Interoperability and openness should never be a trade-off with security, and our users shouldn’t believe they need to sacrifice one over the other. Interoperability and security can and should work in unison, and this requires today’s software companies to work with some basic norms on how we collectively secure our mutual customers.
Cisco has created a rich partner, developer, and integrator ecosystem so our customers have the flexibility and choice to super-charge their tools and workflows with our collaboration technologies, seamlessly. We are serious about interoperability with the tools you love and use every day. Some examples of the work we have done in this regard include our native integrations with Google, Apple, Microsoft, Slack and more.
This flexibility, choice, and interoperability, however, must come with zero compromises on security and data integrity.
Unsupported collaboration integrations could lead to increased customer risk. Compatibility and security can be challenging, and that is why we will only support third-party collaboration vendors who meet our security standards and who integrate with our products and services through our supported open APIs.
Cisco was notified of a serious security risk with the Zoom Connector for Cisco on October 31st, 2019 and followed our well-established process to investigate the issue. We believe Zoom had also been notified on October 31 or thereabouts. On November 18th, our CISO notified Zoom’s CISO of our findings and advised immediate action to address all security risks. I am sharing the details of this issue as we are committed to transparency and to protecting our customers in the constantly evolving security landscape.
The Zoom Connector for Cisco, owned and operated by Zoom Video Communications, connects their cloud to a customer’s internal network and specifically a Cisco Endpoint/Video Device and its management interface.
What was the issue? Regrettably, access (through a Zoom URL) to the Zoom Connector for Cisco hosted on zoom.us required no authentication.
Issue details: Cisco Webex Devices can be managed through a web interface that provides management of configuration, status, logs, security, and integrations such as in-room controls and macros. The Zoom Connector for Cisco created a device-specific URL hosted on the Zoom website for each endpoint configured in the connector. This URL provided access to the device’s web interface by using Zoom’s on-premises API Connector to modify the Cisco web pages so they could be accessed from the Zoom URL outside the customer’s network. Regrettably, this Zoom URL provided from their website was accessible without authentication. In addition, Zoom provided a landing page that copied Cisco’s landing page, including Cisco’s logo and branding, misleading customers into believing they were on a Cisco webpage with Cisco security, rather than a publicly accessible URL.
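The access-control gap described above, as an added example that is not Cisco's or Zoom's code: a generic relay's authorization decision, first in the weak form where knowing the device-specific URL is enough, then in a hardened form that requires a signed, unexpired session and a per-device permission. All names, keys and device IDs are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical, constructed values; this models a generic relay only.
SESSION_KEY = b"constructed-demo-key"        # server-side signing secret
DEVICE_ADMINS = {"dev-7f3a": {"alice"}}      # device id -> users allowed to manage it

def _now(now):
    return now if now is not None else time.time()

def _mac(body):
    return hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()

def weak_authorize(device_id, cookie):
    """Weak pattern: the device-specific URL is the only thing checked."""
    return device_id in DEVICE_ADMINS

def issue_session(user, now=None, ttl=900):
    """Mint a signed cookie 'user|expiry|mac' after a real login step."""
    body = f"{user}|{int(_now(now) + ttl)}"
    return f"{body}|{_mac(body)}"

def verify_session(cookie, now=None):
    """Return the user for a valid, unexpired cookie, else None."""
    if not cookie or cookie.count("|") != 2:
        return None
    user, expiry, mac = cookie.split("|")
    expected = _mac(f"{user}|{expiry}")
    # Constant-time comparison of the signature.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not expiry.isdigit() or int(expiry) < _now(now):
        return None
    return user

def hardened_authorize(device_id, cookie, now=None):
    """Relay only when an authenticated user is authorized for this device."""
    user = verify_session(cookie, now)
    return user is not None and user in DEVICE_ADMINS.get(device_id, set())
```
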
The Zoom Connector for Cisco created the following critical security risks:
On November 19th, 2019, Zoom released a “bug fix” that partially addressed the security issues and, after further communication from Cisco, provided an email with incomplete information on the security risks to their affected customers.
At Cisco Webex, we live by secure, simple, and scalable principles. Over my decades in the software industry, I have learned that it is never acceptable to bypass security norms for the sake of convenience and simplicity. And when so much sensitive data is being shared through video conferencing, including the ability to use a device’s camera, security must be of utmost importance. That is the promise we at Cisco hold dearly for every one of our customers, and embodied by the steps we took for this issue:
If you are a customer using the Zoom Connector for Cisco, please review your administrative logs and analyze the usage to see if there was any breach as a result of the implementation described here.
At present, the Zoom Connector for Cisco is not a Cisco supported solution that meets our standards of enterprise-grade security. Our supported solutions meet the standards our customers expect out of Cisco by using our well documented open APIs.
You can continue to have your Cisco Webex Devices and Rooms connect to Zoom Meetings using standard supported methods like SIP as well as our XAPIs documented here.
It is our promise to work with each of our customers to provide them the most secure configuration. Please reach out to us at email@example.com if you have further questions or if you need us to help secure your Cisco Webex Devices. We work with every partner who uses our APIs responsibly. We stand ready to work with Zoom, to have them use the supported APIs and get the solution certified through our official programs.