Event Details

Security Advisory: Insecure Default Dial-In Settings for Zoom Enterprise Users



By Itzik Kotler, SafeBreach CTO and Cofounder

October 14th, 2020

Zoom has addressed security concerns, specifically with Zoombombing, by implementing a passcode option when scheduling conference calls. Organizations have quickly adopted the feature and even mandated that all conference calls be set up with a passcode to ensure the confidentiality of their business. This Security Advisory addresses a related Zoom security flaw, due to misleading settings, that organizations should not overlook. In Zoom, the natural workflow for users is to enable the passcode requirement from their Zoom client, but this workflow addresses adding a passcode to the URL link only, and does not enforce or require a passcode for participants accessing meetings by phone. An additional step is needed to enable the passcode for phone dial-in participants. The user must enable, from the settings page in their Zoom web portal, the ‘Require passcode for participants joining by phone’ setting. This will prevent unwanted participants, aka Zoombombing, from joining the conference audio.

Zoom has addressed this design issue by turning this setting on by default for new accounts, but existing Zoom users need to be aware and make the correct configuration updates.

Affected Products:

Zoom Phone, Zoom Video Webinar, Zoom Rooms (aka. Enterprise) by default .

Details:

In Zoom it’s possible to set up a passcode to only allow invited people (i.e., via sharing a URL that includes the password) to join a given conference call. Here’s how a typical Zoom meeting invitation text would look like:

--

Join Zoom Meeting
https://<CUSTOMER>.zoom.us/j/<ID>?pwd=<ENCRYPTED PASSWORD>
Meeting ID: <ID>
Passcode: <PASSWORD>
One tap mobile
+16699006833,,<ID># US (San Jose)
+13462487799,,<ID># US (Houston)
Dial by your location
+1 669 900 6833 US (San Jose)
+1 346 248 7799 US (Houston)
+1 253 215 8782 US (Tacoma)
+1 312 626 6799 US (Chicago)
+1 646 558 8656 US (New York)
+1 301 715 8592 US (Germantown)
Meeting ID: <ID>
Find your local number: https://.zoom.us/u/kEAsSZEDM

--

However, by default, the passcode will not be enforced via the dial-in option. In other words, an attacker can dial in like any legitimate attendee (i.e., one tap mobile) and/or brute force the meeting ID (which sometimes it doesn’t change, in the case of PMI: Personal Meeting ID) and succeed in joining the conference call audio.

Zoom has addressed this issue by turning this setting on by default for new accounts only.

Timeline:

  • Initial reach out to Zoom on Friday, May 15, 2020
  • Vendor response on Friday, September 18, 2020
  • Advisory released in coordination with Zoom on October 14, 2020

Vendor Response:

The setting to require passcodes for dial-in users is now enabled by default for all new accounts.

To adjust this setting, users may:

  1. Log into the Zoom web portal and navigate to Settings.
  2. Toggle the “Require passcode for participants joining by phone” setting to on or off. When enabled, a numeric passcode will be required for people dialing into meetings by phone--if your meeting has a passcode. For meetings with alphanumeric passcodes, a numeric version will be generated.