As nearly half the world population is confined at home due to the coronavirus pandemic, tens of millions of people have turned to the video conferencing app Zoom to catch up with friends, take school classes, and attend important work—and even government—meetings.
As millions of people pour onto a little-known platform, hackers around the world are researching it for the most severe security vulnerabilities, which they can then sell to the highest bidder, Motherboard has learned.
“I don’t have any free time. There’s a few Zoom zero-days in use. Industrial espionage is sky-high,” said a person who has worked in cybersecurity for years, who as others in this story requested to remain anonymous to talk about sensitive information.
Do you work in exploit development or trade zero-days? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they’re in, they can be sold for thousands or even millions of dollars. As companies have improved their security and made it harder to hack computers, phones, and apps, a relatively large segment of the cybersecurity industry has emerged: one where researchers work full-time looking for flaws to then sell to the highest bidder, be it a government or private hackers—or perhaps the company itself, since they’re offering rewards.
“Who doesn’t [have Zoom zero-days]?” jokingly said the source.
“Industrial espionage is making millions now. Zoom, GTM, WebEx…all meetings where you needed an insider to get in before [videoconference meetings became widespread],” he said.
Another person, who used to trade exploits and has kept tabs on his old customers and the market, said that there’s a lot of noise and interest, but not a lot of economic value in finding zero-days in video conferencing software like Zoom. The source said Zoom exploits go for $5,000 to $30,000. For comparison, companies like Zerodium that pay for vulnerabilities offer $50,000 for flaws in antivirus software, up to $500,000 for bugs in popular software like Chrome, and $2,000,000 for exploits that allow for full compromise of iOS and Android phones.
A third source also said he has seen increased interest in Zoom exploits.
Other people who develop and trade zero-days, however, have yet to see real interest, especially from government agencies.
“I asked my customers: ‘do you want Zoom 0days?’” a defense contractor with years of experience, told Motherboard. He said that his customers responded saying that nobody cared about Zoom until last month, and they are still not sure if they need exploits for it.
In the last few weeks, several security and privacy researchers, as well as journalists, have dug into Zoom, and found numerous issues. Motherboard found that the Zoom iOS app shared information with Facebook, and leaked people’s email addresses and photos. A former NSA hacker also found two zero-day exploits that he publicly disclosed to warn users.
Most of these issues are legitimate concerns, but they’ve led some to overreact and brand Zoom as “malware.” Or ban it completely, like the government of Taiwan and New York City have done.
As we wrote last week, Zoom isn’t perfect, but it’s probably OK to use it with your friends to do a virtual dinner party. It also makes sense that as more people use it hackers of all kinds will focus on it.
Subscribe to our new cybersecurity podcast, CYBER.