Cequence Security is a US-based security startup that pays extra attention to the security of applications, researchers there designed and automated a bot that scans lists of active conferences. They successfully breached unprotected meeting rooms as a result, exposing a fault in Cisco Webex and Zoom’s conferencing platforms. The US-based firm first made Cisco and Zoom aware of the exposure back in July, letting them know one of the APIs used for Webex makes it easy for anyone to identify meeting IDs so they can eavesdrop on calls at their convenience.
Cisco has since warned end-users about the flaw exposed by the automated attack, which lets anyone with a link join in on meetings and possibly obtain valuable enterprise information. According to a recent Tech Crunch article, Cequence warned about the fault in their systems, which they promptly fixed.
How Is This Even Possible?
There are several reasons for the flaw the researchers found in the popular conferencing offerings, including a limited number of meeting IDs, users not protecting meetings with a password, and more. The one saving grace is that meeting attendees are announced in both conferencing platforms.
Cisco maintained that it was not ‘aware’ the fault was used for malicious purposes, while Zoom said it was ‘grateful’ for the researchers’ information. Zoom added, they were able to put more security measures in place to mitigate the risk of malicious intrusion on private meetings.
In a recent Cisco TV web series, Director of Cisco Webex Security, Niraj Gopal, opened up about the changing work environment, in which employees rely on robust collaboration software to connect them. We’re now talking about a more mobile workforce, which has seen a bump in the number of mobile workers who exist worldwide. Addressing security the potential for security breaches, Gopal reassured users – Webex was ‘highly’ encrypted to secure data, further stating:
“That key is only available to those who are in that space. You can take that key management service and host it in your data center”
Gopal added, “you get the flexibility, agility, and speed of the cloud with the security of an on-premises solution.”
Advice From a Security Expert
Jonathan Knudsen is a Senior Security Strategist at Synopsys, who offered a piece of advice to help end-users avoid these kinds of intrusions. According to Knudsen
“Some rudimentary user education would help people make better choices. For example, when running an online meeting, make sure you can identify all users who have joined”
He stressed the point – if you want information from your meetings to stay confidential, it is key to use a password to protect against intruders. Further providing insight, he commented, ‘you should protect meeting recordings with similar vigilance.’
Knudsen also wrote, recording files should not be on unauthenticated servers, and end-users should protect links to recorded meetings with ‘some form of authentication.’ This advice is something I recommend every enterprise using third-party conferencing tools to adhere to – it could mean keeping private information where it belongs.
