Hacking Zoom video conferencing using its smart display

According to a recently released report, the smart monitors of hardware company DTEN, a major hardware provider for Zoom video conferencing service, is affected by a vulnerability that, if exploited, would allow a hacker to cause failures in Zoom sessions, hijack video streams and even collect notes written on the whiteboard of these devices, assure ethical hacking specialists.

The vulnerability was discovered last July by security firm Forescout researchers during an investigation looking for bugs in devices for video conferencing systems.

In total, ethical hacking researchers discovered five vulnerabilities, of which three have already been corrected, while two remain active, although there appears to be no indication of exploitation in the wild. “The hardware is being widely used to replace many older models of screens in video conferencing rooms,” Forescout specialists say.

One of the main drawbacks discovered during the investigation is that the DTEN system stores your whiteboard notes in an Amazon Web Services (AWS) bucket apparently exposed on the public Internet. In other words, customers could have accessed PDF files on slides, screenshots, and notes prepared by other participants by simply changing the numbers at a previously used URL.

In addition, DTEN does not have HTTPS web encryption enabled on the client server to protect the connections of any malicious user. In the first instance, DTEN had fixed these failures on October 7, although similar inconveniences arose a few days later. “For any threat actor, exploiting these vulnerabilities could be really easy,” says Elisa Constante, forescout’s researcher.

During the investigation, two different ways in which an attacker with access to the same network as the compromised DTEN device could manipulate video conferencing systems to monitor all audio and video sources were also detected, in addition to the possibility of taking control of some of them.

If that’s not enough, a hacker can access the network remotely by exploiting other known vulnerabilities; if access is gained, it is possible to trigger many other attack variants, assay the ethical hacking specialists of the International Institute of Cyber Security (IICS).

Another reason these kinds of failures are considered high serious is the presence of devices developed by DTEN in many of the major private companies and government agencies, such as the U.S. Department of Justice (DOJ).