According to reports, several vulnerabilities were discovered in Zoom's Zero Touch Provisioning (ZTP) that allow threat actors to gain full remote administration of provisioned devices, enabling activities such as eavesdropping, pivoting through the devices into the network, and building a botnet from the compromised devices.
In addition, threat actors can reconstruct the cryptographic routines used by AudioCodes devices and decrypt sensitive information such as passwords and configurations, which are exposed because of improper authentication.
How Zoom's Zero Touch Provisioning Works
The ZTP feature automatically provisions certified hardware such as VoIP devices so that they receive all the information needed for operation. This information includes server addresses, account information, and firmware updates.
Zoom's ZTP supports a wide range of devices and is one of the most widely relied-upon providers for integrating traditional desk phones. An IT administrator uses ZTP to assign a device to a user and set its configuration, which the device then queries while it is still at factory settings.
ZTP uses certificate-based authentication between the device and the ZTP server, also known as mutual TLS. The ZTP server additionally verifies that the device's MAC address exactly matches the requested configuration. This makes it hard for threat actors to extract device certificates, but there is no second authentication factor such as a one-time password.
Assigning a device is done through Zoom Phone's administrative panel by adding its MAC address. This means that a threat actor holding the licences required to use Zoom Phone can register arbitrary MAC addresses and bind them to a self-defined configuration template.
The attacker controls a malicious C2 server on which the malicious firmware package is stored. By adding the device to the attacker's Zoom account, the device is made to request its configuration from that server and download the firmware package together with a malicious configuration, resulting in a complete takeover of the device.
A complete report on this threat vector and further details has been published by SySS and was presented at Black Hat USA 2023.