
‘War Dialing’ tool exposes Zoom’s password problems - feross
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/
======
cs702
One positive thing about all these horrendous security flaws that have been
recently discovered in Zoom, due to its popularity, is that the company seems
to be taking them seriously, recently instituting a feature freeze to focus on
fixing them: [https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/](https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/)

As a consequence, I suspect Zoom's security is more likely than not to improve
going forward... although it will surely take a long while. Security is
_Capital-H Hard_.

Also, I cannot think of any other multi-video-conferencing solution that "just
works" and has been as thoroughly stress-tested and attacked by bad actors in
the wild at such a large scale. If Zoom does a decent-to-good job fixing all
the security issues, it looks likely to continue to dominate its market.

~~~
RobotCaleb
Why do people keep saying it just works? It just works if you install their
app, probably. But audio doesn't work at all in Firefox. That's not really
just works for me.

~~~
wutbrodo
Yea, Hangouts is a lot more "it just works" than Zoom is for me. That being
said, the quality of the actual calls on Zoom is _way_ better than Hangouts.

~~~
devin
I mean, I don't really know how "consistently high call quality" is not the
most important feature of any video chat application. My experience on
hangouts has always been garbage. Delays, choppy sound, my machine starts
going insane while rendering other people's live video. It may just work in
the sense that you can immediately use it, but if even 20% of the time you use
it the call quality sucks, then it's a crap product IMO.

~~~
wutbrodo
> It may just work in the sense that you can immediately use it, but if even
> 20% of the time you use it the call quality sucks, then it's a crap product
> IMO.

"it just works" doesn't mean "its a superior product". I use Zoom over
hangouts whenever I'm on a call with more than ~3 people, but automatic gcal
integration + being fully functional from a browser means that hangouts makes
more sense sometimes.

(I also don't have nearly the amount of issues you do with hangouts. The
biggest problem for me is how much worse they handle crosstalk, which isn't an
issue when there are only a couple of people on a call.)

------
crazygringo
I worked in videoconferencing for a while. When it comes to meeting
identifiers, striking the right balance between ease of use and security is
really hard.

On the one side, maximum ease-of-use is a name or code short enough for
someone to say over the phone. "Here, just jump into the videoconferencing
meeting 'mikefred' or 'john10' or '39584'". That works particularly well for
small meetings where it's immediately obvious if someone else joins and you can
stop talking and ask them who they are and kick them out if they shouldn't be
there.

On the other hand are long random identifiers in a space large enough they're
impossible to guess. If you're joining a meeting from a link then nobody
cares, but if you're telling someone over the phone or typing it into the
phone it _sucks_. (And you are _very often_ needing to jump from one form of
communication to videoconferencing, where there's no way to "just paste a
link" into the initial form.)

There's also no real difference between a short meeting name plus password and
a long meeting name, except that passwords tend not to be displayed on screen
so it's even harder to find it to tell someone over the phone.

Also there's another big issue in how easy or convenient you make it for
people from within your domain/company to join, versus outsiders. Half the
company wants to make it harder for outsiders to join (for security), the
other half (salespeople) want it to be easier.

The only solution, unfortunately, is educating users to understand the
differences. Zoom already has most if not all the necessary options, even
modes like "waiting room". But the same options will never work for every
meeting. Whoever hosts a meeting needs to understand the options. There's just
no substitute.

~~~
kelnos
This is a really good point, and I actually sympathize with how difficult it
is for Zoom to strike the right balance here.

If the only method of operation here were for people to invite others by
copy/pasting a URL, and the invitees' only method of joining were to click on
that link, then long UUIDs or such would be just fine.

But Zoom lets you dial in audio-only from a regular phone. You simply just
cannot use "long random string" as an identifier if you're expecting someone
to punch it into a telephone keypad. Even having a 9- to 11-digit meeting
code plus say a 6-digit passcode would be a burden for some people, though
it's really the only way to do that portion of it right.

Now, one thing I do _not_ cut Zoom any slack for is having an API where you
can request validity and status of any meeting ID, without any rate limits
placed on it. That's Security 101 right there.

~~~
giovannibajo1
Meet has a 10-letter ID for meetings over HTTP and a 9-digit ID (like Zoom)
for phoning in. It sounds complicated but in practice every Meet invitation
has a single-tap phone link that dials the correct number _and_ inputs the
conference ID after a pause, all encoded in the link. It works flawlessly and
so it doesn't matter if that number is different from the conference URL you
click on a computer.

~~~
ars
You are assuming a cell phone that calls in. But lots of people dial in
manually from an actual telephone.

~~~
sagarm
Do you have any statistics on "actual phone" usage? I'd imagine it's very low
these days.

------
motohagiography
This is what technical debt gets you.

I really don't know that zoom has a lot or much at all, but I do know that the
number of viable solutions to this could be taken off the table internally
because they probably made tech debt commitments in their architecture during
their scale up phase that prevents bolting on obvious fixes. I have a lot of
sympathy for their position. They aren't evil or bad, but they could do a
massive mea culpa PR coup on the level of the netflix culture deck if they did
a case study retrospective about the effect of tech debt on scale at critical
moments.

It's also a product management fail, where that lack of transparency on
encryption is what a project-manager would pull, where a smarter product
manager would have weighed the cost of losing their e2e-crypto compliance
market.

I can also see why they have security issues because today, security people
are on a much longer tailed skill distribution than they were 10y ago and it's
hard to listen to most of us. Getting someone to approach it as, "ok, we get
that a 9-digit key is literally your product selling UX advantage, let's see
what else we can do" is exceedingly rare. Privacy has massive brand
implications. Remember blackberry? They launched a new flagship tablet product
while their CEO got into an issue with government surveillance and the story
became about their risk in India and Asian markets and not whatever that
product was called. Zoom's story is becoming about privacy problems too.

PMs need to be smarter about this.

~~~
softwaredoug
I think you overestimate the reliability of the alternatives.

Zoom focused all their early engineering muscle on reliability. When we build
new products, we don't have infinite resources to attack every front
simultaneously. We have finite resources to prove a concept, and we incur debt
in just about every other dimension.

Now that everyone is using them (precisely because of reliability) the
emphasis becomes other things - UX, security, etc.

Tech debt is what the 2nd generation of engineers gets to complain about after
the 1st gen made the product successful at something.

~~~
motohagiography
That last statement, I'm there with you on. Tech debt is necessary, it could
even be renamed "tech leverage," because that's what a lot of it is.

My thing is that there are tons of potential ways to mitigate zoombombing,
even incrementally, and that they haven't or chose not to indicates it's
because there were cost barriers to doing it. It has the tech debt smell, and
it's what I've seen in other orgs.

~~~
aembleton
Do any of those potential ways impact on the ease of use of Zoom? Do they make
it harder to join a meeting?

~~~
motohagiography
There is a basic information problem, where good people have it and bad people
don't. You don't need cryptographically strong approaches, you just need speed
bumps that impose costs on specific classes of attacker that disrupt their
economy of scale. It's not a secrecy solution, it's an economic nudge.

Then there are ones with vs. without user interaction.

Without user interaction:

- rate limit join attempts so that you at minimum need proxies or a botnet to
guess room names.

- do a simple entropy measurement of multiple attempts and rate limit
anything that exhibits symmetry or monotonicity.

- add a "correct battery horse staple" style key to the url instead of or in
addition to the 9 digit pin so the link is not easily guessable, but still has
the mnemonic quality for people entering it manually.

- static personal room IDs only work with a passwd/token (not pin) whereas
ephemeral ones can be chosen from a much larger search space. (yes, just add
entropy)

- free sessions limited to 40mins or whatever should select from a name space
large enough it will take a botnet to hit even one ephemeral session in the
40min timeframe.

- separate the invite link from the login link so that session owners can
specify that the user needs to click from their email invite so it gets bound
to the browser, and Zoom can set a token before redirecting them to the
live session.

with user interaction:

- Obvious one would be a user PIN for ephemeral room IDs.

- Next obvious would be to choose a real security protocol and key management
scheme
([http://www.lsv.fr/Software/spore/index.html](http://www.lsv.fr/Software/spore/index.html))

The rest of the user-interactive ones are an exercise for the reader, as those
are all solved problems.

The challenge is that they require keeping logical state at the application
layer, which is specifically the kind of complexity you avoid in your scale-up
architecture - and it burns you down the road.
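The "entropy measurement of multiple attempts" speed bump in the list above, as an added example that is not code from the thread or from Zoom: a per-client sliding window over attempted meeting IDs that flags a client whose IDs step through the space in order or with one fixed stride. The event format and the sample log are constructed for the example; a real deployment would key on source IP, account or device token and feed this from its join-request log.

```python
"""Added example, not code from the thread or from Zoom: flag join-attempt
streams that show the "symmetry or monotonicity" of a meeting-ID scanner.

Assumptions (constructed for this example): join attempts arrive as
(client_key, meeting_id) pairs, e.g. from a join-request log.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

WINDOW = 8          # recent attempts remembered per client
MIN_ATTEMPTS = 6    # attempts needed before a verdict is possible
SMALL_STEP = 10     # |delta| <= SMALL_STEP counts as stepping through IDs


def _longest_step_run(deltas: List[int]) -> int:
    """Length of the longest run of same-direction small steps between IDs."""
    best = run = 0
    prev_sign = 0
    for d in deltas:
        sign = (d > 0) - (d < 0)
        if sign != 0 and abs(d) <= SMALL_STEP:
            run = run + 1 if sign == prev_sign else 1
        else:
            run = 0
        prev_sign = sign
        best = max(best, run)
    return best


def is_scanning(ids: List[int]) -> bool:
    """True when a sequence of attempted meeting IDs looks enumerated."""
    if len(ids) < MIN_ATTEMPTS:
        return False
    deltas = [b - a for a, b in zip(ids, ids[1:])]
    # Rule 1 (monotonicity): small same-direction steps, e.g. ...001, ...002, ...003
    if _longest_step_run(deltas) >= MIN_ATTEMPTS - 1:
        return True
    # Rule 2 (symmetry): one fixed stride repeated, e.g. every 1000th ID
    nonzero = [d for d in deltas if d != 0]
    return len(nonzero) >= MIN_ATTEMPTS - 1 and len(set(nonzero)) == 1


class ScanDetector:
    """Per-client sliding window over attempted meeting IDs."""

    def __init__(self) -> None:
        self._recent: Dict[str, Deque[int]] = defaultdict(
            lambda: deque(maxlen=WINDOW))

    def observe(self, client: str, meeting_id: int) -> bool:
        """Record one attempt; True if this client now looks like a scanner."""
        ids = self._recent[client]
        ids.append(meeting_id)
        return is_scanning(list(ids))


def flagged_clients(events: Iterable[Tuple[str, int]]) -> Set[str]:
    """Run a whole join-attempt log through the detector; return flagged clients."""
    det = ScanDetector()
    return {client for client, mid in events if det.observe(client, mid)}


# Constructed sample log: one sequential scanner, one fixed-stride scanner, and
# one person who mistyped a meeting ID once and then got it right.
SAMPLE_EVENTS: List[Tuple[str, int]] = (
    [("198.51.100.7", 123450000 + i) for i in range(8)]
    + [("203.0.113.9", 500000000 + 1000 * i) for i in range(6)]
    + [("192.0.2.14", 314159265), ("192.0.2.14", 314159256)]
)

if __name__ == "__main__":
    print(sorted(flagged_clients(SAMPLE_EVENTS)))  # the two scanners only
```

A flagged client is what the "rate limit anything that exhibits symmetry or monotonicity" item would then throttle; the thresholds are deliberately loose so that a person retyping a digit or two never trips the rule, while a scanner is caught within its first six attempts.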

------
varelaz
TLDR: With a 17-digit meeting ID, a password is not needed at all. A 17-digit
meeting ID is the same as protecting an 11-digit number with a 6-digit
password. So basically that's the trade-off. One could say that a password is
not the same as a meeting ID, but usually they are both sent in one
email/message and their lifetime and protection are equal. Also it's easier to
input one number than two different ones.

~~~
diebeforei485
Please don't think of this in entropy terms alone. There is a massive
usability difference between the two.

~~~
jascii
I'm not sure I understand your point. The usability of clicking a link stays
equal regardless of the amount of digits in the ID. Adding a password reduces
the usability.

~~~
dewey
An important Zoom feature is that you can dial in from a regular cell phone /
landline and conference phones. That's one of the selling points of Zoom.

~~~
antoncohen
But when joining a Zoom call from your phone you dial a number, then enter the
meeting ID. The meeting ID has the same number of digits as a US phone number,
but it isn't the number you dial. The calendar invites generated by Zoom
format the number + meeting ID in such as way that a user can tap them and it
will dial the number _and_ enter the meeting ID.

Basically, in both cases (computer/app or dial-in), increasing the number of
digits of the meeting ID has very little impact on the users. Forcing a user
to enter a password after joining (which is just more digits) does impact the
user.

~~~
kube-system
>Basically, in both cases (computer/app or dial-in), increasing the number of
digits of the meeting ID has very little impact on the users.

It is a frequent use-case that people join meetings from devices that are not
running a calendar application, or the calendar does not have the meeting
invite.

For example: conference rooms.

------
Twirrim
I feel a little bit sorry for the Zoom devs. All of a sudden there are a _lot_
of eyes on Zoom. Every design decision and mistake are under a big microscope,
while also presumably having to deal with some major scaling.

~~~
tpmx
It's a ~2k person company with a market cap of $34B. So the valuation is $17M
per employee.

I don't feel sorry for them.

Also: this crisis is giving them vast amounts of marketing for free.

I'm based in Sweden. I was just vaguely aware of Zoom until a few days ago -
now I suddenly hear of them all of the time from Late Night hosts on Youtube.

~~~
Twirrim
The developers are still people. Doesn't matter the size of the company, it's
still a bunch of individuals who are likely suddenly dealing with a lot of
stress and pressure that could never have been predicted, or have opportunity
to scale up their engineering to meet.

~~~
tpmx
Yeah.. no.

Only on HN could these winners become "victims".

~~~
jeffhuys
> Only on HN could these winners become "victims".

Maybe because the users on here have a unique perspective on developers /
development?

------
kardos
Zoom is pretty lucky to get so much free security scrutiny. I hope they make
the most of it and fix all of these issues..

~~~
floatingatoll
Three of the big issues reported in the past week have also been corrected in
the past week, so they’re certainly trying.

------
catalogia
> _" KrebsOnSecurity is not naming the companies involved"_

This chart suggests that one of the companies they found was an aerospace
company: [https://krebsonsecurity.com/wp-content/uploads/2020/04/zwardialmeetingsbyindustry.png](https://krebsonsecurity.com/wp-content/uploads/2020/04/zwardialmeetingsbyindustry.png)

I wonder if this is related to the news yesterday that SpaceX has banned the
use of Zoom.

~~~
moftz
SpaceX seems big enough that they pay for a self-hosted meeting suite. I've
worked at a couple places that use WebEx that is self-hosted. You can only
access it via dialing the number (from any phone) or by being on the VPN to
see the shared presentation. Trying to log into the public version of WebEx
gives you an unknown user error. Someone could still wardial their way into
the call but it would require getting the non-public phone number and guessing
the meeting number AND possibly guessing a meeting password.

------
0xff00ffee
It's 1985 all over again: I'm in my bedroom running a ProDOS wardialer on my
300/1200 baud AppleModem; I have found zero computers, but it is fun watching
the numbers flick past, hoping that I, too, can discover a WOPR and start
global thermonuclear war.

~~~
softwaredoug
Yeah but this time, it's as easy as guessing a world leader's Zoom meeting, and
tricking them into believing something preposterous.

~~~
chefandy
Modern Version: "Shall we play a game?" "Love to" "‼To play Global
Thermonuclear War, you must first update your flash player. Click here‼️"

~~~
the_af
An even _more_ modern version:

"Shall we play a game of Global Thermonuclear War?"

"Sure!"

"Updating Steam client... It seems you're connecting from a new device! Please
check the 2FA code sent to your email... Downloading more updates... Here are
some popups about unrelated games... Please register an account with MS Game
Live!... Downloading patches... [error in wopr.dll]"

------
rsync
Shout outs to l0pht and cdc, but not to Minor Threat[1] ?

[1]
[https://en.wikipedia.org/wiki/Chris_Lamprecht](https://en.wikipedia.org/wiki/Chris_Lamprecht)

------
devit
Not a good idea to use 9 to 11 digit long IDs with no password requirement by
default; they should have used at least 128-bit random ids, i.e. 21 character
long base64-encoded strings.

~~~
umvi
Yeah but then it sucks for people calling in to have to punch in a 21+
character long meeting ID

~~~
josteink
> Yeah but then it sucks for people calling in to have to punch in a 21+
> character long meeting ID

I may be out of touch with the average biz-guy, but how many people are
realistically calling in manually, over traditional phone-lines these days?

Is it really a significant percentage?

~~~
randycupertino
Working in global research, 40% of our ROW (rest of world) sites and vendors
use landline or cell phones to join our meetings, depends on their
institutional security and IT settings.

~~~
lonelappde
Smart phones can dial a long code in software. Only dumb phones and landlines
can't.

~~~
kube-system
Some smartphones, using some applications, and some input devices, can dial
some long codes.

Jim from sales who is dialing in from his company's oddball calendar app over
Bluetooth on the infotainment system in his rental car probably can't.

------
saagarjha
Not having password protection enabled seems like an unfortunate default, but
I guess it's not that surprising given the number of "barriers" that Zoom
attempts to bypass when you join a call.

------
jascii
I always wondered why teleconferencing systems don't incorporate a workflow
where people connecting in need an approval from the organizer before actually
entering the meeting.

~~~
zwily
Most do, but in Zoom it’s off by default. (Waiting room)

~~~
bronson
And it's a responsibility/pain for the facilitator when it's on. Often they'll
be caught up in the meeting and leave anyone who arrived 3 minutes late to
spend the rest of the meeting waiting to be admitted.

------
kerng
Maybe naive, but why doesn't Zoom do something like SSO? Why is the identity
of attendees not validated? Wouldn't that solve the problem?

~~~
hrrsn
Then they'd need to charge extra for the SSO tax ;)

[https://sso.tax](https://sso.tax)

------
fock
I think a tool which is basically yet another webchat-solution but tries to
push their omnipotent app onto you, no matter what, has some issues beyond
security. All the "user"-friendly execution looks like some 2002 Nigerian
adware. I guess user-friendly is really easy if your app can never be closed
(not sure about that), can't be uninstalled and you nag the user twice to
actually really start that app before allowing to use a runtime under his/her
control.

------
heipei
Oh the number of times I've been on 20+ people Zoom meetings which were
interrupted after a minute by someone asking "Hold on folks, who is the phone-
user who just dialed in?" Or whenever someone connected who had the wrong nick
set (happened on Linux) and hadn't turned the video on yet, which basically
meant the conversation stopped until the new arrival had identified himself.

------
elwell
Chatroulette Zoom Edition

------
twistedpair
Why doesn't Google Hangouts/Meet have this issue?

~~~
beckingz
Hangouts has this issue as well.

------
momo156
Zoom is not showing real effort to hunker down on privacy, and it can feel the
consequences as its stock is already down by 8% over the week.

------
andrewstuart
How hard is this for them to fix?

~~~
diebeforei485
Generating a random 6-digit passcode for each meeting by default? Not hard at
all.

Rate-limiting incorrect password attempts could take a bit longer to
implement, but still not a particularly difficult problem to solve.
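Both pieces of that answer, a random 6-digit passcode per meeting and a limit on wrong attempts, as an added example that is not Zoom's code. It also answers an unknown meeting ID exactly like a wrong passcode, so the same endpoint cannot be used to learn which IDs are live (the unrated "meeting validity" API complained about earlier in the thread). The (meeting_id, client) key, the explicit `now` argument and the sample meeting ID are constructed for the example; a real deployment would also key on account or network source and keep the state in shared storage rather than in one process.

```python
"""Added example, not Zoom's code: per-meeting random passcode plus a limit
on wrong attempts, with unknown meeting IDs answered like wrong passcodes.

Assumptions (constructed): attempts are keyed on (meeting_id, client_key) and
the caller passes the current time so the logic is deterministic to test.
"""
import hashlib
import hmac
import secrets

PASSCODE_DIGITS = 6
MAX_FAILURES = 5        # wrong attempts tolerated inside one window
WINDOW_SECONDS = 300    # failures older than this are forgotten
LOCKOUT_SECONDS = 900   # how long the (meeting, client) pair stays locked


def new_passcode(digits: int = PASSCODE_DIGITS) -> str:
    """Uniformly random numeric passcode from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def passcode_digest(meeting_id: str, passcode: str) -> bytes:
    """Keep a digest rather than the passcode; the meeting ID acts as the salt."""
    return hashlib.sha256(f"{meeting_id}:{passcode}".encode()).digest()


class PasscodeGate:
    def __init__(self) -> None:
        self._digests: dict = {}        # meeting_id -> digest
        self._failures: dict = {}       # (meeting_id, client) -> failure times
        self._locked_until: dict = {}   # (meeting_id, client) -> unlock time
        # Compared against when the meeting does not exist, so the work done
        # and the answer are the same as for a wrong passcode on a live meeting.
        self._dummy = secrets.token_bytes(32)

    def create_meeting(self, meeting_id: str) -> str:
        code = new_passcode()
        self._digests[meeting_id] = passcode_digest(meeting_id, code)
        return code

    def try_join(self, meeting_id: str, client: str, passcode: str,
                 now: float) -> str:
        """Return 'admitted', 'rejected' or 'locked'."""
        key = (meeting_id, client)
        if self._locked_until.get(key, 0) > now:
            return "locked"
        expected = self._digests.get(meeting_id, self._dummy)
        if hmac.compare_digest(expected, passcode_digest(meeting_id, passcode)):
            self._failures.pop(key, None)
            return "admitted"
        recent = [t for t in self._failures.get(key, [])
                  if t > now - WINDOW_SECONDS]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"


if __name__ == "__main__":
    gate = PasscodeGate()
    code = gate.create_meeting("123456789")   # constructed meeting ID
    print(gate.try_join("123456789", "198.51.100.7", code, now=0.0))
```

With these constants a client gets five wrong guesses per five minutes before a fifteen-minute lockout on that meeting, so a 6-digit passcode holds up against online guessing even though its raw space is small; the lockout is per (meeting, client) rather than per meeting so one attacker cannot lock legitimate attendees out.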

~~~
chrismarlow9
I never understood "presenter will let you in" security. It's based on someone
letting me in if they recognize my recorded name and that I work there? Surely
that won't backfire in a world where everyone posts every detail about every day
of their life online. I mean who even uses LinkedIn anyway?

~~~
JadeNB
You can also require users to be authenticated (through SSO or other
mechanism) before they log in, which could defeat some impersonation attempts.

------
TheDesolate0
wow! haven't heard that term in a while.

we used to do this looking for modems to dial into.

~~~
aembleton
I remember WarDriving - driving around to pick up WiFi SSIDs. That was about
20 years ago.

------
_bxg1
[deleted]

~~~
saagarjha
That wasn't really arbitrary code execution.

------
markthethomas
[https://unicorn.computer/zoom-wins-malware-of-the-year-march-2020](https://unicorn.computer/zoom-wins-malware-of-the-year-march-2020)

------
afrcnc
Hey... I created a tool that can hack Zoom meetings faster.... let me tip
Brian Krebs about it and advertise it to the world.

I don't understand why this article exists. It's like a beacon for all the
bored skidz now.

