23-July-2021

Computest Zoom hackers: “We just want to get on with the technical stuff”

Ethical hackers from the Dutch company Computest recently made the news by exposing serious vulnerabilities in Zoom. They presented their findings at the prestigious hacking competition Pwn2Own and were awarded a so-called 'bug bounty' of 200,000 dollars by the organisers. Security is one of the pillars of Computest, but the firm does much more. Who are the people behind it?

One of the two hackers in the competition was Thijs Alkemade, who together with his colleague Daan Keuper found a number of zero-day vulnerabilities in the Zoom client. They succeeded in executing arbitrary code on different systems belonging to selected ‘victims’ (who were in fact cooperating). They were then able to take over the systems almost completely and perform actions such as turning on the camera, turning off the microphone, reading e-mails, watching what was happening on the screen and downloading the browser history.

Digging deep into Zoom communication

“We’d been working on our investigation since February”, says Thijs. “This is a different type of vulnerability than the one that came to light in early 2020. In that instance, it involved Zoom bombing; breaking into meetings you are not invited to. Our focus was elsewhere. The challenge was to hack a computer via communication with Zoom. We dug deep into the application. A week before the competition in April, we submitted a report detailing various vulnerabilities to the organisers, Zero Day Initiative.”
Unfortunately, Thijs is not allowed to give many details about the hack. “Immediately after the competition we were sat down with people from Zoom in a disclosure room. They were very positive about our work. They had just been handed the report, but they made clear that they wanted to start work on it straightaway. Have the problems since been resolved? We’ve not heard anything about it.”

Performance testing for peak load

Although Computest has recently hit the headlines with high-profile hacks (for instance, Thijs gained access to the Apple iCloud accounts of other users by taking advantage of the TouchID feature for logging onto websites), the company does much more than that. “We started out sixteen years ago doing performance testing”, says CEO and founder Hartger Ruijs. “We still do that, running stress, load and DDoS tests among others.” Examples of that performance work are the projects the Zoetermeer-based IT firm has done for Talpa, AFAS software and Amber Alert. It also tests different streaming services. In the case of Talpa, they subjected the digital platform for The Voice to a series of intensive tests which demonstrated that the online environment could handle a peak load of two million simultaneous users. This large-scale performance test set a new record for Computest and Talpa.

Happy staff, happy customers

The company, which originated as a group of friends, now has nearly a hundred employees. Hartger founded Computest based on the idea that happy techies make for happy customers. “We just wanted to get on with the technical stuff. We have now become a bit more commercial, but that is still our basic attitude. We do cool things for clients that we can't always talk about for reasons of disclosure. So taking part in Pwn2Own is a way for us to show what we can do." Chris Hazewinkel, responsible for the security side of Computest, adds: "Last year, we set up our research team. Not with the aim of making money, but to make the world a little bit safer. Pulling off a Zoom hack like the one we did was great, and the competition element meant we were really buzzing about it. But we look into a lot of other things too, for example vulnerabilities in domotics and the automotive world."

DevOps department

Computest offers customers all the services needed to facilitate good security, such as pen testing and the technology around that. However, as an organisation Computest is much more than that. Hartger: "We have two divisions: Computest Security and Computest DevOps. With Security, we offer a complete portfolio in terms of cybersecurity and performance. We support companies and institutions with independent advice and implementation in the areas of risk management, continuous preventative security, information security and governance control. Within DevOps, our goal is to send out the very best DevOps specialists. All of them are socially-minded techies with good communication skills. By providing supervision and support, they enable their clients or the teams they are part of to grow in the DevOps process."

Discoveries sometimes the result of spontaneous research

In short, Computest is a professional, multifaceted organisation. Nevertheless, social engagement and enthusiasm are at the heart of their work. “There's a lot going on in terms of security”, says Thijs. “You'll often find me on a Friday afternoon, after I have completed all my tasks, trying to work something out. For example, exactly how an app or website works. Sometimes I come across things that really demand a closer look. It's actually quite common to find vulnerabilities. Lots of things we end up investigating with our research team result from spontaneously looking into how something works." Hartger agrees and is able to cite various examples. “We once hacked a Volkswagen. We never got paid for that, by the way. That's okay, because we do it for the greater good. Another example is when I was having some work done at home and I noticed the lack of security in the way the installers were working with domotics applications. So Daan from our research team conducted an investigation and he did find various vulnerabilities in the domotics applications.”

Many sites vulnerable to cross-site scripting

Although Thijs often finds issues when he sets his mind to it, in recent years companies have generally taken a step forward in terms of security. “For example, many organisations now know how to protect themselves against SQL injection. You do still find you can gain access to individual accounts because password resets haven't been properly designed, and I also come across a lot of sites that are vulnerable to cross-site scripting, which involves adding bits of JavaScript so you can take over accounts.” Automated testing quickly reveals many vulnerabilities. For the past three years, Computest has been using the tool Marvin_ for this purpose. “The idea behind it is that it is a daily, automated scan which you can use to compare today's output with yesterday's. By automating and then performing triage, we not only save a lot of time, we are also able to quickly identify the big, high-impact issues.”
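The day-over-day comparison described above can be illustrated with a small diff over two scan runs. This is an added example written for this article; it is not Computest's Marvin tooling, and the finding format, host names and both sample runs are constructed for illustration. A finding is identified by host, path, vulnerability class and parameter but not by severity, so an issue that was re-rated overnight shows up as "escalated" rather than as a spurious "new" finding, and the new findings are ordered so the high-impact ones surface first.

```python
"""Diff yesterday's and today's scan output and order new findings for triage.

Added example for this article, not Computest's Marvin tooling. The finding
schema and the two sample runs are constructed and purely illustrative.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ordering used to rank findings; higher is more urgent.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    vuln_class: str   # e.g. "xss", "sqli", "password-reset"
    parameter: str    # affected parameter, empty if not applicable
    severity: str

    def key(self) -> Tuple[str, str, str, str]:
        # Identity of a finding across runs. Severity is deliberately left out
        # so that a re-rated issue is detected as escalated, not as new.
        return (self.host, self.path, self.vuln_class, self.parameter)


def diff_runs(yesterday: List[Finding], today: List[Finding]) -> Dict[str, List[Finding]]:
    """Split today's run into new, resolved, persisting and escalated findings."""
    y = {f.key(): f for f in yesterday}
    t = {f.key(): f for f in today}
    new = sorted((t[k] for k in t.keys() - y.keys()), key=Finding.key)
    resolved = sorted((y[k] for k in y.keys() - t.keys()), key=Finding.key)
    persisting = sorted((t[k] for k in t.keys() & y.keys()), key=Finding.key)
    # Persisting findings whose severity went up since yesterday.
    escalated = [f for f in persisting
                 if SEVERITY_RANK[f.severity] > SEVERITY_RANK[y[f.key()].severity]]
    return {"new": new, "resolved": resolved, "persisting": persisting, "escalated": escalated}


def triage_order(findings: List[Finding], min_severity: str = "medium") -> List[Finding]:
    """Drop findings below min_severity and put the most severe first."""
    floor = SEVERITY_RANK[min_severity]
    return sorted((f for f in findings if SEVERITY_RANK[f.severity] >= floor),
                  key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.path))


# Constructed sample runs (hypothetical hosts under .test).
YESTERDAY = [
    Finding("shop.example.test", "/search", "xss", "q", "medium"),
    Finding("shop.example.test", "/login", "missing-csp", "", "low"),
    Finding("api.example.test", "/v1/users", "sqli", "id", "critical"),
]
TODAY = [
    Finding("shop.example.test", "/search", "xss", "q", "high"),          # re-rated
    Finding("shop.example.test", "/login", "missing-csp", "", "low"),     # unchanged
    Finding("account.example.test", "/reset", "password-reset", "token", "high"),  # new
    Finding("shop.example.test", "/cart", "xss", "coupon", "medium"),     # new
    Finding("shop.example.test", "/", "server-header", "", "info"),       # new, noise
]


def daily_report(yesterday: List[Finding] = YESTERDAY,
                 today: List[Finding] = TODAY) -> Dict[str, List[Finding]]:
    """Produce the day's comparison plus the ordered list to look at first."""
    report = diff_runs(yesterday, today)
    report["triage_first"] = triage_order(report["new"], "medium")
    return report


if __name__ == "__main__":
    for section, items in daily_report().items():
        print(f"{section}:")
        for f in items:
            print(f"  [{f.severity}] {f.vuln_class} {f.host}{f.path} param={f.parameter!r}")
```

With the sample data the SQL injection on the API host drops out as resolved, the search-page XSS is flagged as escalated rather than new, and of the three new findings only the password-reset flaw and the cart XSS reach the triage list; the informational server header is filtered out by the severity floor.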

Intensive training process

Computest is busy looking for new IT talent – mid-level and senior DevOps specialists and ethical hackers, for example (“if we can find them”), but also junior specialists who have to complete a tough training process. “It's best if people already have a technical background”, says Chris. “For example in IT or business information systems. Having security as a specialism is great, of course, but that also goes for programming. After all, if you can write good code, you can also pull stuff apart.”

The training process for junior security specialists begins with a test, followed by various shadow tests. “We always run tests twice and see if our junior specialists perform them in the same way. They need to run successfully multiple times, across multiple applications. We have various quality controls and checks to keep quality high. It usually takes around six months to complete the training process."

Social nerds

Thijs has been working at Computest for five years now. "My interest in the firm goes back to when I read an article on digital security. I have a background as a programmer, I did a Masters in Maths & IT. After I found a vulnerability in Start Encrypt, a program that issues SSL certificates, we decided I should devote part of my time to research. Last year, we set up the full-time research department Sector 7.”

Computest is now looking for talent across virtually all its disciplines. “From incident response engineers to pen testers and all the roles related to DevOps, such as developers, testers and scrum masters”, says Hartger. “We are growing fast in every area and we are facing a shortage of people. The type of person that suits our company well is a social nerd. If you like the technical stuff but you also like doing social things, this is a good place for you."

At the Developers Summit 2021, Computest gave a talk about how it hacked Zoom.