Videoconferencing app employs custom encryption scheme and uses servers based in Beijing, researchers find as Zoom popularity soars
A Toronto-based research institute has recommended organisations against using the Zoom teleconferencing application for certain types of meetings, after discovering “significant weaknesses” in the custom encryption scheme the app uses.
The Citizen Lab said it had also found an unpatched flaw in the Zoom’s Waiting Rooms feature and had reported it to the company.
The group’s report follows Zoom’s move last week to freeze the app’s current feature set and spend the next 90 days working exclusively on “trust, safety, and privacy issues”.
The Citizen Lab, based at the University of Toronto, said Zoom appears to use a custom extension to the Real-time Transport Protocol (RTP) standard, which includes the company’s own encryption scheme.
The scheme involves the use of a single AES-128 key generated by Zoom’s servers and shared amongst the participants for encryption and decryption of the call’s audio and video, researchers said.
Zoom’s encryption and decryption use the Advanced Encryption Standard (AES) in ECB mode, which the researchers said is “well-understood to be a bad idea” as patterns from the source remain detectable.
The lab criticised the firm for “potentially misleading and conflicting claims” regarding its encryption scheme, the details of which it said the company has never clarified.
Researchers also found that in test calls the AES-128 key was sent to participants from a Zoom server apparently located in Beijing.
“A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” The Citizen Lab said in its study.
While Zoom Video Communications is based in Silicon Valley and trades on the Nasdaq, it was founded by Chinese-born Eric Yuan, and employs at least 700 staff in China to develop the Zoom software.
The Citizen Lab warned that this arrangement “may make Zoom responsive to pressure from Chinese authorities”.
Cyber spying risk
Such issues would have seemed minor a few weeks ago, but usage of teleconferencing apps, and Zoom in particular, has skyrocketed amidst the coronavirus crisis.
Zoom said it had more than 200 million calls per day in March, up from a previous maximum total of 10 million, the company said last week.
Microsoft’s Teams software has also registered a significant rise in traffic, while Cisco’s Webex hosted 324 million attendees in March, with usage growing by 2.5 times in the Americas, four times in Europe and 3.5 times in Asia Pacific, Cisco said last week.
With sensitive government and business conversations now taking place over such platforms, the situation has created a “potential goldmine for cyber spies”, The Citizen Lab said.
The lab said that while Zoom is extremely user-friendly, “the implementation of call security in Zoom may not match its exceptional usability”, and advised governments, businesses, healthcare providers and others not to use it for discussing sensitive material.
But the researchers said Zoom presents few security risks for those looking to keep in touch with friends, hold social events or organise courses or lectures.
“Zoom has made the classic mistake of designing and implementing their own encryption scheme, rather than using one of the existing standards for encrypting voice and video content,” said The Citizen Lab research fellow Bill Marczak.
“To be sure, Zoom’s encryption is better than none at all, but users expecting their Zoom meetings to be safe from espionage should think twice before using the app to discuss sensitive information.”
The UK’s National Cyber Security Centre said Zoom is being used to enable unclassified crisis communications under “the current unprecedented circumstances”.
“Assured services are in place for more sensitive communications and the provision of these services is being widened given the demands of much greater remote working,” the agency said in a statement.
The government has said it is using Zoom for Cabinet meetings but not emergency Cobra meetings.