
Is That a Legit Zoom Call or Are You Getting Hacked?

Hackers could bypass network security by exploiting popular video-chat platforms. At Black Hat, a security expert says Zoom and Teams are most vulnerable; only one has released a patch.

Neil J. Rubenking, Principal Writer, Security


LAS VEGAS—Major networks get hacked every week, and at Praetorian Security, Adam Crosser’s job is to find new and different ways to break into valuable targets. His goal is to help network defenders head off new attacks, and his session at the Black Hat security conference in Las Vegas exposed a new way that scammers could get past network security by misusing two major video conferencing platforms. Spoiler alert—one of them patched their software to foil this attack just before Black Hat started. But the other one didn’t.


How Do Hackers Compromise Networks?

In the movies, network hacking is fast. A hacker in a hoodie pounds the keyboard for a few minutes and announces, “I’m in!” In the real world, infiltrating a corporate network is a gradual process. Hackers start by slipping a tiny, nondescript program into the network. Then, they send instructions that let that program gradually expand its access, quietly and steadily working toward full control.

Modern network security naturally aims to prevent this kind of skullduggery. The essential command and control communication with that initial intruding process is a big red flag for network intrusion monitors. A modern hacker needs a communication avenue that doesn’t stand out.


What Makes a Connection Perfect for Hackers?

Crosser's team set out to find an ideal connection for short-term command and control. They identified four important criteria. “First is latency,” he said, meaning the connection needs to be fast and responsive. “Then throughput,” he continued, meaning the amount of data. “You need both.”

His next criterion was reach—the technology must be widely available. He gave Tor and IRC as examples of tech that never had (and still don't have) sufficient reach. Finally, the technology must be trusted by its users and network administrators.

Crosser reviewed several connection types, demonstrating that each failed one or more of the four criteria. These included using DNS communication, working through cloud storage, and even email. Web conferencing systems such as Zoom and Teams, however, checked all four boxes, making them ideal intrusion methods.


Zoom and Teams Can Break Network Security

Crosser noted that web conferencing systems themselves have to do a lot of work breaking through network restrictions. Microsoft Teams support recommends using split tunneling to avoid connecting through a VPN, for example. If your network security keeps the CEO from attending video meetings, well, he’s not going to be happy.

Crosser, going into detail comprehensible only to the network-savvy attendees, laid out all the steps Zoom may go through trying to connect from within a highly secure network. In short, if one technique doesn’t work, it just tries and tries again until it finds a way to connect, or just fails, prompting that call from the CEO to the IT department.

“Zoom and Teams are the most popular by a wide margin,” noted Crosser. “We focused on these two solutions. Even if your business uses Google Meet internally, you surely have external meetings that use one of these.” The point here is that your attack won’t get caught breaking through security because the video conferencing tool has already punched right through it.


Hijacking the Connection

Crosser explained how the team extracted authentication credentials from a Zoom or Teams call and used them to piggyback their own traffic on that connection. In live demos, he showed that it was possible to covertly download a file to the victim's system. That's where the real danger lies: someone who thinks they're trying to connect to a video call ends up with malware on their company computer that could steal their data or the company's data or, worse, launch a ransomware attack against the whole firm.

The attack technique involves a technology called TURN, a network protocol for connecting devices that can’t easily connect directly. The team coded up an app that they called TURNt, for TURN tunneler, which Crosser made available to attendees.
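Because TURN traffic is meant to look like ordinary conferencing media, one defensive check is to decode TURN Allocate requests on the wire and alert when a host asks a relay that is not on the organization's sanctioned list. The following is an added illustration written for this article, not Praetorian's TURNt tool or any Zoom or Teams code; the relay names, usernames and packets are constructed sample data, and the framing follows the public STUN/TURN message layout (20-byte header with the 0x2112A442 magic cookie, then 4-byte-aligned TLV attributes).

```python
import struct

STUN_MAGIC = 0x2112A442
METHOD_ALLOCATE = 0x003                      # TURN Allocate method number
ATTR_USERNAME, ATTR_REALM = 0x0006, 0x0014   # STUN attribute type codes

def stun_method(mtype):
    """Recover the 12-bit method from the message-type field (bits C0/C1 carry the class)."""
    return (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)

def stun_class(mtype):
    """0 = request, 1 = indication, 2 = success response, 3 = error response."""
    return ((mtype & 0x0010) >> 4) | ((mtype & 0x0100) >> 7)

def parse_stun(data):
    """Parse one STUN/TURN message; returns None if the bytes are not STUN-framed."""
    if len(data) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC or mtype & 0xC000 or len(data) < 20 + length:
        return None
    attrs, pos = {}, 20
    while pos + 4 <= 20 + length:            # TLV attributes, values padded to 4 bytes
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        attrs[atype] = data[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)
    return {"method": stun_method(mtype), "class": stun_class(mtype), "attrs": attrs}

def build_stun(mtype, attrs, txid=b"\x00" * 12):
    """Assemble a STUN message; used here only to construct sample packets."""
    body = b""
    for atype, val in attrs:
        body += struct.pack("!HH", atype, len(val)) + val + b"\x00" * (-len(val) % 4)
    return struct.pack("!HHI", mtype, len(body), STUN_MAGIC) + txid + body

def flag_allocations(packets, allowed_relays):
    """Alert on TURN Allocate requests sent to relays outside the allow-list."""
    alerts = []
    for dst, payload in packets:
        msg = parse_stun(payload)
        if not msg or msg["method"] != METHOD_ALLOCATE or msg["class"] != 0:
            continue
        if dst not in allowed_relays:
            user = msg["attrs"].get(ATTR_USERNAME, b"").decode(errors="replace")
            realm = msg["attrs"].get(ATTR_REALM, b"").decode(errors="replace")
            alerts.append((dst, user, realm))
    return alerts

# Constructed sample traffic: one Allocate to a sanctioned relay, one to an unknown host, one non-STUN blob.
CREDS = [(ATTR_USERNAME, b"alice"), (ATTR_REALM, b"example-conf.test")]
SAMPLE = [("turn.example-conf.test", build_stun(0x0003, CREDS)),
          ("203.0.113.7", build_stun(0x0003, CREDS)),
          ("203.0.113.7", b"not stun at all")]
ALLOWED = {"turn.example-conf.test"}
```

In practice the packet list would come from a capture on UDP/TCP 3478 (or TLS 5349), and an Allocate toward a relay the conferencing vendor does not publish is the event worth investigating.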

Crosser noted that just before Black Hat, Zoom released a patch that defeats the TURNt attack, but Teams is still vulnerable. He concluded with thoughts for future research in this area. “It’s a good entry point for new researchers,” he said. “Pick a topic, expand on it, see if you can make something that functions.”
