Experts believe that the popular teleconference application Zoom is not as secure as it bills itself to be.
Researchers with Citizen Lab, an information laboratory with the Munk School of Global Affairs at the University of Toronto, have found that San Francisco-based Zoom not only utilizes an easy-to-decrypt format while hosting conferences, but also sends the encryption keys to China.
“During multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China,” Bill Marczak and John Scott-Railton, two researchers with Citizen Lab, wrote in their report.
Zoom claims that its app uses “AES-256” encryption for meetings where possible, but the university researchers found that in each Zoom meeting, a single AES-128 key is used in Electronic Code Book (ECB) mode by all participants to encrypt and decrypt audio and video. ECB mode is not recommended by security experts since patterns in the plaintext are preserved when encrypted, making it easier for malicious actors that have the corresponding keys to decrypt the data.
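The pattern preservation described above can be seen directly. The following Go program is an added example, not code from Citizen Lab's report or from Zoom: it encrypts a constructed frame under a constructed AES-128 key in ECB mode and, for comparison, in counter (CTR) mode, then counts the ciphertext blocks that repeat. The function names, key and sample frame are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptECB encrypts each 16-byte block independently; Go ships no ECB mode.
func encryptECB(block cipher.Block, pt []byte) []byte {
	if len(pt)%aes.BlockSize != 0 {
		panic("plaintext must be a multiple of the AES block size")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptCTR encrypts the same data in counter mode, for comparison.
func encryptCTR(block cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(ct)/aes.BlockSize - len(seen)
}

// compare encrypts a constructed frame (header block + six identical blocks).
func compare() (ecb, ctr int) {
	frame := append([]byte("HDR:frame-000001"), bytes.Repeat([]byte{0x80}, 6*aes.BlockSize)...)
	// Constructed 16-byte key selects AES-128; a 16-byte key cannot fail here.
	block, _ := aes.NewCipher([]byte("constructed-key!"))
	iv := make([]byte, aes.BlockSize) // fixed only to keep the demo repeatable
	return repeatedBlocks(encryptECB(block, frame)), repeatedBlocks(encryptCTR(block, iv, frame))
}

func main() {
	ecb, ctr := compare()
	fmt.Printf("repeated ciphertext blocks: ECB=%d CTR=%d\n", ecb, ctr)
}
```

The ECB count is visible to anyone who captures the ciphertext, without the key. In real use a counter-mode IV must never repeat under the same key, and an authenticated mode such as AES-GCM is the usual choice.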
Citizen Lab also noted that these AES-128 keys, which can be used to easily decrypt Zoom data packets, appear to be generated – and in some cases, even delivered to Zoom users – through servers in China. The researchers suggested that the keys are being sent to China because Zoom has subsidiary offices in the country.
“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server,” the report said.
The researchers warned that Zoom’s China offices are under the jurisdiction of the Chinese government, which can compel local companies to hand over information such as the encryption keys.
News of Zoom’s questionable encryption comes as the number of “Zoom-bombing” incidents increases – a growing concern as more people rely on teleconferencing as they work from home amid the COVID-19 pandemic. PC Mag reported that the teleconference platform’s lack of security has prompted even the US Federal Bureau of Investigation to issue a warning to the public about the vulnerability.