DeepSec 2023 Talk: Zero-Touch-Pwn: Abusing Zoom’s Zero Touch Provisioning for Remote Attacks on Desk Phones – Moritz Abrell
Cloud communication platforms like Zoom have become a fundamental aspect of modern communication and are widely used in daily work. However, in certain scenarios, traditional endpoints such as desk phones or analog gateways are still required. Today, these devices can be integrated with most major cloud communication providers through the use of their provisioning services, which centralize configurations and firmware.
This session is about a security analysis of the Zoom “Zero Touch Provisioning” method with certified hardware. It will reveal several vulnerabilities that, when combined, allow an attacker to remotely compromise arbitrary devices, enable massive eavesdropping on conversations or rooms, remote control of devices, or using them as a pivot point to attack the adjacent corporate network.
Be curious about the details of hard-coded cryptographic material, improper authentication, lack of immutable root of trust, exposure of sensitive information and unverified ownership.
We asked Moritz a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Traditional devices, such as desk phones will be attacked with novel techniques by abusing state of the art cloud communication services.
- The analyzing process and the technical details of the found vulnerabilities will be covered
- The talk is intended to inspire future research of such provisioning services
- Supposedly protected sensitive information like passwords will be extracted and decrypted
- Resulting attack scenarios and risks will be demonstrated in a practical way
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I came across an interesting article about the provisioning of devices [1]:
“For phones that support Zero-Touch Provisioning, you can automatically provision your phone without having to configure provisioning in the phone’s web interface.” Especially the parts “automatically” and “without having to configure” aroused my interest.
Why do you think this is an important topic?
Since i could prove that such attacks can pose a significant security risk to companies of all sizes, this talk/topic should be on everyone’s watch list.
Is there something you want everybody to know – some good advice for our readers maybe?
You should attend this talk if you are interested in reverse engineering, exploit development or novel techniques. Be curious about the details of hard-coded cryptographic material, improper authentication, lack of immutable root of trust, exposure of sensitive information and unverified ownership.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
More research should be done in this field to cover more/other cloud (provisioning) services in combination with endpoints such as desk phones or media gateways. The need for simple deployment but the greatest possible compatibility carries the potential for further or similar problems, which could result in practical attacks and pose concrete security risks for companies of all sizes.
Moritz Abrell is an experienced IT security expert who has been passionate about the field since his early days. As a Senior IT Security Consultant and Penetration Tester for the Germany-based pentest company SySS GmbH, he specializes in the practical exploitation of vulnerabilities and advises clients on how to remediate them. In addition, he regularly conducts security research and has a keen interest in delving deep into soft-, hard- and firmware. His research has been presented at various national and international IT security conferences such as DEFCON, HackCon, Hacktivity, Standoff, IKT and ITG-ITSec.