Abstract:The authentication ceremony plays a crucial role in verifying the identities of users before exchanging messages in end-to-end encryption (E2EE) applications, thus preventing impersonation and man-in-the-middle (MitM) attacks. Once authenticated, the subsequent communications in E2EE apps benefit from the protection provided by the authentication ceremony. However, the current implementation of the authentication ceremony in the Zoom application introduces a potential vulnerability that can make it highly susceptible to impersonation attacks. The existence of this vulnerability may undermine the integrity of E2EE, posing a potential security risk when E2EE becomes a mandatory feature in the Zoom application. In this paper, we examine and evaluate this vulnerability in two attack scenarios, one where the attacker is a malicious participant and another where the attacker is a malicious Zoom server with control over Zoom's server infrastructure and cloud providers. Our study aims to comprehensively examine the Zoom authentication ceremony, with a specific focus on the potential for impersonation attacks in static media and textual communications. We simulate a new session injection attack on Zoom E2EE meetings to evaluate the system's susceptibility to simple voice manipulations. Our simulation experiments show that Zoom's authentication ceremony is vulnerable to a simple voice manipulation, called a VOICE-ZEUS attack, by malicious participants and the malicious Zoom server. In this VOICE-ZEUS attack, an attacker creates a fingerprint in a victim's voice by reordering previously recorded digits spoken by the victim. We show how an attacker can record and reorder snippets of digits to generate a new security code that compromises a future Zoom meeting. We conclude that stronger security measures are necessary during the group authentication ceremony in Zoom to prevent impersonation attacks.

VOICE-ZEUS: Impersonating Zoom's E2EE-Protected Static Media and Textual Communications via Simple Voice Manipulations

The Silent Manipulator: A Practical and Inaudible Backdoor Attack against Speech Recognition Systems

UltraBD: Backdoor Attack against Automatic Speaker Verification Systems via Adversarial Ultrasound

VocalLock

FenceSitter: Black-box, Content-Agnostic, and Synchronization-Free Enrollment-Phase Attacks on Speaker Recognition Systems

Towards Seamless Authentication for Zoom-Based Online Teaching and Meeting

EM-Whisperer: A Voice Injection Attack via Powerline for Virtual Meeting Scenarios

Manipulating Voice Assistants Eavesdropping via Inherent Vulnerability Unveiling in Mobile Systems

Zoom on the Keystrokes: Exploiting Video Calls for Keystroke Inference Attacks

You Can Hear But You Cannot Steal: Defending Against Voice Impersonation Attacks on Smartphones

Dangerous Skills: Understanding and Mitigating Security Risks of Voice-Controlled Third-Party Functions on Virtual Personal Assistant Systems

Motion Sensor-based Privacy Attack on Smartphones

Voiceprint Mimicry Attack Towards Speaker Verification System in Smart Home

Practical Attacks on Voice Spoofing Countermeasures

High-quality Speech Recovery Through Soundproof Protections Via Mmwave Sensing

BarrierBypass: Out-of-Sight Clean Voice Command Injection Attacks through Physical Barriers

Secure Voice Interactions with Smart Devices

Towards Vulnerability Analysis of Voice-Driven Interfaces and Countermeasures for Replay

Understanding and Mitigating the Security Risks of Voice-Controlled Third-Party Skills on Amazon Alexa and Google Home

Your Voice Assistant is Mine: How to Abuse Speakers to Steal Information and Control Your Phone

A Robust Ecc Based Mutual Authentication Protocol With Anonymity For Session Initiation Protocol