Security Researchers: Zoom’s Encryption Is ‘Not Suited for Secrets’; Key Servers and 700 Employees Are in China

Security researchers Bill Marczak and John Scott-Railton, in a cogent, eye-opening report for the University of Toronto’s Citizen Lab:

Key Findings:

  • Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

  • The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.

  • Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.

Apparently these security researchers aren’t aware that Zoom was designed with the security and privacy needs of the enterprise in mind.
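The first finding is worth seeing in code: the leak the report describes comes from ECB as a mode, not from AES itself, because ECB encrypts each 16-byte block independently and deterministically, so identical plaintext blocks (the flat background of a video frame, silence in an audio stream) become identical ciphertext blocks. The example below is added here and is not code from the Citizen Lab report or from Zoom. To stay dependency-free it substitutes a toy 4-round Feistel cipher built from HMAC-SHA256 for AES (an assumption for illustration only; AES has the same block size, and the mode-level behaviour shown is identical), then compares ECB against CTR on a constructed plaintext that mimics a frame with a large uniform region.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16          # bytes per block, the same block size AES uses
HALF = BLOCK // 2   # Feistel half-block
ROUNDS = 4


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Keyed Feistel round function: HMAC-SHA256 truncated to one half-block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher standing in for AES (constructed for this example, not a real cipher).
    Like any block cipher it is a keyed permutation: same key + same block -> same output."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: run the Feistel rounds backwards."""
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted on its own, with no chaining and no nonce."""
    assert len(data) % BLOCK == 0, "ECB needs whole blocks (no padding in this toy)"
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt (nonce || counter) to make a keystream and XOR it with the data.
    Identical plaintext blocks get different keystream blocks, so the pattern disappears.
    Encryption and decryption are the same operation. The nonce must never repeat under a key."""
    assert len(nonce) == HALF
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(HALF, "big")
        keystream = block_encrypt(key, counter_block)
        chunk = data[i:i + BLOCK]
        out += _xor(chunk, keystream[:len(chunk)])
    return bytes(out)


def repeated_block_fraction(ciphertext: bytes) -> float:
    """Fraction of ciphertext blocks that occur more than once.
    This is the plaintext structure an eavesdropper can read straight off ECB output."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    counts = Counter(blocks)
    return sum(c for c in counts.values() if c > 1) / len(blocks)


# Constructed sample "frame": 64 identical blocks of flat background plus two distinct blocks.
SAMPLE_KEY = b"example-key-0123"        # constructed 16-byte key, not a real secret
SAMPLE_NONCE = b"nonce-01"              # constructed 8-byte nonce
SAMPLE_FRAME = (b"\x00" * BLOCK) * 64 + bytes(range(BLOCK)) + b"\xff" * BLOCK


def compare_modes(key: bytes = SAMPLE_KEY, nonce: bytes = SAMPLE_NONCE, frame: bytes = SAMPLE_FRAME) -> dict:
    """Encrypt the same frame under ECB and CTR and measure how much structure each leaks."""
    return {
        "ecb_repeat_fraction": repeated_block_fraction(ecb_encrypt(key, frame)),
        "ctr_repeat_fraction": repeated_block_fraction(ctr_crypt(key, nonce, frame)),
    }


if __name__ == "__main__":
    for mode, fraction in compare_modes().items():
        print(f"{mode}: {fraction:.3f}")
```

The ECB figure comes out at 64 of 66 blocks visibly repeated, while CTR leaves none, and that holds for AES exactly as it does for the stand-in cipher. The same measurement (counting duplicate 16-byte blocks in captured packets) is also a cheap, non-invasive way to confirm from traffic alone whether a product is really using ECB.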

Friday, 3 April 2020