Published on December 18th, 2019

Hacking Zoom video conferencing using its smart display

According to a recently released report, the smart displays made by DTEN, a major hardware partner for the Zoom video conferencing service, are affected by vulnerabilities that, if exploited, would allow an attacker to disrupt Zoom sessions, hijack video streams and even collect notes written on the whiteboard of these devices, according to ethical hacking specialists.

The vulnerabilities were discovered last July by researchers at the security firm Forescout during an investigation looking for bugs in video conferencing hardware.

In total, the researchers reported five vulnerabilities, of which three have already been fixed, while two remained unpatched at the time of writing, although there is no indication of exploitation in the wild. “The hardware is being widely used to replace many older models of screens in video conferencing rooms,” Forescout specialists say.

One of the main weaknesses found during the investigation is that the DTEN system stores whiteboard exports in an Amazon Web Services (AWS) storage bucket that was apparently reachable from the public Internet without authentication. Because the exports were stored under sequential identifiers, anyone who had seen one export URL could retrieve PDF files of slides, screenshots and notes prepared by other customers simply by changing the number in that URL.

In addition, DTEN did not have HTTPS enabled on the server the devices communicate with, so traffic between a device and that server was sent in plaintext and could be read or tampered with by anyone on the network path. DTEN first fixed these issues on October 7, although similar problems surfaced a few days later. “For any threat actor, exploiting these vulnerabilities could be really easy,” says Elisa Constante, a Forescout researcher.
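The two storage-side weaknesses described above (sequential object keys in a bucket readable without credentials, and exports served over plaintext HTTP) can be checked with a short script before a device is put into a meeting room. The following is an added example written for this page, not code from the article, from Forescout or from DTEN. The hostname `example-exports.s3.amazonaws.com`, the object keys and the in-memory `SAMPLE_STORE` are constructed stand-ins for a real bucket, and `fake_fetch` stands in for a real unauthenticated HTTP GET.

```python
"""Audit an exported-document URL for two weaknesses: plaintext HTTP and
sequential object keys in a bucket that serves objects without credentials.

Added example with constructed data only; it makes no network requests.
"""
import re
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for an object store: path -> (readable without credentials?, body).
# The bucket name and keys are hypothetical, not DTEN's real layout.
SAMPLE_STORE: Dict[str, Tuple[bool, bytes]] = {
    "/whiteboards/1041.pdf": (True, b"%PDF room-A notes"),
    "/whiteboards/1042.pdf": (True, b"%PDF room-B notes"),
    "/whiteboards/1043.pdf": (True, b"%PDF room-C notes"),
    # How it should look: a private object under an unguessable key,
    # handed out only via short-lived pre-signed URLs.
    "/whiteboards/9Qy_z7LpR2vHd0sK1mXtWq.pdf": (False, b"%PDF room-D notes"),
}


def fake_fetch(url: str) -> int:
    """Simulate an unauthenticated GET: 200 public, 403 private, 404 missing."""
    path = urlsplit(url).path
    if path not in SAMPLE_STORE:
        return 404
    return 200 if SAMPLE_STORE[path][0] else 403


# Matches an object whose file stem is purely numeric, e.g. /whiteboards/1042.pdf.
# A random key such as 9Qy_z7LpR2vHd0sK1mXtWq.pdf does not match.
SEQUENTIAL_KEY = re.compile(r"(?<=/)(\d+)(?=\.[A-Za-z0-9]+$|$)")


def neighbour_urls(seed_url: str, span: int = 2) -> List[str]:
    """Derive the URLs of the `span` objects on either side of a sequential key."""
    parts = urlsplit(seed_url)
    m = SEQUENTIAL_KEY.search(parts.path)
    if not m:
        return []
    base = int(m.group(1))
    width = len(m.group(1))  # preserve zero padding such as 0042
    urls = []
    for n in range(base - span, base + span + 1):
        if n < 0 or n == base:
            continue
        path = parts.path[:m.start()] + str(n).zfill(width) + parts.path[m.end():]
        urls.append(parts._replace(path=path).geturl())
    return urls


def audit_export_url(seed_url: str, fetch: Callable[[str], int] = fake_fetch,
                     span: int = 2) -> Dict[str, object]:
    """Report plaintext transport, unauthenticated readability of the seed object,
    and every neighbouring object that is also readable without credentials."""
    return {
        "plaintext_http": urlsplit(seed_url).scheme == "http",
        "seed_public": fetch(seed_url) == 200,
        "enumerable_neighbours": [u for u in neighbour_urls(seed_url, span)
                                  if fetch(u) == 200],
    }


if __name__ == "__main__":
    for url in ("http://example-exports.s3.amazonaws.com/whiteboards/1042.pdf",
                "https://example-exports.s3.amazonaws.com/whiteboards/9Qy_z7LpR2vHd0sK1mXtWq.pdf"):
        print(url, audit_export_url(url))
```

Against a real deployment, replace `fake_fetch` with a function that issues an unauthenticated GET and returns the status code. A finding of `seed_public` plus a non-empty `enumerable_neighbours` list is the combination the article describes: any customer who has seen one export link can walk the bucket. The fix is on the storage side rather than in the probe: unguessable object keys, a bucket policy that denies anonymous reads, and time-limited pre-signed URLs for the legitimate download, which is what the last entry of `SAMPLE_STORE` models.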

The investigation also found two distinct ways in which an attacker on the same network as a vulnerable DTEN device could manipulate the video conferencing system to monitor all of its audio and video sources, and in some cases to take control of them.

If that is not enough, an attacker could reach that network remotely by exploiting other known vulnerabilities; once on the network, many further attack variants become possible, say the ethical hacking specialists of the International Institute of Cyber Security (IICS).

Another reason these flaws are considered highly serious is that DTEN devices are deployed in many major private companies and government agencies, including the U.S. Department of Justice (DOJ).
