07-April-2021, min readtime

Computest hackers able to take over laptops due to serious vulnerabilities in Zoom

Daan Keuper and Thijs Alkemade Computest Security's win USD 200,000 in prestigious international hacker competition.

Zoetermeer, April 7, 2021 - Two Dutch ethical hackers from Computest Security, Daan Keuper and Thijs Alkemade, have found serious vulnerabilities in Zoom. By exploiting the vulnerabilities, a user's laptop or PC can be taken over, almost without the user having to be involved, let alone noticing the hackers are inside. The findings of Keuper and Alkemade are of such importance that they could present this at the prestigious hacker contest Pwn2Own, part of the security conference CanSecWest. Zoom rewarded the find with a so-called 'bug bounty' of USD 200,000.

During their research into Zoom, Keuper and Alkemade found a number of so-called zero-day vulnerabilities in the Zoom client. This is installed by users on a PC or laptop in order to be able to use the video conferencing service. The hackers of Computest Security managed to execute random code on different systems of various selected targets who were willing to cooperate. They were then able to almost completely take over the system and perform actions such as turning on the camera, turning on the microphone, reading emails, checking the screen and downloading the browser history. For this, there is no user interaction needed.

Keuper: “Zoom took the headlines last year because of various vulnerabilities. However, this mainly concerned the security of the application itself, and the possibility of watching and listening along with video calls. Our discoveries are even more serious. Vulnerabilities in the client allowed us to take over the entire system from users. A serious privacy issue with which we qualified to participate in Pwn2Own and ultimately won."

Working from home tools are an attractive target

The Computest Security hackers presented their findings at the international Pwn2Own hacker contest, part of security conference CanSecWest. Many large tech companies such as Microsoft, Adobe and Tesla have been participating in Pwn2Own for some time to have their solutions subjected to the tests of ethical hackers. As people have started working from home en masse as a result of the pandemic, the tools that are supporting them in doing so have become an attractive target for hackers. Therefore, the conference organization added the new category Enterprise Communications this year. Zoom was included as part of the program for the first time.

Reward for ethical hackers

The main theme of the competition is taking over systems within a very limited time by means of vulnerabilities that are not yet known (zero-day). If it turns out that the vulnerabilities are indeed unknown and the importance of the find is high enough, the hackers have a chance of winning rewards or bug bounties. Zoom awarded USD 200,000 to the ethical hackers who actually managed to find a vulnerability. In 2012, Keuper already participated together with a former colleague Joost Pol. They were allowed to present their hack of an iPhone on the international stage. With this, he won a prize of 30,000 Euros.

To investigate vulnerabilities of great social importance Computest Security has set up its own research lab; Sector 7. “With our own lab we want to stimulate innovation within the company and show that we have the best hackers in house, but even more ensure a stronger security awareness throughout the entire chain,” says Chris Hazewinkel, CEO of Computest Security. “More and more business and consumer products are connected. Due to the ease of use, these are also widely adopted. As we have also seen with our previous research into IoT security in the automotive sector, the security level often leaves much to be desired. Exposing these types of vulnerabilities in Zoom also indicates that organizations must be critical in any situation when deploying new tools.”

About Computest Security

Computest Security offers a complete portfolio in the field of cybersecurity and performance. The company is part of Computest and supports organizations and institutions with independent advice & implementation in the field of risk management, continuous preventive security, information security and governance control. More information: http://www.computest.nl/en/.

More information:

Chantal Schepers
06 235 099 23

This website works best with JavaScript enabled