{"id":18070,"date":"2022-02-02T10:49:08","date_gmt":"2022-02-02T18:49:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11803\/"},"modified":"2022-02-02T10:49:08","modified_gmt":"2022-02-02T18:49:08","slug":"news-11803","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/02\/news-11803\/","title":{"rendered":"\u2018Zero-Click\u2019 Zoom Vulnerabilities Could Have Exposed Calls"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61e1f7de50297725e779e751\/master\/pass\/Security-Zoom-Zero-Touch-Vulnerabilities-1225504303.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 18 Jan 2022 17:04:27 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/lily-hay-newman\">Lily Hay Newman<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">Most hacks require<\/span> the victim to click on the wrong link or open the wrong attachment. 
But as so-called <a href=\"https:\/\/www.wired.com\/story\/sneaky-zero-click-attacks-hidden-menace\/\">zero-click vulnerabilities<\/a>\u2014in which the target does nothing at all\u2014are <a href=\"https:\/\/www.wired.com\/story\/apple-imessage-zero-click-hacks\/\">exploited more and more<\/a>, Natalie Silvanovich of Google&#x27;s Project Zero bug-hunting team has worked to find new examples and get them fixed before attackers can use them. Her list <a data-offer-url=\"https:\/\/googleprojectzero.blogspot.com\/2022\/01\/zooming-in-on-zero-click-exploits.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/googleprojectzero.blogspot.com\/2022\/01\/zooming-in-on-zero-click-exploits.html&quot;}\" href=\"https:\/\/googleprojectzero.blogspot.com\/2022\/01\/zooming-in-on-zero-click-exploits.html\" rel=\"nofollow noopener\" target=\"_blank\">now includes Zoom<\/a>, which until recently had two alarming, interactionless flaws lurking inside.<\/p>\n<p class=\"paywall\">Though fixed now, the two vulnerabilities could have been exploited without any user involvement to take over a victim&#x27;s device or even compromise a Zoom server that processes many users&#x27; communications in addition to those of the original victim. Zoom users have the option to turn on end-to-end encryption for their calls on the platform, which would keep an attacker with that server access from surveilling their communications. But a hacker could still have used the access to intercept calls in which users didn&#x27;t enable that protection.<\/p>\n<p class=\"paywall\">\u201cThis project took me months, and I didn&#x27;t even get all the way there in terms of carrying out the full attack, so I think this would only be available to very well-funded attackers,\u201d Silvanovich says. 
\u201cBut I wouldn\u2019t be surprised if this is something that attackers are trying to do.\u201d<\/p>\n<p class=\"paywall\">Silvanovich has found zero-click vulnerabilities and other flaws in a number of communication platforms, including <a href=\"https:\/\/www.wired.com\/story\/facebook-messenger-bug-bounty\/\">Facebook Messenger<\/a>, <a href=\"https:\/\/www.wired.com\/story\/signal-facebook-messenger-eavesdropping-vulnerabilities\/\">Signal, Apple&#x27;s FaceTime, Google Duo<\/a>, and <a href=\"https:\/\/www.wired.com\/story\/imessage-interactionless-hacks-google-project-zero\/\">Apple&#x27;s iMessage<\/a>. She says she had never given much thought to evaluating Zoom because the company has added so many pop-up notifications and other protections over the years to ensure users aren&#x27;t unintentionally joining calls. But she says she was inspired to investigate the platform after a pair of researchers <a data-offer-url=\"https:\/\/www.zerodayinitiative.com\/blog\/2021\/4\/2\/pwn2own-2021-schedule-and-live-results\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.zerodayinitiative.com\/blog\/2021\/4\/2\/pwn2own-2021-schedule-and-live-results&quot;}\" href=\"https:\/\/www.zerodayinitiative.com\/blog\/2021\/4\/2\/pwn2own-2021-schedule-and-live-results\" rel=\"nofollow noopener\" target=\"_blank\">demonstrated a Zoom zero-click<\/a> vulnerability at the 2021 Pwn2Own hacking competition in April.<\/p>\n<p class=\"paywall\">Silvanovich, who originally disclosed her findings to Zoom at the beginning of October, says the company was extremely responsive and supportive of her work. Zoom fixed the server-side flaw and released updates for users&#x27; devices on November 24. 
The company has released a security bulletin and told WIRED that users should download the latest version of Zoom.<\/p>\n<p class=\"paywall\">Most mainstream video conferencing services are based at least in part on open source standards, Silvanovich says, making it easier for security researchers to vet them. But Apple&#x27;s FaceTime and Zoom are both fully proprietary, which makes it much harder to examine their inner workings and potentially find flaws.<\/p>\n<p class=\"paywall\">\u201cThe barrier to doing this research on Zoom was quite high,\u201d she says. \u201cBut I found serious bugs, and sometimes I wonder if part of the reason I found them and others didn\u2019t is that huge barrier to entry.\u201d<\/p>\n<p class=\"paywall\">You likely join Zoom calls by receiving a link to a meeting and clicking it. But Silvanovich noticed that Zoom actually offers a much more expansive platform in which people can mutually agree to become \u201cZoom Contacts\u201d and then message or call each other through Zoom the same way you would call or text someone&#x27;s phone number. The two vulnerabilities Silvanovich found could only be exploited for interactionless attacks when two accounts have each other in their Zoom Contacts. This means that the prime targets for these attacks would be people who are active Zoom users, either individually or through their organizations, and are used to interacting with Zoom Contacts.\u00a0<\/p>\n<p class=\"paywall\">Organizations that use Zoom have the option of routing their communications through the company&#x27;s servers or establishing and maintaining their own server through Zoom&#x27;s \u201con-premises\u201d options. Managing a Zoom server can help groups that need control for industry or regulatory compliance, or simply want to be in charge of their own data. 
But Silvanovich found that the vulnerabilities could be exploited not only to target individual devices, but to take control of these servers.<\/p>\n<p class=\"paywall\">The concept of <a href=\"https:\/\/www.wired.com\/story\/sneaky-zero-click-attacks-hidden-menace\/\">exploiting interactionless bugs<\/a> is not new in offensive hacking, and recent attacks show how effective it can be. Examples have mounted <a href=\"https:\/\/www.wired.com\/story\/nso-group-spyware-pegasus-state-department\/\">in recent months<\/a> of governments around the world <a href=\"https:\/\/www.wired.com\/story\/nso-group-hacks-ios-android-observability\/\">purchasing<\/a> and abusing <a href=\"https:\/\/www.wired.com\/story\/nso-group-forcedentry-pegasus-spyware-analysis\/\">targeted hacking tools<\/a> and <a href=\"https:\/\/www.wired.com\/story\/nso-group-pegasus-el-salvador\/\">spyware to surveil<\/a> activists, journalists, dissidents, and others. The underlying flaws have also proven to be more common than you might think in services that people rely on worldwide.\u00a0<\/p>\n<p class=\"paywall\">\u201cWith each project, I keep thinking this is the thing that\u2019s going to make me done with messaging or done with video conferencing,\u201d Silvanovich says. 
\u201cBut then I or other people start to look at new avenues and it keeps going.\u201d<\/p>\n<p class=\"paywall\"><em><strong>Update January 18, 2022 at 5:45pm ET:<\/strong> This story has been updated to reflect that Zoom first made its patches available on November 24, not December 1.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/zoom-zero-click-vulnerabilities\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/61e1f7de50297725e779e751\/master\/pass\/Security-Zoom-Zero-Touch-Vulnerabilities-1225504303.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman| Date: Tue, 18 Jan 2022 17:04:27 +0000<\/strong><\/p>\n<p>The flaws are now fixed, but they speak to the growing concerns around interactionless attacks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21357],"class_list":["post-18070","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-security-news"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18070"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18070\/revisions"
}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18070"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}