Skip to main content

Zoom vulnerability would have allowed hackers to eavesdrop on calls

Zoom vulnerability would have allowed hackers to eavesdrop on calls


Check Point Research says it figured out which random numbers were valid Zoom calls

Share this story

Getty Images/iStockphoto

Cybersecurity research company Check Point Research says in a report out today that it found security flaws in videoconferencing platform Zoom that would have allowed a potential hacker to join a video meeting uninvited and listen in, potentially accessing any files or information shared during the meeting. While Zoom has addressed the issue, the report raises deeper concerns about the safety of videoconferencing apps that require access to microphones and cameras.

Each Zoom call has a randomly generated ID number between 9 and 11 digits long that’s used by participants as a kind of address to locate and join a specific call. Check Point researchers found a way to predict which were valid meetings about 4 percent of the time, and it was able to join some, says Yaniv Balmas, Check Point’s head of cyber research. (They didn’t dive into the meetings themselves, Balmas stressed. Rather, they ended the calls at the “waiting room” screens.)

“It was sort of like Zoom roulette,” Balmas told The Verge. “The implications would be, if you’re having a video chat and have multiple members joining, you may not notice if someone who isn’t supposed to be there is sitting there listening to you.”

Since Zoom conference calls can accommodate “tens of thousands” of participants in one meeting, according to the company’s May IPO, it would not be hard for an attacker to sneak into a Zoom call unannounced if there were no screening measures in place.

Check Point didn’t find a way to connect a Zoom meeting ID with a specific user. So even if a bad actor gained access to a random meeting, they wouldn’t necessarily know whose meeting it was before they joined the call. The researchers didn’t find that someone accessing a Zoom meeting would have access to other users’ cameras or microphones.

Check Point disclosed the vulnerability to Zoom, and it says the company responded quickly to fix the issue. It replaced the randomized generation of meeting ID numbers with a “cryptographically strong” one, added more digits to meeting ID numbers, and made requiring passwords the default for future meetings. (A Zoom call with Check Point to discuss the research did not require me to enter a password before joining, however.)

It’s no longer possible to scan for random meeting IDs the way the Check Point researchers did; each attempt to join will load a meeting page, and repeated attempts to try to scan for meeting IDs will temporarily block that device from the platform.

A Zoom spokesperson said the issue Check Point identified was addressed in August, adding that privacy and security of its users was its top priority. “We thank the Check Point team for sharing their research and collaborating with us,” the company said.

San Jose-based Zoom, founded in 2011, has a market cap of just under $20 billion and customers in more than 180 countries. The company said during its third quarter earnings announcement last month that its customer base included 74,000 businesses of meaningful size, measured as a business with more than 10 employees.

Last summer, security researcher Jonathan Leitschuh discovered a zero-day vulnerability in Zoom on Macs that could have allowed a bad actor to hijack a user’s camera and live feed. The company eventually stopped using the local web server that created the vulnerability, but not after first defending it as a “low-risk” situation.

Balmas said the Check Point researchers were focused specifically on Zoom and its meeting ID numbers and did not investigate whether the vulnerability would be present in other video chat programs like Google Hangouts or Skype. But he cautioned that any videoconferencing platform has inherent risks, even if users take necessary safety precautions.

“We didn’t look at [other videoconferencing platforms], but what we found here is a shout out to them,” he said. “You must look out for these kinds of things, for ways that unauthorized users can gain access, for any application that has access to your microphone or camera.”

Today’s Storystream

Feed refreshed 5:33 PM UTC Striking out

Andrew Webster5:33 PM UTC
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.

The Verge
Andrew Webster4:28 PM UTC
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.

Andrew Webster1:05 PM UTC
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.

A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.

Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.

External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.

External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.

Spain’s Transports Urbans de Sabadell has La Bussí.

Once again, the US has fallen behind in transportation — call it the Bussí gap. A hole in our infrastructure, if you will.

External Link
Jay PetersSep 23
Doing more with less (extravagant holiday parties).

Sundar Pichai addressed employees’ questions about Google’s spending changes at an all-hands this week, according to CNBC.

“Maybe you were planning on hiring six more people but maybe you are going to have to do with four and how are you going to make that happen?” Pichai sent a memo to workers in July about a hiring slowdown.

In the all-hands, Google’s head of finance also asked staff to try not to go “over the top” for holiday parties.