Three vulnerabilities were discovered in Cisco’s Webex video-conference software which made it possible for hackers to eavesdrop on meetings as “ghost” attendees.
The interlopers were able to view, listen, and more without being seen by the organizer or any of the attendees.
At its peak, Webex hosted up to 4 million meetings in a single day.
It is believed that the attackers were able to:
- Join a meeting as a ghost, in most cases with full access to audio, video, chat, and screen-sharing capabilities
- Maintain an audio feed as a ghost even after being expelled by the meeting leader
- Access full names, email addresses, and IP addresses of meeting attendees, even when not admitted to a conference room
The vulnerabilities were discovered by IBM Research and the IBM’s Office of the CISO, which analyzed Webex because it’s the company’s primary tool for remote meetings.
The attackers were able to gain access to meetings when Webex establishes a WebSocket connection between the user and the server.
“By manipulating some of the key fields about an attendee sent over a WebSocket when joining a meeting, the team was able to inject the carefully crafted values that allow someone to join as a ghost attendee,” IBM researchers wrote in a post published on Wednesday. “This worked because of improper handling of the values by the server and other participants’ client applications. For example, injecting null values into ‘Lock’ and ‘CB_SECURITY_PARAMS’ fields caused an issue.”
They went on to say that “a malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others. In our analysis, we identified the specific values of the client information that could be manipulated during the handshake process to make the attendee invisible on the participants’ panel. We were able to demonstrate the ghost attendee issue on MacOS, Windows, and the iOS version of Webex Meetings applications and Webex Room Kit appliance.”
“Even with the best practices, a host could still find themselves in a meeting with a guest who is unwanted and needs to be removed, whether it’s someone who has crashed the meeting (e.g., ‘Zoombombed’) or a participant who walked away from their computer and forgot to disconnect. Either way, the host has the power to expel attendees, but how do you know they are really gone? It turns out that with this vulnerability, it is extremely difficult to tell. Not only could an attacker join meetings undetected or disappear while maintaining audio connectivity, but they could also simply disregard the host’s expel order, stay in the meeting and keep the audio connection.”
The only indication participants would have that a ghost had sneaked into a meeting is a beep when the ghost joins.
The discovery comes as work-from-home routines have driven a more than five-fold increase in the use of Webex between February and June.
Cisco is working on rolling out a fix for the vulnerabilities, which are tracked as CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419.
The below video takes a deeper dive into the vulnerabilities and how they are fixing them: