The extra Zoom setting you may not know about to control access for phone-in attendees

What if I told you, that your Zoom meeting password does not apply to users calling in by phone?

Over the past several weeks the rest of the world has found out about the Zoom video conferencing system.  In this time of crisis, it has become essential for work, school, and even play. However, people have also been finding out about the security and privacy issues related to Zoom. I'm now going to share one more with you.

Trusted CI staff have discovered that, by default, meetings that have been protected with a meeting password do not require the password for users calling in by phone. There is an extra setting to control by-phone access and we think that this extra setting may not be not known by many Zoom users. Users who call in using one of the Zoom gateway phone numbers will not normally be prompted for a password. This potentially leaves sensitive meetings vulnerable to eavesdropping. Although this issue isn't a vulnerability in Zoom, it allows the users setting up meetings to create a vulnerability in their own meetings. It is a user interface and security awareness issue.

In order to enable password protection for by-phone users, you must locate the setting "Require password for participants joining by phone" as shown below, which in some interfaces may be located in the advanced settings.

Screenshot of the extra "by phone" setting to consider to protect a meeting

A second closely related issue is that enabling this "Require password for participants by phone" setting does not immediately change the configuration of existing meetings that have already been set up. The owner of the meetings must go into each meeting configuration, edit the meeting, and then save it without making any changes to the meeting. According to our observations, this regenerates the meeting and applies a phone password to the meeting. The phone password will be automatically generated and become part of the meeting invitation. You would then share this new password and meeting invite with your meeting participants who need it.

Trusted CI's test of faking a number

A third issue to be aware of here is that phone number caller id information can be faked. Although this is not new by any means, there has been little to no warning about this in relation to using Zoom. This vulnerability isn't Zoom's fault as the flaw exists in the design of the phone system.

However, because of this, you should not use a phone number in the participants list to authenticate a participant. A malicious user could change their number to that of an authorized user to avoid detection.

During our research into these issues, we found that most of the existing documentation outside of the Zoom website itself does not mention the "Require a phone password" extra setting that must be applied. Similarly, it is not obvious that this must be done when creating a meeting and setting a password, as there is no feedback from the interface that this must be done or that your meeting will not be fully protected.

The Zoom meeting password interface, showing no indicators of an extra by-phone setting.

Several of our security colleagues were also unaware of this extra "Require a password for by-phone users" setting, suggesting that the setting is unknown to most Zoom users.

Our recommendations for Zoom, the company,  is to add some type of indication near the meeting password setting that informs users that there is an additional setting for controlling access by phone and that Zoom should inform their existing install base about these issues.  Alternatively, this option should be enabled by default.

How Trusted CI discovered the issues

On February 26th, 2020, Mark Krenz set up a meeting with a colleague on the COSMIC2 science gateway project and set a meeting password to try to protect the meeting. When the colleague called in by phone, Mark asked the user if they needed a password to get in, which to his surprise, they did not. Mark then performed further testing of the issue with the help of Trusted CI members including Andrew Adams, Shane Filus, Ishan Abhinit, and Scott Russell. It was quickly found that changing the "require password by-phone" setting did not set it on existing meetings and that the existing meetings needed to be edited and re-saved. The team above wrote up a security report to send to Zoom, which was done so on March 6th through the hackerone.com website, which acts as a gateway for submitting such reports to companies. This meant that there was then a 30 day embargo on releasing this information to the public. During this time, the COVID19 crisis began to unfold in the western countries and people started heavily using Zoom. This almost immediately led to many reports of various unwanted incidents within Zoom meetings, so called Zoombombing,  and other vulnerabilities being discovered and announced. During this time we discussed the issue internally, met with Zoom to discuss the issue, and provided our recommendations for a way forward. We also monitored the media for any signs that this was being exploited, but found no direct evidence that it was being exploited. We also looked for these recommendations in news reports that were surfacing over the past month and found none that directly mentioned this issue.

Related links:

• https://zoom.us/security
• https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
• https://blog.zoom.us/wordpress/2020/03/27/best-practices-for-securing-your-virtual-classroom/
• https://www.nbcboston.com/news/local/fbi-warns-of-zoom-bombing-after-2-mass-schools-have-web-conferences-hijacked/2099692/
• https://www.forbes.com/sites/anthonykarcz/2020/03/29/do-these-4-things-to-keep-hackers-out-of-your-zoom-call/#149f3040486e
• https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/

Tips for avoiding "Zoombombing"

As COVID-19 has necessitated increased use of telecommuting solutions, there have been instances of public Zoom meetings getting hijacked, or "Zoombombed," by malicious actors. Zoom has posted a blog with many helpful tips to prevent unintended access to your meeting and/or meeting controls.

The most important tip is to prohibit open access to the screen sharing feature during your meeting. You can disable this setting in your account profile:

• Log into your Zoom account
• Click the "Settings" tab on the left side of the screen
• Search for "Screen Sharing"
• Under "Who can share?" change the setting from "Participants" to "Host Only" (see screenshot below)
• Save your changes

And when hosting a public meeting, do not use your personal Zoom Meeting ID. Create a separate meeting event for any link you share publicly.

Recommendations for reducing cybersecurity risk while working remotely

You're probably aware of the COVID-19 / coronavirus pandemic. As the pandemic continues to unfold, our research and security communities will be increasingly impacted.  Numerous conferences have been canceled, and it has already been made public that two people who attended the cybersecurity conference, RSA, tested positive for coronavirus. Many institutions are now recommending or even requiring students and employees to work from home. While you may already be prepared to deal with one or two staff members working remotely or being out sick, most organizations are unprepared for the majority of their staff suddenly being in these categories.  Thus, Trusted CI would like to share some critical risks that we think are relevant to this situation and provide recommendations for how to mitigate them over the coming weeks.  Here are some questions to help you consider these risks.

Do you have all the passwords you need?
As people switch to working from home or go on extended leave, they may take passwords with them that other staff do not have. Do they normally keep the superadmin password on a sticky note on their monitor and now can't access it? This is a good opportunity to quickly review who has access and that they will have the necessary credentials for working remotely. We recommend the use of password managers (such as KeePass, 1Password, LastPass, etc.) to keep passwords securely stored and readily accessible through online means.

How will backups be handled?
Backups may require physical presence to change disks or tapes, but may be difficult to manage remotely. Still, these backups are essential for being able to make a proper recovery from a security incident. You may first want to check with your institutional IT group to see if they have the ability to manage these backups for you to reduce the need to travel to work.

Is your regular office environment's physical space being monitored and access controlled?
Reduced staffing at your facility may increase the risk of unauthorized/unmonitored physical access to your systems and information. Locking doors is recommended and checking with your institutional security for their practices will help you understand what is being monitored and how unauthorized access is determined.  Consider letting your custodial staff know your plans as normal security procedures such as locking doors may lapse during crisis mode and become a problem. On the upside, the chances of tailgating happening in the next few weeks is near zero.

Are you leaving unpatched workstations running?
Some staff may need to leave desktop or workstation systems in an unattended office for a long period of time. If these systems are not running services required for normal operation, it is recommended that these systems be turned off to avoid them becoming a liability if a critical vulnerability is released while away. Upon returning to the office, you should enforce an immediate vulnerability scan on these systems and patch as necessary. Check with your local institutional IT staff to make sure this would not interfere with their operations as they may expect systems to be kept running to remotely backup and patch computers.

Do you have enough redundancy of staff?
Redundancy of staffing is always important, but with the coronavirus threat, there is an increased chance of redundant staff being affected as well, leading to lack of coverage. We recommend designating additional staff to be prepared to act in a maintenance or security role, if needed, as an additional redundancy.

Do you have a secure channel to communicate?
When direct interpersonal communications are no longer possible for sharing of sensitive  information, the need for having a secure online communication channel increases. We recommend that identifying a secure channel that can be used (for example, Signal, SMIME, PGP/GPG, or another one recommended by your institution) and testing this channel with your staff in advance of any need to use it.  This becomes especially important when you forgot to share an important password with other staff and have no way of securely communicating it.

Will you be able to meet without your normal teleconferencing?
Demand for videoconferencing is expected to be at an unprecedented high as online classes and meetings begin to utilize it. It is possible that your normal video conferencing meetings will be disrupted or unavailable for a period of time. It is recommended that you identify an auxiliary method of holding such meetings. Also, if you are not doing so already, set a password on your teleconferencing meetings if possible and test that it works to prevent unauthorized access.

Can you perform all the steps in an incident response remotely?
Now would be a good time to review your security incident response plan to ensure that all the steps can be performed remotely, and if not, come up with an alternative approach.

Do you have enough VPN licenses?
One common method of providing remote access for employees is through a virtual private network (VPN).  However, the increased remote activity could mean a shortage of VPN licenses, so now would be a good time to check the number of available licenses and ensure that it matches with the expected load over the next few weeks.

Is there a bastion host you can use for remote access?
Those who use SSH, RDP or similar for accessing servers remotely may want to consider the use of a bastion host to provide a control point. This is a safer alternative than opening up direct remote access ports on internal systems. However, rather than rushing to set up a new bastion server, instead look for an existing one that has been provided by your institutional IT or ask for their recommendations.

Do you have a secure working space at home?
For many, the next couple weeks may mean sharing your working space with family who are also working or attending school remotely. It's important to consider the potential for sensitive information in meetings to be overheard across meetings happening simultaneously. If you haven't already, it would be a good idea to find or setup an isolated space in your home for holding such meetings.

Be aware of new phishing tactics and scams.
There have been reports that attackers are taking advantage of the fear and demand for information about COVID-19 to spread malware. One such attack is the "Coronavirus map", which "had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser".

There are also additional resources that we've found online for raising your awareness about cybersecurity issues during the coronavirus threat that we're including in the list below:

• The World Health Organization's cybersecurity advice
• REN-ISAC: Maintaining IT Services During a Health Incident
• Coronavirus and the Cybersecurity Threat Landscape
• EDUCAUSE's COVID-19 resources page
• CDC's recommended steps to prevent illness