Interoperability and openness should never be a trade-off with security, and our users shouldn’t believe they need to sacrifice one for the other. Interoperability and security can and should work in unison, and this requires today’s software companies to agree on some basic norms for how we collectively secure our mutual customers.
Cisco has created a rich partner, developer, and integrator ecosystem so our customers have the flexibility and choice to super-charge their tools and workflows with our collaboration technologies, seamlessly. We are serious about interoperability with the tools you love and use every day. Some examples of the work we have done in this regard include our native integrations with Google, Apple, Microsoft, Slack and more.
This flexibility, choice, and interoperability, however, must come with zero compromises on security and data integrity.
Unsupported collaboration integrations can increase customer risk. Achieving both compatibility and security can be challenging, and that is why we will only support third-party collaboration vendors who meet our security standards and who integrate with our products and services through our supported open APIs.
Zoom Connector for Cisco Issue: Interop between Zoom and Cisco Video Devices
Cisco was notified of a serious security risk with the Zoom Connector for Cisco on October 31st, 2019 and followed our well-established process to investigate the issue. We believe Zoom had also been notified on October 31 or thereabouts. On November 18th, our CISO notified Zoom’s CISO of our findings and advised immediate action to address all security risks. I am sharing the details of this issue as we are committed to transparency and to protecting our customers in the constantly evolving security landscape.
The Zoom Connector for Cisco, owned and operated by Zoom Video Communications, connects their cloud to a customer’s internal network and specifically to a Cisco Endpoint/Video Device and its management interface.
What was the issue? Regrettably, the access (through a Zoom URL) for the Zoom Connector for Cisco hosted on zoom.us was accessible without authentication.
Issue details: Cisco Webex Devices can be managed through a web interface that provides management of configuration, status, logs, security, and integrations such as in-room controls and macros. The Zoom Connector for Cisco created a device-specific URL hosted on the Zoom website for each endpoint configured in the connector. This URL provided access to the device’s web interface by using Zoom’s on-premises API Connector to modify the Cisco web pages so they could be accessed from the Zoom URL outside the customer’s network. Regrettably, this Zoom URL provided from their website was accessible without authentication. In addition, Zoom provided a landing page that copied Cisco’s landing page, including Cisco’s logo and branding, misleading customers into believing they were on a Cisco webpage with Cisco security, rather than on a publicly accessible URL.
The Zoom Connector for Cisco created the following critical security risks:
- The Zoom URL did not require credentials. Anyone with knowledge of the URL could access it from the public internet, allowing unauthenticated access to a Cisco Webex Device configured and managed through the Zoom Connector for Cisco. Once a person had the URL, they could reach the endpoint directly and control it, including placing a call from that endpoint to eavesdrop on critical business meetings.
- Zoom exposed Cisco Webex Devices to perpetual administrative exposure by placing itself between the user and the Cisco interface, modifying the Cisco webpage using unsupported methods through a Zoom URL, thereby bypassing all Cisco Security norms. The Zoom URL did not expire during our testing period. Even when the Zoom administrator changed their password, the Zoom URL managing the Cisco Webex Device lived on.
- The Zoom URL link did not get revoked if the Zoom administration password was changed or upon deletion of a Zoom administrative user. Thus, an ex-employee would continue to have access to the devices through the firewall from the public internet, if they had the Zoom URL stored in their history.
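The three risks above share one root cause: the device link was a bearer secret with no binding to an authenticated administrator, no expiry, and no revocation when the administrator’s credentials changed or the administrator was removed. The following is an added illustration of how a connector could mint device-management links that close all three gaps; it is not Zoom’s or Cisco’s code, and the class name, hostname (`connector.example.invalid`), link format and signing scheme are assumptions made for the example.

```python
"""Hypothetical device-link issuer for an on-premises connector (added example).

Each link carries HMAC-signed claims: the administrator it was issued to, the
device it reaches, an expiry, and the administrator's credential generation.
Access additionally requires the administrator's own authenticated session, so
the URL alone grants nothing; links expire; and bumping the generation on a
password change, or deleting the administrator, revokes every outstanding link.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class DeviceLinkIssuer:
    def __init__(self, secret: bytes, ttl_seconds: int = 900,
                 clock: Callable[[], float] = time.time):
        self._secret = secret          # server-side HMAC key, never in the URL
        self._ttl = ttl_seconds        # link lifetime; 15 minutes by default
        self._clock = clock            # injectable for testing expiry
        # administrator -> credential generation; bumping it revokes all links
        self._generation: Dict[str, int] = {}

    def register_admin(self, admin: str) -> None:
        self._generation[admin] = 1

    def password_changed(self, admin: str) -> None:
        # Links minted under the old generation no longer validate.
        self._generation[admin] += 1

    def delete_admin(self, admin: str) -> None:
        # An ex-employee's stored links fail the generation lookup from now on.
        self._generation.pop(admin, None)

    def issue_link(self, admin: str, device_id: str) -> str:
        if admin not in self._generation:
            raise PermissionError("unknown administrator")
        claims = {
            "sub": admin,
            "dev": device_id,
            "gen": self._generation[admin],
            "exp": int(self._clock()) + self._ttl,
        }
        body = _b64e(json.dumps(claims, sort_keys=True).encode())
        tag = _b64e(hmac.new(self._secret, body, hashlib.sha256).digest())
        token = (body + b"." + tag).decode()
        # Placeholder host; the real connector's URL layout is not on the page.
        return f"https://connector.example.invalid/device/{device_id}?t={token}"

    def authorize(self, url: str, session_admin: Optional[str]) -> Tuple[bool, str]:
        """Return (allowed, reason) for a request to `url` by `session_admin`.

        The MAC is verified before any claim is trusted, and every check must
        pass: the link is an authorization hint, not a credential.
        """
        if session_admin is None:
            return False, "no authenticated session: the link alone grants nothing"
        parsed = urlparse(url)
        token = parse_qs(parsed.query).get("t", [""])[0]
        body, _, tag = token.partition(".")
        expected = _b64e(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(expected, tag.encode()):
            return False, "bad signature"
        claims = json.loads(_b64d(body.encode()))
        if claims["sub"] != session_admin:
            return False, "link was issued to a different administrator"
        if claims["exp"] <= int(self._clock()):
            return False, "link expired"
        current = self._generation.get(claims["sub"])
        if current is None:
            return False, "administrator deleted; link revoked"
        if claims["gen"] != current:
            return False, "password changed since issue; link revoked"
        if parsed.path != f"/device/{claims['dev']}":
            return False, "link bound to a different device"
        return True, "ok"


if __name__ == "__main__":
    issuer = DeviceLinkIssuer(secret=secrets.token_bytes(32), ttl_seconds=600)
    issuer.register_admin("alice")
    link = issuer.issue_link("alice", "room-42")
    print(issuer.authorize(link, "alice"))   # (True, 'ok')
    print(issuer.authorize(link, None))      # denied: no session
    issuer.password_changed("alice")
    print(issuer.authorize(link, "alice"))   # denied: revoked
```

The generation counter is the piece that directly addresses the second and third bullets: revocation does not depend on tracking every link ever issued, only on one integer per administrator, so password changes and deprovisioning invalidate links that are still sitting in someone’s browser history.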
On November 19th, 2019, Zoom released a “bug fix” that partially addressed the security issues and, after further communication from Cisco, provided an email with incomplete information on the security risks to their affected customers.
Our promise to our customers
At Cisco Webex, we live by secure, simple, and scalable principles. Over my decades in the software industry, I have learned that it is never acceptable to bypass security norms for the sake of convenience and simplicity. And when so much sensitive data is being shared through video conferencing, including the ability to use a device’s camera, security must be of utmost importance. That is the promise we at Cisco hold dearly for every one of our customers, a promise embodied by the steps we took for this issue:
- We take every notification seriously, especially from our customers.
- We engaged our Cisco Product Security Incident Response Team (PSIRT) and the Talos Security Intelligence and Research Group (Talos) to investigate this security risk. The Cisco PSIRT team is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks. Talos is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products. Cisco has well-established practices for investigating and reporting security issues (https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html), and cooperates with industry in researching security issues.
- As I noted previously, these findings were shared with Zoom on November 18th, 2019.
- We all live in a heightened state of alert, ready to act proactively as and when notified. Each of us has, over the years, had our own issues, and we need to cooperate in the future for the sake of our mutual customers. We appreciate Zoom password-enabling these Zoom URLs starting November 19th, 2019. It is a good first step, but we need them to do more. We would like them to take additional steps to use our supported APIs and work with us to certify the solution so that we can secure our mutual customers effectively.
Call to action
If you are a customer using the Zoom Connector for Cisco, please review your administrative logs and analyze the usage to see if there was any breach as a result of the implementation described here.
At present, the Zoom Connector for Cisco is not a Cisco supported solution that meets our standards of enterprise-grade security. Our supported solutions meet the standards our customers expect out of Cisco by using our well documented open APIs.
You can continue to have your Cisco Webex Devices and Rooms connect to Zoom Meetings using standard supported methods like SIP, as well as our xAPI documented here.
It is our promise to work with each of our customers to provide them the most secure configuration. Please reach out to us at psirt@cisco.com if you have further questions or if you need us to help secure your Cisco Webex Devices. We work with every partner who uses our APIs responsibly. We stand ready to work with Zoom, to have them use the supported APIs and get the solution certified through our official programs.
Excellent, Cisco.
Thank you for always taking care of your customers’ security and technology assets.
Has Zoom owned up and issued a complete fix including accountability for this security lapse?