
Certain Zoom encryption keys are sent to meeting participants via servers in China, researchers say
Zoom is a teleconferencing application that has grown considerably in popularity as much of the world has shifted to working from home. The overall design goal of the application seems to be to reduce friction during videoconferencing and to make things work “simply”. Zoom’s popularity has skyrocketed since the start of the Covid-19 pandemic, but a lot seems to be catching up with it now.
Discoveries of serious security flaws are increasing: some tech industry leaders have begun to criticize Zoom, and others already prohibit its use within their organizations. A former NSA hacker discovered a new security flaw in Zoom that can be used to take control of Macs, in particular the webcam, the microphone and “root” access. According to researchers at the University of Toronto, meetings on Zoom are encrypted using an algorithm with serious and well-known security weaknesses, and sometimes using keys issued by servers in China, even when the meeting participants are all in North America.
Zoom claims to use encryption in its literature, but researchers say otherwise
Zoom documentation claims that the application uses AES-256 encryption for meetings. However, the researchers found that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended, since patterns present in the plaintext are preserved during encryption.
According to the researchers, the Zoom documentation contains a number of unclear statements about the encryption offered by the platform. Some Zoom documentation (as well as the Zoom application itself) claims that Zoom offers end-to-end encryption for meetings. However, for the researchers, the term “end-to-end encrypted” means that only the parties to the communication can access it (and not the intermediaries who relay the communication). Other Zoom documentation indicates that Zoom’s meeting software for Windows, macOS, and Linux defaults to the standard TLS 1.2 scheme for transport encryption, although it appears that the platform does not use TLS.
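The pattern preservation described above can be reproduced directly. The following is an added example, not code from the researchers or from Zoom: a compact, non-constant-time AES-128 written from FIPS-197 so that it runs on the Python standard library alone, applied in ECB mode to a constructed frame. The FRAME and KEY values and all function names are assumptions of this example.

```python
# Added illustration, not code from the article, the researchers or Zoom.
from collections import Counter

def _xtime(a):  # multiply by x in GF(2^8), reduced by the AES polynomial
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _make_sbox():
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xtime(p)                             # p = p * 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4      # q = q / 3, so q = 1/p
        q = (q & 0xFF) ^ (0x09 if q & 0x80 else 0)
        x = q | (q << 8)                           # doubled byte: rotations become shifts
        sbox[p] = ((x ^ (x >> 4) ^ (x >> 5) ^ (x >> 6) ^ (x >> 7)) & 0xFF) ^ 0x63
        if p == 1:
            return sbox

SBOX = _make_sbox()

def expand_key(key):  # AES-128 key schedule: 11 round keys as flat 16-byte lists
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                             # RotWord, SubWord, round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[s[5 * i % 16]] for i in range(16)]    # SubBytes + ShiftRows
        if rnd < 10:                                    # MixColumns (skipped in last round)
            cols = [s[c:c + 4] for c in range(0, 16, 4)]
            s = [a[j] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ _xtime(a[j] ^ a[(j + 1) % 4])
                 for a in cols for j in range(4)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]         # AddRoundKey
    return bytes(s)

def ecb_encrypt(key, data):  # ECB: each 16-byte block is encrypted on its own
    rk = expand_key(key)     # data length is assumed to be a multiple of 16
    return b"".join(encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))

def repeated_blocks(data):  # number of 16-byte blocks whose value occurs more than once
    counts = Counter(data[i:i + 16] for i in range(0, len(data), 16))
    return sum(n for n in counts.values() if n > 1)

# Constructed sample "media frame": silence, one distinct block, silence again.
FRAME = bytes(64) + b"constructed data" + bytes(48)
KEY = bytes(range(16))  # constructed key (the FIPS-197 example key)
```

Calling `repeated_blocks(ecb_encrypt(KEY, FRAME))` returns 7, the same count as for the plaintext frame: an observer without the key can still see which parts of the frame are identical.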
Zoom admits that its platform does not currently implement end-to-end encryption
In response to this confusion, in a blog post published on April 1, Zoom explains its encryption scheme. Basically, the blog post states that Zoom does not currently implement “end-to-end” encryption as most people understand the term; instead, Zoom uses the term “end-to-end encryption” to describe a situation in which all participants in the conference (with the exception of those who connect via the public switched telephone network) are required to use transport encryption between their devices and the Zoom servers.
For the researchers, Zoom’s definition of “end-to-end encryption” does not seem to be a standard definition, even in the area of enterprise video conferencing solutions. Because Zoom does not implement true end-to-end encryption, it has the theoretical ability to decrypt and monitor Zoom calls. Nevertheless, Zoom mentions that it has not built a mechanism to intercept the meetings of its clients.
Zoom sends certain encryption keys via servers in China
The AES-128 keys, which the researchers say they have verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers and, in some cases, are delivered to participants in a Zoom meeting via servers in China, even when the meeting attendees are outside of China.
“When testing a Zoom meeting with two users, one in the United States and the other in Canada, we found that the AES-128 key for conference encryption and decryption had been sent to one of the participants via TLS from a Zoom server apparently located in Beijing. An analysis shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software. We believe the keys can be distributed through these servers,” said the researchers.
However, Zoom CEO Eric S Yuan said that routing of US calls through Chinese servers is not the norm and only happened because of the high traffic. “During normal operations, Zoom clients attempt to connect to a series of primary data centers in or near a user’s region, and if these multiple connection attempts fail due to network congestion or other issues, customers will reach two secondary data centers from a list of multiple secondary data centers as a potential backup bridge to the Zoom platform. In all cases, Zoom customers receive a list of data centers appropriate for their region. This system is essential to the reliability of Zoom brands, especially during this period.”
Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop the Zoom software. This is apparently an effort by Zoom to avoid paying wages to Americans when selling to American customers, thereby increasing its profit margin. However, this can make Zoom susceptible to pressure from Chinese authorities.
New York attorney general sends request for explanation to Zoom
New York’s Attorney General Letitia James sent a letter to the company on Monday asking it to describe the steps it has taken to address security concerns and adapt to the increasing number of users. In the letter, James said that Zoom had been slow to address security breaches “that could allow malicious people, among others, to surreptitiously access webcams.”
A Zoom spokesperson said he plans to send James the requested information and comply with the request. “Zoom takes the privacy, security and trust of its users very seriously. During the Covid-19 pandemic, we work tirelessly to ensure that hospitals, universities, schools and other businesses around the world can stay connected and operational,” said the spokesperson.