Amidst the lockdown in many countries due to the coronavirus pandemic, people are now relying on teleconferencing applications to continue to stay connected with work or their distant families. One such popular teleconferencing app globally is Zoom.
But is Zoom safe or a spy for China.
The Citizen Lab at the University of Toronto is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.
The Citizen Lab report examined the encryption that protects meetings in the popular Zoom teleconference app. It found that Zoom has “rolled their own” encryption scheme, which has significant weaknesses.
In addition, it identified potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China.
Here are the key findings of the The Citizen Lab investigations into ZOOM:
- Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
- The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
- Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
The report further indicated that while Zoom was headquartered in the United States, and listed on the NASDAQ, the mainline Zoom app appears to be developed by three companies in China, which all have the name – Ruanshi Software. Two of the three companies are owned by Zoom, whereas one is owned by an entity called American Cloud Video Software Technology Co., Ltd.
Zoom’s most recent SEC filling shows that the company (through its Chinese affiliates) employs at least 700 employees in China that work in “research and development.”
The filing also implies that 81 per cent of Zoom’s revenue comes from North America.
Running development out of China likely saves Zoom having to pay Silicon Valley salaries, reducing their expenses and increasing their profit margin.
However, this arrangement could also open up Zoom to pressure from Chinese authorities.
While the mainline Zoom app (zoom.us) was reportedly blocked in China in November 2019, there are several third-party Chinese companies that sell the Zoom app within China (e.g., zoom.cn, zoomvip.cn, zoomcloud.cn).
The report further stated that:
“Unfortunately for those hoping for privacy, the implementation of call security in Zoom may not match its exceptional usability. We determined that the Zoom app uses non-industry-standard cryptographic techniques with identifiable weaknesses. In addition, during multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China.
An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China.
Our report comes amidst a number of other recent research findings and lawsuits identifying other potential security and privacy concerns with the Zoom app. In addition, advocacy groups have also pointed out that Zoom lacks transparency report a critical step towards addressing concerns arising when companies have access to sensitive user data. Zoom has just started (April 2nd, 2020) that it will release such a report within 90 days.
As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:
- Governments worried about espionage
- Businesses concerned about cybercrime and industrial espionage
- Healthcare providers handling sensitive patient information
- Activists, lawyers, and journalists working on sensitive topics”
The Citizen Lab raises pertinent questions about the safety of the teleconferencing app Zoom and also about its security due to links off Zoom with China.
0001585521-20-000095