO, Lifesize, recently said in an exclusive UC Today interview that organizations find it difficult to roll out Zoom organization-wide because of what he calls a “Zoom Tax.” The most clever response of them all was 8×8’s. They released a free version of 8×8 Video Meetings, giving Zoom some major competition, and perhaps hoping to make them think twice about their pricing structure.

 

Chris Diaz 17:47, 27 Nov 2019

The troubling aspect for me has to do with the fact that this vulnerable URL was masked to look like it was a Cisco internal GUI. They ripped Cisco’s logo and tried to make it look like Cisco, all the while allowing such an egregious vulnerability. No auth, doesn’t time out, password reset didn’t fix. So, you either have to be incredibly inept at your job or there was malicious intent behind a purposeful workaround for ease-of-use. Then, they omit a ton of information in their comms to their customers, prompting Cisco to be the ones who are fully transparent.

Zoom is a band-aid of a product that relies too much on other companies to work. Their support and overall process is flawed. Their customer scores are dwarfed by Cisco’s. This really should be the nail in the coffin for Zoom. They should have gone through the process to get their connector certified, but instead they opted to “YOLO” it. Cisco works with many competitors who are willing to work on the same level as them when it comes to customers’ security. This connector is not supported for the obvious reasons. I left Zoom for Cisco a long time ago and am incredibly happy I did now.
