Vulnerabilities during the Pandemic - absentee-neptune/Senior-Capstone GitHub Wiki

Vulnerabilities During the Pandemic


With the Covid-19 pandemic, nearly everyone has found themselves having to work or study from home. This has created intricate problems rooted in the security of home routers, as well as of the software used for education and communication from home.

Router Vulnerabilities

Among the most common home routers from the most common brands on the US market, the majority have at least a few vulnerabilities associated with them. Of all the routers on the market, 127 are affected in some way by these vulnerabilities, with a few models having up to 53 critical CVEs publicly listed. With this many potential threat vectors and more people than ever working and studying from home, the home network is an enticing new territory for malicious actors to lurk in. The most common attack on the home network associated with home router vulnerabilities is still the man-in-the-middle attack, which is aimed at stealing and manipulating a user's personal data.

Canvas Vulnerabilities

Another possible threat vector to the home network, outside of the router itself, is the LMS (Learning Management System), such as Canvas and Blackboard. For our project, we looked at Canvas specifically, since it is the LMS of choice for Champlain College. Canvas has access to both the student's and the instructor's computer files, Google Drive files, and computer screen. Canvas has posted CVEs for its software since 2017 for the public to see, the most critical of them being a vulnerability in which a malicious actor may carry out cross-site scripting (XSS) on the Canvas site itself. This XSS vulnerability can result in denial of service to users as well as the potential execution of harmful JavaScript.

Zoom Vulnerabilities

Another common form of communication that saw a steep increase due to quarantine and the work-and-study-from-home environment was Zoom. Used as a meeting platform for education, work, and everything in between, Zoom was an early and headline-making target for malicious actors. As an application, it has access to a user's microphone, camera, and computer screen. Zoom lacks any end-to-end encryption in its connection, making it an easy target for "Zoom bombing", where a user not authorized to be in a meeting gains access. This vulnerability is a smaller piece of Zoom's greater risk of man-in-the-middle attacks, stemming from its lack of encryption. There was also a vulnerability where a user's camera could be accessed and turned on, which was patched on every version but OS X for Mac. The most worrying vulnerability of all, however, was that on previous versions of Windows, such as 8 and below, malicious actors could execute code remotely on a targeted computer using the port that Zoom used.

Zoom has had more vulnerabilities appear over the course of the pandemic, most of which derive from the Zoom app store. This app store contains a variety of software plugins that can be used to "enhance" the meeting environment. The most concerning of these vulnerabilities involve CSS-enabled software. These 2 apps in the Zoom app store are webhook clients that let people insert links with enabled CSS attributes. This in turn allows malicious actors to change incoming and outgoing links in a Zoom meeting to create cross-site scripting attacks with built-in Zoom features. These features do not require the "victims" to have the app installed or activated. The malicious actor can therefore generate the webhook and create a cross-site scripting attack with no coding or additional input from the user. This method is widely available and, because no coding is needed, can be executed by someone with little to no computer experience, making it a very high-level threat to most users. Additionally, the threat to the "victims" is rather high, as it can lead to loss of credentials or financial information.
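On the defensive side, a client that renders links arriving from a webhook can refuse to make anything clickable unless it passes an allowlist. The following is an added example, not code from this project or from Zoom; the payload shape (`href`, `text`, plus arbitrary extra attributes) and all function names are assumptions made for illustration.

```javascript
// Added example: hardened rendering of a link taken from an untrusted
// webhook payload. The payload shape is hypothetical, not Zoom's format.
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalized absolute URL, or null if the link must not be clickable.
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  // Drop control characters, which browsers ignore when parsing a scheme.
  const cleaned = raw.replace(/[\u0000-\u001f\u007f]/g, "").trim();
  let url;
  try {
    url = new URL(cleaned); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // javascript:, data:, ...
  if (url.username || url.password) return null; // user@host hides the real host
  return url.href;
}

// Emits only href and a fixed rel; every other attribute in the payload
// (style, onclick, target, ...) is dropped rather than filtered.
function renderLink(link) {
  const text = escapeHtml(link.text ?? "");
  const href = safeHref(link.href);
  if (href === null) return `<span>${text}</span>`;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer nofollow">${text}</a>`;
}

// Constructed sample payloads.
const samples = [
  { href: "https://example.com/a?b=1&c=2", text: "Docs" },
  { href: "javascript:alert(1)", text: "Join", style: "position:fixed" },
  { href: "https://example.com/", text: "<img src=x onerror=alert(1)>" },
];
for (const s of samples) console.log(renderLink(s));
```

Rebuilding the element from an allowlist, instead of trying to strip known-bad attributes from supplied markup, means an attribute the filter author never thought of cannot reach the page.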

Additionally, among the recently discovered vulnerabilities, there is an active one found by data mining the software. This vulnerability exploits a hole in the presenting function of the Zoom meeting software. The exploit must be executed from an external Organizational Unit. It has been scripted, and it relies on forcing the present function and the acceptance of a member into the Zoom meeting platform to force that member off the meeting while opening a piece of software on the target computer. This creates an issue where the attacker can execute a script downloaded by a different means, such as the webhook. The Zero Day Initiative has also shown this to work for opening Microsoft-specific programs such as the calculator. (Calculator is a protected Microsoft Windows program; if you can open Calculator, you can pretty much open anything.) Since this exploit has been reported to Zoom by the Zero Day Initiative, the company is currently working on a patch.

Other Zoom apps present additional vulnerabilities and security concerns. These concerns arise from the traffic monitoring associated with other apps. With certain monitoring plugins such as Pivot, someone who joins a meeting with the plugin enabled would be able to capture the traffic throughout the meeting. This extends further to plugins that handle medical or financial information. Medical information, such as that from the MeLL+ professional plugin, is not end-to-end encrypted. This can expose meeting information or medical messages sent between the client and doctor. This is concerning given the ease of setting up a MitM attack on a client or even the medical practitioner. This raises concerns about telehealth communications and the ways this can affect everyday medical conferences.

The financial information plugins of the Zoom store are concerning as well. Introducing financial software on a meeting platform raises the concern of vulnerabilities stemming from a MitM attack. A plugin such as the PayPal plugin for Zoom raises concerns about credit card information being stolen. PayPal is known to be an insecure app to begin with. Many vulnerabilities in PayPal have been found throughout its time as a service, and this can extend to Zoom. Using a combination of the vulnerabilities mentioned above, it would be possible to create a PayPal webhook or capture PayPal traffic through a MitM attack linked to the Zoom meeting platform.

Google Meet Vulnerabilities

The other main form of communication used throughout the pandemic was Google Meet, which came with its own security challenges. Google Meet, like Zoom, has access to the user's microphone, camera, and computer screen. Due to the nature of how Google Meet functions, users can set whatever they like as their username, obfuscating their actual identities and allowing them to socially engineer their way into meetings. This ability to cloak their identities and true intentions also allows malicious actors to set up false phishing URLs and spoofed websites for the theft of personal data. Malicious actors can create false Google sign-in pages that lure users who do not inspect them closely into giving away their credentials.
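The "close inspection" that defeats a spoofed sign-in page comes down to comparing the parsed host of the URL, not its visible text, against the genuine one. The following is an added example, not part of the original project; treating `accounts.google.com` as the only trusted sign-in host is an assumption of this sketch, and the function name and sample URLs are constructed for illustration.

```javascript
// Added example: classify a URL that claims to be a Google sign-in page.
// Assumption: the only trusted sign-in host is accounts.google.com.
const TRUSTED_SIGNIN_HOST = "accounts.google.com";

function classifySignInUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  // Anything before "@" is userinfo; the real host is what follows it.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo-before-host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (host === TRUSTED_SIGNIN_HOST) {
    return url.port === ""
      ? { ok: true, reason: "exact-host" }
      : { ok: false, reason: "nonstandard-port" };
  }
  // The URL parser converts non-ASCII labels to punycode ("xn--...").
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "idn-lookalike" };
  }
  // The brand appears in the name, but the registered domain is someone else's.
  if (host.includes("google")) {
    return { ok: false, reason: "brand-in-untrusted-host" };
  }
  return { ok: false, reason: "other-host" };
}

// Constructed sample URLs (example.net stands in for an untrusted domain).
const samples = [
  "https://accounts.google.com/",
  "https://accounts.google.com@login.example.net/",
  "https://accounts.google.com.example.net/",
  "http://accounts.google.com/",
  "https://accounts.goog1e.com/",
];
for (const s of samples) console.log(s, classifySignInUrl(s).reason);
```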