Bug Nonties! Vol 2
This is a series on practicing the skills used to hunt for bugs, make the world a better place, and earn some coin. This series is, by many accounts, a list of failures, since none of the things I write about were considered vulnerabilities or valid for a fix. I did, however, gain some good old lessons in how things work, and hopefully these lessons help expand your secure horizons as well. Read on!
Microsoft Teams Unauthorized Dial-out Disclosure Vulnerability
Introduction
It goes without saying that remote meetings are popular, enabled by tools like Microsoft Teams. While most remote meetings may never require the same level of anti-recording assurance as some in-person meetings, additional controls are warranted for all remote meetings to prevent exposure of sensitive information.
A low-skilled insider threat may use the "dial out" feature to record sections of audio content without triggering a clear recording notice to meeting attendees. This can be used to exfiltrate sensitive corporate or personal audio in a difficult-to-detect manner. Additionally, this may lead to failures to comply with local legal or regulatory requirements around recording consent, and potentially creates unintended exposure to liability. Implementing Answering Machine Detection (AMD) technology and/or an easy-to-understand banner when outside numbers are used are examples of controls which could help minimize abuse in this space.
Terminology
While researching this possible exposure, I became familiar with some specific functions of MS Teams that I wasn't as well-versed in before. For example, "Dial-out," "call me" and "invite someone" may be used interchangeably throughout this report, so don't get too hung up on differences there. Each refers to the feature(s) enabling outbound calls from within a Teams meeting, and applies to either the participant-audio vector or the invite-via-phone-number vector.
“Call collector” refers to the system which has been pre-configured by an attacker to receive calls made from the dial-out feature and record the contents of the meeting.
Conditions
- The meeting has to be created as part of an E5 License OR with licenses carrying the Audio-Conferencing add-on.
- The meeting has to have the dial-out permissions set to “Allow” in the admin center.
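The second condition is an administrator-controlled setting, so the admin side is where a defender can close this off or at least make it visible. The following is an added PowerShell example, not part of the original write-up, showing how to audit which users can dial out from meetings, restrict that capability while leaving ordinary calling intact, and set the tenant default for entry/exit announcements. It assumes the MicrosoftTeams PowerShell module is installed and `Connect-MicrosoftTeams` has already been run with a Teams administrator account; the policy names and the `OnlineDialOutPolicy` property format are as documented for the outbound calling restriction policies, but should be confirmed against the output of `Get-CsOnlineDialOutPolicy` in your own tenant and module version.

```powershell
# Added example (not part of the original write-up): audit and restrict
# audio-conferencing dial-out with the MicrosoftTeams PowerShell module.
# Assumes Connect-MicrosoftTeams has already been run as a Teams admin.

# 1. List the outbound calling restriction policies available in the tenant.
#    In these policy names, "CP" (conferencing provider) governs dial-out from
#    meetings and "PSTN" governs the user's ordinary outbound calls.
Get-CsOnlineDialOutPolicy | Select-Object Identity

# 2. Find users who can still dial out from meetings. A user with no explicit
#    policy inherits the tenant default, which (unless it has been changed)
#    allows meeting dial-out, so $null is treated as "enabled" here.
$dialOutEnabled = Get-CsOnlineUser |
    Where-Object { $_.OnlineDialOutPolicy -notlike '*DialoutCPDisabled*' } |
    Select-Object UserPrincipalName, OnlineDialOutPolicy
$dialOutEnabled | Format-Table -AutoSize

# 3. Disable meeting dial-out for those users while keeping domestic PSTN
#    calling. Use 'DialoutCPandPSTNDisabled' instead if they should place no
#    outbound PSTN calls at all. Scope $dialOutEnabled to a pilot group first.
foreach ($u in $dialOutEnabled) {
    Grant-CsDialoutPolicy -Identity $u.UserPrincipalName -PolicyName 'DialoutCPDisabledPSTNDomestic'
}

# 4. Set the tenant default so a phone leg joining or leaving a meeting is
#    announced by name. This is a default, not a lock: organizers can still
#    change "announce when callers join or leave" in a meeting's options.
Set-CsOnlineDialInConferencingTenantSettings -EnableEntryExitNotifications $true `
    -EntryExitAnnouncementsType 'UserNameOnly'
```

Step 3 is the one that actually removes the precondition for the technique described in this write-up; step 4 only raises the chance that an added phone leg is noticed, and a quiet tone (`'ToneOnly'`) is easier to miss than a spoken name. Re-run step 2 periodically, since newly licensed users pick up the tenant default rather than the per-user policy granted here.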
Test Setup
Because exploiting the "dial out" feature in Teams requires an outbound call to be made, and ringing is generally audible to all meeting attendees, the call collector must meet the following requirements to avoid raising suspicion:
- Send calls to voicemail rapidly or immediately (e.g., "do not disturb")
- Not require user interaction to begin or end recording
- Give no indication that recording is underway
Supporting Environment
The attack is organized below into three attacker personas: "malicious organizer," "attendee" and "opportunist." These were tested using Microsoft Teams and Google Voice. The call collector provider is not critical, though slight variations in capability, such as maximum recording length, exist between services. Additionally, non-VoIP options may prove promising for removing the recording tone altogether, eliminating the need to mute the call collector's number first.
Test Execution
Malicious Organizer
- Mute the phone number for the call collector.
- Prior to others joining the meeting, add the call collector as a participant to the meeting via "dial a number".
- Disable/mute the mic for the call collector's phone number.
  - Note that mic mute persists as long as at least one person remains in the meeting, and the status is applied across features, i.e. muting a number which has been invited as a participant will mute the number for the dial-out feature as well. If all participants leave, this setting will not persist, even if the same meeting is rejoined later, and in the case of this attack the call collector number would no longer be muted. This means the attacker would have to perform Step 1 again to minimize detection.
- Use the "call me" feature.
  - This avoids the more questionable circumstance where an unrecognized phone number appears in a meeting.
- OR just leave the call collector as a participant:
  - Select "mute all participants."
  - IF leaving the call collector as a participant is a reasonable approach for the target meeting, set "announce when callers join or leave" to False.
- (optional) Re-enable computer audio.
  - This facilitates continued coordination in the call during recording: select "Mic" then "Turn audio on." Otherwise, all the audio will be routed to the call collector.
- (optional) Repeat as needed prior to the recording limit being reached.
  - e.g. every 3-5 min
Malicious Attendee
- Join the target meeting.
- Use the "call me" feature.
  - This avoids the more questionable circumstance where an unrecognized phone number appears in a meeting.
- (optional) Re-enable computer audio.
  - This facilitates continued coordination in the call during recording: select "Mic" then "Turn audio on." Otherwise, all the audio will be routed to the call collector.
- (optional) Repeat as needed prior to the recording limit being reached.
  - e.g. every 3-5 min
Opportunist
- Upon joining, notes that all attendees are already set to mute.
- Follows the malicious attendee steps two through four and avoids detection because the call collector is already automatically muted.
Test Results
- Target information is recorded, and the organization or individual is unaware the attack has taken place.
Possible Mitigations Offered (Most-effective first)
- Investigate implementing an Answering Machine Detection (AMD) capability in the Teams product for "dial out" functionality.
  - Terminate the call on Answering Machine Detection.
- Consider an appropriate lightweight banner, icon, or other educational information, similar to browser TLS warnings, such as "outside numbers are being utilized in this meeting; recording outside of Microsoft Teams is possible."
- Prevent simultaneous joining from computer audio AND phone audio.
- Assess resetting mic mute status upon each disconnect.
- Establish more granular permission options for audio conferencing.
- Consider limiting how many times attendees can dial out.
- Investigate limiting dial-outs after a certain amount of time has passed.
- Prompt the organizer to allow or deny the use of dial-out on a per-meeting basis.
Key Take-aways
This testing took a long time, but running down the various use cases and attacker personas was an extremely valuable mental exercise. I communicated this to Microsoft, and they validated that this was in fact a valid vulnerability; but because it was not high priority, they couldn't tell me when or if they'd fix it. A fix would be slated for a potential, undetermined future release, and the case was closed. I get that many vulnerabilities are reported, so decisions have to be made. I asked if I could disclose this publicly since the case was closed and received no response. I followed up, indicating that the lack of response indicated to me that I had permission to disclose.