Cisco cries foul over security flaw in Zoom Connector
.jpg)
Cisco slammed rival Zoom for a security lapse that left the management portals of many video devices exposed to the public internet. It's an unusually public spat between two of the industry's leading video conferencing providers.
The dispute revolves around Zoom Connector, a gateway that connects standards-based video devices to the Zoom cloud. In addition to providing a management portal for the hardware, the service makes it possible to join Zoom meetings with one click.
The Zoom Connector previously allowed anyone with the correct URL to access the admin portal for Cisco, Poly and Lifesize devices from the public internet without login credentials, according to Cisco. That would have let a hacker commandeer a company's video systems, potentially allowing them to eavesdrop on conference rooms.
Zoom released a patch last week that password-protected access to the control hub via those URLs. But in a blog post this week, Cisco said the quick fix did not go far enough, alerting customers that Zoom's connector service did not meet Cisco's security standards.
To create the connector, Zoom built a link between the Zoom cloud and a Cisco web server running within a corporate network, said Sri Srinivasan, general manager of Cisco's team collaboration group. The configuration provides a point of access to the endpoints that lies outside the network firewall.
"You don't want to have firewall settings open for a management interface of this sort, even [when] password-protected," Srinivasan said.
Similarly, in a statement Tuesday, Lifesize said it considered Zoom Connector an unauthorized integration "built in an inherently insecure way." However, the company concluded that the security flaw spotlighted by Cisco did not put customers in immediate risk.
In a statement Tuesday, Zoom said it considered the issue fully resolved. While insisting customers were safe, Zoom said it did advise companies to check device logs for unusual activity or unauthorized access.
Zoom added that it was not aware of any instances of hackers exploiting the vulnerability. The URLs necessary to access a device's management portal are long and complicated, similar to a link to a Google Doc or an unlisted YouTube video. Most likely, a hacker would have needed to first gain access to an admin's browser history to exploit the flaw.
Zoom has come under fire before for security shortfalls. Experts criticized the vendor in July for quietly installing a web server on Mac computers. The software left users vulnerable to being forcibly joined to a meeting with their video cameras turned on.
Cisco has raised issues with Zoom about the connector in the past, but only became aware of the URL vulnerability on Oct. 31, Srinivasan said. A customer who wished to remain anonymous reported the problem to Cisco and Zoom around the same time, he said. Zoom patched the issue on Nov. 19, one day after Cisco said it contacted the company about the problem.
Adding fuel to the fire, Zoom has been using the Cisco logo on its connector's admin portal. Cisco said this likely led customers to believe they were accessing a website supported by Cisco.
"This has been going on for a long, long time," Srinivasan said. "Now, we know better to make sure we check everything Zoom does."
But it seems unlikely Zoom will heed Cisco's directive to obtain certification of the service. The vendor has a financial stake in the matter, as it charges customers $499 per year, per port for Zoom Connector.
Zoom has emerged in recent years as perhaps Cisco's biggest competitor in the video conferencing market. Eric Yuan resigned as Cisco's vice president of engineering to start Zoom in 2011. Yuan was one of the chief architects of the Webex video conferencing software that Cisco acquired in 2007.
In the coming months, Cisco is planning to release a SIP-based integration for Zoom and other leading video conferencing providers. The technology would let users join third-party meetings with one click from a Cisco device.
Cisco already supports SIP-based interoperability. But taking advantage of it requires businesses to build an integration themselves or pay for a third-party service. Srinivasan said the forthcoming SIP integration would eliminate the need for a service like Zoom Connector
source searchunifiedcommunications
Industry: Unified Communications
Latest Jobs
-
- Senior Presales Consultant | Managed Security Services | London
- London
- N/A
-
Senior Presales Consultant – Managed Security Services Location: London-commutable (Hybrid) A well-established cyber consultancy is seeking a Senior Presales Consultant to drive growth across its managed security services / advisory portfolio. This hybrid role bridges commercial and technical expertise supporting solution design, shaping customer proposals, and guiding conversations from scoping through to delivery. Key experience: Background in managed security services, including SOC operations and threat detection Strong knowledge of cloud and on-prem security tooling (SIEM, EDR, IAM) Penetration testing Proven ability to translate technical concepts into clear business value Confident in customer-facing engagements and pre-sales delivery Experience contributing to bids, proposals, and RFI/RFP responses To find out more contact me on 07884666351 Visa sponsorship is unfortunately not available for this role.
-
- New Business | Cyber Security | Overlay sales (UK Based- London commutable)
- London
- N/A
-
New Business Sales Hunter needed | Cybersecurity (UK Based- London commutable) Are you looking for uncapped commission, a fun and sociable team that drives success with no politics? If so...You must Have a demonstrable history of sales success in Cyber Security Follow Weatons law. The role: Seeking a proven New Business Sales Hunter to join an established, successful and expanding team. New business focused - £500-750 GP Sell a blend of security services & professional services. Ideal experience selling some or all of the following Cyber strategy & risk management Managed detection & response (MDR) Penetration testing Compliance & audit support You: Strong cybersecurity/IT services sales track record. Confident selling into mid-market & enterprise. UK based - London commutable Hunter mindset, full sales cycle ownership. Don't just send an email to apply give me a call on 07884666351
-
- New Business Sales Hunter | Cyber Security (UK Based)
- London
- To attract the right person
-
New Business Sales Hunter needed | Cybersecurity (UK Based) Are you looking for uncapped commission, a fun and sociable team that drives success with no politics? If so...You must Be UK based - and able to achieve UK SC clearance. (sorry no visas) Have a demonstrable history of sales success in Cyber Security Follow Weatons law. The role: Seeking a proven New Business Sales Hunter to join an established, successful and expanding cyber security firm. New business focused - £1m GP year one target (ramped). Sell a blend of security services & professional services. Ideal experience selling some or all of the following Cyber strategy & risk management Managed detection & response (MDR) Penetration testing Compliance & audit support You: Strong cybersecurity/IT services sales track record. Confident selling into mid-market & enterprise. UK based - London commutable 1x per week. Hunter mindset, full sales cycle ownership. Don't just send an email to apply give me a call on 07884666351