18 Jun The Ultimate Zoom Hack Takes Home A Six-Figure Prize
Pwn2Own’s competition reveals a gaping security hole in the videoconferencing platform
Melbourne, Australia – Jun. 18, 2021
Months of research, preparation and coding had made them extremely confident in their viable Zoom exploit chain, but that didn’t stop Daan Keuper and Thijs Alkemade from holding their breaths until the day they were finally able to demonstrate their zero-day vulnerability.
Its debut at this year’s Pwn2Own competition in April — organized by the Zero Day Initiative and still available for streaming online — would pit them and the world’s best hackers against a range of commercially available products, with 23 entries targeting 10 different products in categories including web browsers, virtualization engines, servers, enterprise communications tools, and local escalation of privilege.
It was the first time Zoom had been offered as a potential target platform, due to its new ubiquity as the engine-room of 2020’s working from home revolution, and the decision to focus on the platform was made partly because the pair knew that their competitors would be starting from the same point in developing their exploit.
“We thought if every security researcher had to start with their research from that moment on, why don’t we give it a shot?’” Keuper — a one-time teenage ethical hacker who is currently head of research at Dutch firm Computest Security — told Cybercrime Magazine as he and Alkemade, a fellow security researcher at the firm, recounted what would ultimately become a $200,000 windfall.
Cybercrime Radio: Ethical Hackers Won $200,000 at Pwn2Own
Interview with Daan Keuper & Thijs Alkemade
They started researching Zoom in January and, he explained, “rather quickly we identified the vulnerabilities we needed for our exploit chain. But building the actual exploits took quite some time to make sure that the bits and pieces would fall into place, and would work reliably enough for the competition.”
“We spent most of the time finalizing our exploits and making sure that we would win the competition if we participated.”
Yet even as they spent months finalizing and refining their three-stage chained exploit, Keuper admits that it was “very nerve-wracking” waiting because they knew their competitive advantage could evaporate at any moment.
“During the entire time you do the research,” he said, “or up until the point your exploit is run during the competition, we knew Zoom could patch any vulnerabilities they like — and we would be left with nothing.”
Zoom released four updates during the time the pair were refining their exploits but the vulnerability remained. Even the required sit-down with the vendor, in which winners walk the company’s developers through the vulnerability to make sure they weren’t already in the process of fixing the bug, confirmed that their approach was entirely novel.
The pair’s successful compromise of the world’s most-used videoconferencing platform became an Internet sensation as they demonstrated how they could remotely take control of a remote PC or Mac running Zoom.
Previous hacks of Zoom meant “you could only watch a meeting that’s in progress,” Alkemade explained, “but with this one, you could permanently listen in on the microphone of a user — so you could listen to other meetings that user has, or people talking even when they’re not in the [Zoom] meeting. So, this is a very serious vulnerability.”
Benefiting vendors and users
Pwn2Own’s strict rules are not only designed to give ethical hackers a challenge to aim for, but also to help vendors by ensuring they are given the opportunity to patch the vulnerabilities — and to learn from people who spend the most time poking and prodding application security systems.
Vulnerabilities “are something that are inherently there when you develop software, and when you use software,” Keuper said. “So, it is all about how the vendor reacts to these vulnerabilities.”
Zoom handled the disclosure “in a very professional manner,” he added. “They come to this competition in order for security researchers to have a platform to notify Zoom about the existence of these vulnerabilities — because the vulnerabilities are there if Zoom knows about it or not.”
The competitions offer a lesson for end users, as well, since the vulnerability that the Computest team found is still exploitable on systems running earlier versions of Zoom — offering a reminder of the importance of regular and timely patching.
Given the expanding complexity of common applications, bug bounty competitions have become one of many ways software vendors stress-test their applications to minimize the number of vulnerabilities they ship with.
“Without this reward, we probably wouldn’t have looked at Zoom,” Alkemade said. “This competition specifically highlights how to turn a vulnerability into a complete exploit.”
“You will never find all of these vulnerabilities at once, but maybe you can think of some defensive measures that can be applied to make abusing these vulnerabilities harder in general.”
And while the exploit they created turned heads all over the world, this sort of effort is all in a day’s work for security researchers — who, Keuper said, have become partners in commercial software developers’ efforts to improve the security of their platforms.
“The only way to know if a system is secure is to actually test IT security,” Keuper said. “And this is the reason white-hat hackers are needed — because they have the skill and mindset to actually evaluate the security level of a specific device or network.”
Whether through formal bug bounty programs, competitions such as Pwn2Own or through direct outreach, he said, software companies should have strategies for reaching out to white-hat hackers whose work can be a major benefit.
“The industry has really shifted towards welcoming security researchers to look for vulnerabilities, and to invite them to look for vulnerabilities,” Keuper said. “The work of white-hat hackers is extremely important… because if you don’t know where your vulnerabilities are, you don’t really know where your risks are.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
Go here to read all of David’s Cybercrime Magazine articles.