Cisco cries foul over security flaw in Zoom Connector
Cisco slammed rival Zoom for a security lapse that left the management portals of many video devices exposed to the public internet. It's an unusually public spat between two of the industry's leading video conferencing providers.
The dispute revolves around Zoom Connector, a gateway that connects standards-based video devices to the Zoom cloud. In addition to providing a management portal for the hardware, the service makes it possible to join Zoom meetings with one click.
The Zoom Connector previously allowed anyone with the correct URL to access the admin portal for Cisco, Poly and Lifesize devices from the public internet without login credentials, according to Cisco. That would have let a hacker commandeer a company's video systems, potentially allowing them to eavesdrop on conference rooms.
Zoom released a patch last week that password-protected access to the control hub via those URLs. But in a blog post this week, Cisco said the quick fix did not go far enough, alerting customers that Zoom's connector service did not meet Cisco's security standards.
To create the connector, Zoom built a link between the Zoom cloud and a Cisco web server running within a corporate network, said Sri Srinivasan, general manager of Cisco's team collaboration group. The configuration provides a point of access to the endpoints that lies outside the network firewall.
"You don't want to have firewall settings open for a management interface of this sort, even [when] password-protected," Srinivasan said.
Similarly, in a statement Tuesday, Lifesize said it considered Zoom Connector an unauthorized integration "built in an inherently insecure way." However, the company concluded that the security flaw spotlighted by Cisco did not put customers in immediate risk.
In a statement Tuesday, Zoom said it considered the issue fully resolved. While insisting customers were safe, Zoom said it did advise companies to check device logs for unusual activity or unauthorized access.
Zoom added that it was not aware of any instances of hackers exploiting the vulnerability. The URLs necessary to access a device's management portal are long and complicated, similar to a link to a Google Doc or an unlisted YouTube video. Most likely, a hacker would have needed to first gain access to an admin's browser history to exploit the flaw.
Zoom has come under fire before for security shortfalls. Experts criticized the vendor in July for quietly installing a web server on Mac computers. The software left users vulnerable to being forcibly joined to a meeting with their video cameras turned on.
Cisco has raised issues with Zoom about the connector in the past, but only became aware of the URL vulnerability on Oct. 31, Srinivasan said. A customer who wished to remain anonymous reported the problem to Cisco and Zoom around the same time, he said. Zoom patched the issue on Nov. 19, one day after Cisco said it contacted the company about the problem.
Adding fuel to the fire, Zoom has been using the Cisco logo on its connector's admin portal. Cisco said this likely led customers to believe they were accessing a website supported by Cisco.
"This has been going on for a long, long time," Srinivasan said. "Now, we know better to make sure we check everything Zoom does."
But it seems unlikely Zoom will heed Cisco's directive to obtain certification of the service. The vendor has a financial stake in the matter, as it charges customers $499 per year, per port for Zoom Connector.
Zoom has emerged in recent years as perhaps Cisco's biggest competitor in the video conferencing market. Eric Yuan resigned as Cisco's vice president of engineering to start Zoom in 2011. Yuan was one of the chief architects of the Webex video conferencing software that Cisco acquired in 2007.
In the coming months, Cisco is planning to release a SIP-based integration for Zoom and other leading video conferencing providers. The technology would let users join third-party meetings with one click from a Cisco device.
Cisco already supports SIP-based interoperability. But taking advantage of it requires businesses to build an integration themselves or pay for a third-party service. Srinivasan said the forthcoming SIP integration would eliminate the need for a service like Zoom Connector
Industry: Unified Communications
- IDAM Business Analyst - Home based
- Upto £500 per day
IDAM Business Analyst is required for a global retailer who are currently going through a global transformation of their IDAM solution This would be a rolling 3 month contrat estimated to be at least for 12 months YOu will be responsible for Creating process roadmaps and company strategy for Identity Management. Analysing and defining the client's needs and conducting a gap analysis to define areas of improvement/weakness in order to provide solutions that are in line with security best practices. Managing stakeholders from both the business (application owners) & Technology (IT Risk, Audit). * IAM subject matter expertise. Creat process diagrams to explain and demonstrate the IAM framework to end-users. We are looking for an experienced Business Analyst who has been involved in an IAM transformation where they have moved the business from one vendor to a new vendor. Experience with any of these vendors would be advantageous, Saviyant, Sailpoint, Okta, OR IBM
- REMOTE Cyber Security Operations Engineer. UK
- United Kingdom
CH8196 REMOTE Cyber Security Operations Engineer. UK Internal opportunity. New position. Exclusive to DCL Search. You will be the hands on technical eyes and ears of the Cyber security capability actively working to ensure and enhance the adherence to ISO27001 and SOC 2 controls. You role will touch on the following o Security Monitoring- Threat Analysis, Maturing monitoring capability. Utilising SIEM tools o Vulnerability Management- Identifying threats to internal assets- working with internal teams to patch. § Cloud based vulnerability tool experience preferred. o Access Control Management- Mature policy and process of RBAC. Ideally AWS KMS experience. o Vulnerability Testing- Aiding with Pen test scoping in line with identified vulnerabilities. Working internally to plan and track remediation actions. o Security Incident Management- Triaging alerts, evidence capture, escalation, diagnose and fix. o Working within a Cloud based environment. Ideally AWS. o Security Patch Management Support & Assistance – Approach methods, solutions, and policy alignment. o Disaster Recovery planning o Change Management Any CLOUD SIEM experience highly desirable. Contact me today for more information Chris.Holt@dclsearch.com / 07884666351
- Senior Product Developer, Microsoft.NET, Remote working
- Upto €80,000 plus benefits
- Senior Product Developer, Microsoft.NET, Remote working
- Upto 65,000 plus benefits