Cybersecurity Warning: Video conferencing app Zoom sends encryption keys to China; could compromise the confidentiality of Zoom meetings
With everyone practicing social distancing as a way to control the spread of the deadly coronavirus, many people are now going online to conduct their meetings. One of the videoconferencing apps that has gained huge popularity in the work-from-home coronavirus age is Zoom. Now, a new report from cybersecurity researchers at the University of Toronto-based Citizen Lab found that the Zoom app sends user data to China. The researchers said in their report that they have disclosed the vulnerability to Zoom but that “we are not currently providing public information about the issue to prevent it from being abused.”
In the meantime, the researchers advised Zoom users who want confidentiality to avoid using waiting rooms and instead set passwords on meetings. The data sent to China includes encryption keys, the chunks of data that can unlock conversations, even when none of the participants are based in China, the researchers found in their tests of the software.
“This report examines encryption in the popular Zoom app. We find that Zoom has ‘rolled their own’ encryption scheme, which has significant weaknesses & we identify potential areas of concern in Zoom’s infrastructure, including the transmission of encryption keys through China,” the report’s authors, Bill Marczak and John Scott-Railton, said.
The report comes after a difficult week for Zoom, in which it had to apologize for various shortcomings in its privacy and security. The report’s authors, Bill Marczak and John Scott-Railton at the University of Toronto-based Citizen Lab, say their findings raise issues about whether U.S. government organizations should be using it at all.
Below are the key findings from the report:
- Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
- The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
- Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
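To show why the first finding matters, here is an added example (not code from the Citizen Lab report or from Zoom) in Go: a constructed 128-byte "video frame" is encrypted with AES-128 in ECB mode, and the count of distinct ciphertext blocks reveals the frame's structure, whereas the same frame under AES-GCM (included only as a contrast, not as a statement about what Zoom does) shows none. The sample frame, key and nonce are constructed for the demonstration.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)
// Constructed sample "frame": six 16-byte blocks of 0x00 then two of 0xff, a
// stand-in for a mostly uniform video frame with one feature in it.
var sampleFrame = append(bytes.Repeat([]byte{0x00}, 6*aes.BlockSize), bytes.Repeat([]byte{0xff}, 2*aes.BlockSize)...)
// ecbEncrypt runs the AES block function over every 16-byte block independently
// with one key; that is all ECB is (Go's stdlib deliberately has no ECB helper).
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("bad key or unaligned plaintext (%d bytes): %v", len(plaintext), err)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// gcmEncrypt is the contrast: AES-GCM XORs each block with a different keystream
// block and authenticates the result; nonce is 12 bytes, never reused per key.
func gcmEncrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil // ciphertext || 16-byte tag
}

// distinctBlocks counts distinct 16-byte blocks in ct. Under ECB this equals the
// number of distinct plaintext blocks (2 for sampleFrame): the frame's shape leaks.
func distinctBlocks(ct []byte) int {
	seen := make(map[[aes.BlockSize]byte]struct{})
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:i+aes.BlockSize])
		seen[b] = struct{}{}
	}
	return len(seen)
}
```

Under ECB the eight ciphertext blocks collapse to two distinct values, so an observer who cannot decrypt can still see which blocks of the frame are identical; under GCM all eight differ.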