Zoom documentation claims that the app uses “AES-256”
encryption for meetings where possible. However, we find that in
each Zoom meeting, a single AES-128 key is used in ECB mode by
all participants to encrypt and decrypt audio and video. The use
of ECB mode is not recommended because each 16-byte block is
encrypted independently under the same key, so identical
plaintext blocks produce identical ciphertext blocks and patterns
present in the plaintext are preserved in the ciphertext.
The AES-128 keys, which we verified are sufficient to decrypt
Zoom packets intercepted in Internet traffic, appear to be
generated by Zoom servers, and in some cases, are delivered to
participants in a Zoom meeting through servers in China, even
when all meeting participants, and the Zoom subscriber’s
company, are outside of China.

Zoom, a Silicon Valley-based company, appears to own three
companies in China through which at least 700 employees are paid
to develop Zoom’s software. This arrangement is ostensibly an
effort at labor arbitrage: Zoom can avoid paying US wages
while selling to US customers, thus increasing their profit
margin. However, this arrangement may make Zoom responsive to
pressure from Chinese authorities.