Now patched by Cisco, three flaws in Webex would have given intruders full access to a meeting without being seen, says IBM.
With the coronavirus lockdown and the shift to remote working, organizations depend more than ever on virtual meeting and video conferencing tools. Those tools therefore need to be secure, resistant to abuse, and patched quickly when vulnerabilities are found. Three flaws in Cisco's Webex platform could have let uninvited people "ghost" meetings: take part in the call without appearing on the participant list.
As described in a blog post published Wednesday, IBM Research discovered the three flaws and shared its findings with Cisco, which then built and deployed patches for them. Before the fixes, the vulnerabilities affected Webex Meetings as follows:
- Join a Webex meeting as a ghost. This flaw would have let someone join a meeting with full access to audio, video, chat, and screen sharing without being shown on the participant list.
- Stay in a Webex meeting as a ghost after being expelled. This flaw would have let an intruder who had been expelled by the host remain in the meeting as a ghost, still connected to the audio.
- Gain access to information on meeting attendees. This flaw would have let a person in the meeting lobby view the full names, email addresses, and IP addresses of participants without ever being admitted to the call.
Cisco released security advisories for the three vulnerabilities. IBM and Cisco agreed to withhold further technical details until all patches had been made available to users.
Cisco has patched the cloud-based Webex service, where no user action is required. For customers running Webex on-premises, the company has issued patches for Webex Meetings Server. Webex users should consult the following Common Vulnerabilities and Exposures (CVE) entries to learn more about the flaws and Cisco's fixes:
- CVE-2020-3441—Cisco Webex Meeting Information Disclosure Vulnerability
- CVE-2020-3471—Cisco Webex Meetings and Cisco Webex Meetings Server Audio Information Exposure Vulnerability
- CVE-2020-3419—Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability
IBM has also released a YouTube video with more information about the flaws and interviews with members of the research team.
Before they were patched, the flaws affected both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal Rooms are easier to target because their address is a predictable combination of the room owner's name and the organization name. According to IBM, attackers could also combine the flaws with social engineering, open source intelligence (OSINT), and cognitive overloading techniques.
The vulnerabilities lie in the handshake Webex uses to establish a connection between meeting participants. Normally, a Webex client and server "shake hands" by exchanging messages that carry attendee details, application information, the meeting ID, and other fields.
By manipulating those messages during the handshake, an intruder could ghost a meeting. IBM said it demonstrated the problem in the macOS, Windows, and iOS versions of the Webex Meetings application and on the Webex Room Kit appliance.
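The three flaws come down to three trust decisions a meeting server makes during and after the join handshake: whether roster visibility and admission come from the client's message or from the server, whether an unadmitted lobby session can read other attendees' details, and whether expelling someone also tears down their media session. The toy model below is an added illustration, not Webex code and not IBM's proof of concept. The page does not describe the real handshake fields, so the names here (`admitted`, `visible`, the session tokens, the `identity` argument and the sample addresses) are hypothetical; the constructed `ghost` handshake stands in for the manipulated messages the article mentions.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Participant:
    name: str
    email: str
    ip: str
    admitted: bool = False
    visible: bool = True


class VulnerableMeeting:
    """Hypothetical server: copies handshake fields into its state, starts
    media at handshake time and forgets the media session on expel."""

    def __init__(self):
        self.participants = {}   # session token -> Participant
        self.media = set()       # session tokens the media relay streams to

    def handshake(self, msg):
        token = secrets.token_hex(8)
        self.participants[token] = Participant(
            msg["name"], msg["email"], msg["ip"],
            admitted=msg.get("admitted", False),  # taken from the client as-is
            visible=msg.get("visible", True),     # taken from the client as-is
        )
        self.media.add(token)                     # streaming before admission
        return token

    def roster(self):
        # the roster hides whatever the client asked to hide: a ghost
        return sorted(p.name for p in self.participants.values() if p.visible)

    def lobby_view(self, token):
        # the caller's token is never checked: an unadmitted lurker sees
        # every participant's name, e-mail address and IP address
        return sorted((p.name, p.email, p.ip) for p in self.participants.values())

    def expel(self, token):
        self.participants.pop(token)  # roster entry gone, media still flowing

    def receiving_media(self, token):
        return token in self.media


class HardenedMeeting:
    """Same API, but admission, visibility and media delivery are decided by
    the server, the lobby leaks nothing, and expel revokes the session."""

    def __init__(self):
        self.participants = {}
        self.media = set()

    def handshake(self, msg, identity):
        # identity is what the server already authenticated; admission and
        # visibility fields in the handshake body are simply never read
        token = secrets.token_hex(8)
        self.participants[token] = Participant(identity["name"], identity["email"], msg["ip"])
        return token                              # no media until admitted

    def admit(self, token):                        # host action
        self._get(token).admitted = True
        self.media.add(token)

    def roster(self):
        return sorted(p.name for p in self.participants.values() if p.admitted)

    def lobby_view(self, token):
        me = self._get(token)
        if not me.admitted:
            return [(me.name, "", "")]             # own entry only, no e-mail or IP
        return sorted((p.name, p.email, "") for p in self.participants.values() if p.admitted)

    def expel(self, token):
        self.participants.pop(token)
        self.media.discard(token)                 # stop streaming, revoke token

    def receiving_media(self, token):
        return token in self.participants and token in self.media

    def _get(self, token):
        if token not in self.participants:
            raise PermissionError("unknown or revoked session")
        return self.participants[token]


if __name__ == "__main__":
    # constructed attacker handshake: asks to be admitted but invisible
    ghost = {"name": "ghost", "email": "ghost@example.invalid", "ip": "198.51.100.7",
             "admitted": True, "visible": False}
    v = VulnerableMeeting()
    g = v.handshake(ghost)
    print("vulnerable roster:", v.roster(), "ghost gets media:", v.receiving_media(g))
    h = HardenedMeeting()
    g = h.handshake(ghost, identity={"name": "ghost", "email": "ghost@example.invalid"})
    print("hardened roster before admit:", h.roster(), "media:", h.receiving_media(g))
```

The point of the hardened version is that every fact shown to other attendees (who is present, who is admitted, whose media is relayed) is derived from server-side state that the client cannot set in the handshake, and that expel revokes the session token rather than only deleting a roster row, so a client that keeps its socket open gets nothing further.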
To better protect their virtual meetings, organizations and users should consider the following recommendations from IBM. They are written with Webex in mind but apply equally to other meeting and collaboration tools.
Test new collaboration tools for security. Before selecting and rolling out a collaboration tool, test it to confirm it is secure and configured correctly for your organization.
Evaluate confidential call policies. Employees should evaluate the sensitivity of meetings when they're first scheduled. This can help determine what security practices are needed.
Use unique meeting IDs. If you're concerned about the sensitivity of your call, use a unique meeting ID instead of the standard personal meeting room name, which is often a predictable combination of the company and individual's name.
Implement meeting passwords/PINs. Use passwords or PINs so that only invited participants can enter your meeting.
Roll call. Start meetings with a simple roll call so you know who is on the call. This also surfaces participants who appear only as a phone number rather than a profile name, as dial-in and non-member joins allow.
Turn on notifications. Keep tabs on who enters the meeting room and take advantage of both visual and audio notifications, so nothing goes unnoticed.
End suspicious calls. If you think your meeting has been compromised, end it immediately. If you cannot, notify and mute all participants so they know not to disclose anything further. After the call, report the incident to the platform vendor and to your organization's legal and security teams.
Lock meetings. Configure meetings to lock automatically at the start of each call, so that anyone arriving later must request admittance rather than joining directly.
Restart meetings for back-to-back calls. When you hold consecutive meetings in the same room, end the first meeting and start a fresh one rather than letting the next group join the existing session.