A recent review of the Zoom video conferencing software revealed that, even though all participants located in other countries, the keys for encrypting and decrypting meetings can be sent to servers in China.
As a result of its growing prominence due to the COVID-19 coronavirus outbreak, cybersecurity and privacy experts have been investigating Zoom. The organization revised its privacy policies, fixed specific potentially dangerous bugs, and vowed to take steps to fix those concerns.
Zoom has further explained recently that its “end-to-end encryption” concept varies from that of the cybersecurity community. End-to-end encryption usually means that messages are encrypted in such a way that nobody can access the data exchanged between the sender and the receiver. Even the service provider does not have access to unencrypted information when end-to-end encryption is used.
In Zoom, however, only messages are encrypted between meeting participants and Zoom servers, which gives the organization access to unencrypted information and enables it to track conversations. Nevertheless, Zoom reported that it “never built a mechanism to decrypt live meetings for lawful intercept purposes.”
An investigation undertaken by the Citizen Lab Group of the University of Toronto found that this is not the only problem related to encryption with zoom. During tests carried out by users in Canada and the USA, researchers found that the video conference key used to encrypt and decrypt sent to a server apparently in Peking, China.
Zoom also recently clarified that its definition of “end-to-end encryption” is different from the one of the cybersecurity community. End-to-end encryption typically means that communications are protected in a way that ensures no one — except for the sender and the recipient — can access the data transmitted. If end-to-end encryption is used, not even the service provider should have access to unencrypted data.
However, in the case of Zoom, only communications between meeting participants and Zoom servers are encrypted, which gives the company access to unencrypted data and allows it to monitor conversations. Zoom, however, claims that it has “never built a mechanism to decrypt live meetings for lawful intercept purposes.”
An analysis conducted by the University of Toronto’s Citizen Lab research group revealed that this is not the only issue related to encryption when it comes to Zoom. During test meetings conducted by users in Canada and the United States, researchers noticed that the key used to encrypt and decrypt the video conference was sent to a server located in Beijing, China.
“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” Citizen Lab explained in a report published on Friday.
For encryption, the organization, as opposed to Zoom documentation which claims AES-256 encoding, found that Zoom meetings are encrypted with an AES-128 key. In addition, the AES key is used in the ECB mode, which is no longer recommended because data patterns are not adequately protected.
Citizen Lab also said that while Zoom is based in the USA, it owns three Chinese companies that develop Zoom software.
“Zoom’s most recent SEC filing shows that the company (through its Chinese affiliates) employs at least 700 employees in China that work in ‘research and development.’ The filing also implies that 81% of Zoom’s revenue comes from North America. Running development out of China likely saves Zoom having to pay Silicon Valley salaries, reducing their expenses and increasing their profit margin. However, this arrangement could also open up Zoom to pressure from Chinese authorities,” researchers said.