What Happened: Cisco was notified of a serious security risk with the Zoom Connector for Cisco on October 31st, 2019 and followed our well-established process to investigate the issue. We believe Zoom had also been notified on October 31 or thereabouts. On November 18th, our CISO notified Zoom’s CISO of our findings and advised immediate action to address all security risks. I am sharing the details of this issue as we are committed to transparency and to protecting our customers in the constantly evolving security landscape.
The Zoom Connector for Cisco, owned and operated by Zoom Video Communications, connects their cloud to a customer’s internal network and specifically a Cisco Endpoint/Video Device and its management interface. The following represents the way the connector is set up to function and highlights the functional and security issues with the Zoom Connector for Cisco. For Cisco’s comments on the issue, please read yesterday’s post by Sri Srinivasan.
The Issue(s) Identified
The Zoom Connector for Cisco created the following critical security risks:
- The Zoom URL did not require credentials. Anyone with knowledge of the URL could access it from the public internet, allowing unauthenticated access to a Cisco Webex Device configured and managed through the Zoom Connector for Cisco. Once a person had the URL, they could reach the endpoint directly and control it, including creating a call from that endpoint to eavesdrop on critical business meetings.
- Zoom exposed Cisco Webex Devices to perpetual administrative exposure by placing itself between the user and the Cisco interface, modifying the Cisco webpage using unsupported methods through a Zoom URL, thereby bypassing all Cisco Security norms. The Zoom URL did not expire during our testing period. Even when the Zoom administrator changed their password, the Zoom URL managing the Cisco Webex Device lived on.
- The Zoom URL link did not get revoked if the Zoom administration password was changed or upon deletion of a Zoom administrative user. Thus, an ex-employee would continue to have access to the devices through the firewall from the public internet, if they had the Zoom URL stored in their history.
On November 19th, 2019, Zoom released a “bug fix” that partially addressed the security issues and, after further communication from Cisco, provided an email with incomplete information on the security risks to their affected customers.
Analyst Take: Zoom has had a strong start since the company went public and has received a lot of acclaim for its ease of use. But at some point the company’s somewhat lackluster approach to security has to be a bigger focus of analysts and enterprises.
Earlier this year, I highlighted a massive zero-day bug that Zoom had somewhat ignored and then swept under the rug until after its IPO. The company has seemingly since addressed the issue, but it is also worth remembering that Zoom took nearly 10 days to reply to the security researcher who discovered the bug and ultimately let the 90-day public disclosure period lapse. Not what I would call a best practice for handling security in a cloud app.
This time, on October 31, 2019, an unidentified third party brought attention to an issue with the Zoom Connector for Cisco and notified Cisco (and likely Zoom) of the issue. Cisco investigated the issue and essentially found that users were able to access the Cisco device without authentication using the Zoom Connector for Cisco service.
Note: This issue also impacted third-party hardware from Lifesize and Polycom through the company’s similar connector products for those solutions.
Authentication Should Be a Basic Function
This issue is shockingly simple. How in the world would an endpoint be set up to be accessed without any authentication? Even the worst home router setup would require a hacker to type Admin twice to gain access to the device. To me, this is a lack of attention to detail rather than a lack of capability. I have no doubt Zoom knows the importance of authentication. Furthermore, Zoom knows the importance of interoperability. The fact that the Zoom Connector for Cisco exists is, in my opinion, proof. Which, again, is why I’m so alarmed that a bug like this could ever emerge. This is security 101.
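As an added illustration of the three failures Cisco lists above (a link that needs no credentials, never expires, and survives a password change or admin deletion), here is a constructed model of how a device-management link can be issued and checked so that none of those three holds. This is example code written for this column, not Zoom’s or Cisco’s implementation; the class, field names and `connector.example.invalid` host are all hypothetical.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed model (not Zoom's or Cisco's code) of a device-management link that
# needs a session, expires, and dies with the admin's password or account.
class ConnectorLinkService:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.admins = {}  # admin_id -> {"pw_version": int, "active": bool}
        self.links = {}   # sha256(token) -> {"admin", "device", "pw_version", "exp"}

    def add_admin(self, admin_id):
        self.admins[admin_id] = {"pw_version": 1, "active": True}

    def issue_link(self, admin_id, device_id, now):
        admin = self.admins.get(admin_id)
        if admin is None or not admin["active"]:
            raise PermissionError("only an active admin can mint a link")
        token = secrets.token_urlsafe(32)
        # Store only the token hash; the raw token travels once, in the URL.
        self.links[hashlib.sha256(token.encode()).hexdigest()] = {
            "admin": admin_id, "device": device_id,
            "pw_version": admin["pw_version"], "exp": now + self.ttl}
        return f"https://connector.example.invalid/device/{device_id}?t={token}"

    def change_password(self, admin_id):
        self.admins[admin_id]["pw_version"] += 1  # voids links minted under the old password

    def delete_admin(self, admin_id):
        self.admins[admin_id]["active"] = False

    def authorize(self, url, device_id, session_admin, now):
        """Return (allowed, reason); the link alone never grants access."""
        if session_admin is None:
            return False, "no-session"        # the URL must be paired with a login
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        rec = self.links.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec["device"] != device_id:
            return False, "unknown-link"
        if rec["admin"] != session_admin:
            return False, "session-mismatch"  # link is bound to the admin who minted it
        if now > rec["exp"]:
            return False, "expired"           # links do not live forever
        admin = self.admins.get(rec["admin"])
        if admin is None or not admin["active"]:
            return False, "admin-deleted"     # deleting the admin revokes the link
        if admin["pw_version"] != rec["pw_version"]:
            return False, "password-changed"  # so does changing the password
        return True, "ok"
```

Each denial reason maps to one of Cisco’s bullets; an audit log of these reasons is also the natural place to spot stale links still being replayed after an admin leaves.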
A Partial Fix?
As of the 19th, it appears the bug was partially fixed. The specific vulnerability of not authenticating the device URL they create has been fixed. However, there are still issues with the overall security of the architecture, which does not use Cisco’s supported APIs. Essentially, the way it is done today, Zoom uses the web interface as an API, and that is not the intended use of a web interface. Most users wouldn’t realize it is a degraded web interface, because it is set up to look like a Cisco interface. Let’s look a bit closer at that…
Update: Zoom is contesting this and states that it does in fact use Cisco’s native APIs. I have requested documentation from Zoom for more clarity on the matter, and upon receiving feedback and speaking to both parties I will provide further comment.
That Rather Questionable Web Interface
Another smaller, yet somewhat puzzling issue is the way Zoom approached the web interface for Cisco. Apparently, Zoom provided a landing page that copied Cisco’s landing page, including Cisco’s logo and branding marks, misleading customers into believing they were on a Cisco webpage with Cisco security, rather than a publicly accessible URL.
To me, this seems like a “phishy” way to mislead customers, which makes me wonder why the company would do that. It took some effort to emulate a Cisco web interface, and the company lost its own opportunity to brand its “Connector” by handling it that way.
Cisco mentioned a degraded web interface, which may be why the Cisco branding would be used: to make it look like a degraded Cisco experience rather than a poor Zoom experience?
Zoom, Get it Together
I know enterprise applications in the cloud are growing in importance and Zoom has been overall well received. However, for the enterprise and its CISO/CIO that should be dialed in on security, it is starting to look like security just isn’t as important to Zoom as it needs to be. Between the handling of the zero-day and this newest vulnerability, I’m bearish on Zoom as an “enterprise” solution until the company can show that it takes security as seriously as its more established enterprise counterparts like Cisco and Microsoft.
Enterprise ITDMs should be watching the handling of this issue to make sure that Zoom prioritizes patching it to include authentication. With collaboration continuing to gain momentum, and with the sensitive data that is shared over these platforms, companies should want to utilize proven secure collaboration platforms to reduce the risk of data breaches and the exposure such breaches may create.
A good-enough approach to security isn’t good enough. Zoom has built a product that users like to use; if the company focuses on securing the product, it will make the product all that much better.
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.