Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.
The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.
Zoom could not be reached for comment.
Earlier this week, The Intercept reported that Zoom was misleading users in its claim to support end-to-end encryption, in which no one but participants can decrypt a conversation. Zoom’s Chief Product Officer Oded Gal later wrote a blog post in which he apologized on behalf of the company “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” The post went on to detail what encryption the company does use.
Based on a reading of that blog post and Citizen Lab’s research, here is how Zoom meetings appear to work:
When you start a Zoom meeting, the Zoom software running your device fetches a key with which to encrypt audio and video. This key comes from Zoom’s cloud infrastructure, which contains servers around the world. Specifically, it comes from a type of server known as a “key management system,” which generates encryption keys and distributes them to meeting participants. Each user gets the same, shared key as they join the meeting. It is transmitted to the Zoom software on their devices from the key management system using yet another encryption system, TLS, the same technology used in the “https” protocol that protects websites.
Depending on how the meeting is set up, some servers in Zoom’s cloud called “connectors” may also get a copy of this key. For example, if someone calls in on the phone, they’re actually calling a “Zoom Telephony Connector” server, which gets sent a copy of the key.
Some of the key management systems — 5 out of 73, in a Citizen Lab scan — seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. The two Citizen Lab researchers who authored the report, Bill Marczak and John Scott-Railton, live in the United States and Canada. During a test call between the two, the shared meeting encryption key “was sent to one of the participants over TLS from a Zoom server apparently located in Beijing,” according to the report.
The report points out that Zoom may be legally obligated to share encryption keys with Chinese authorities if the keys are generated on a key management server hosted in China. If the Chinese authorities or any other hypothetical attacker with access to a key wants to spy on a Zoom meeting, they also need to either monitor the internet access of a participant in the meeting, or monitor the network inside the Zoom cloud. Once they collect the encrypted meeting traffic, they can use the key to decrypt it and recover the video and audio.
Citizen Lab flagged as worrisome not only the system used to distribute Zoom encryption keys but also the keys themselves and the way they are used to encrypt data.
Zoom’s keys conform to the widely used Advanced Encryption Standard, or AES. A security white paper from the company claims that Zoom meetings are protected using 256-bit AES keys, but the Citizen Lab researchers confirmed the keys in use are actually only 128-bit. Such keys are still considered secure today, but over the last decade many companies have been moving to 256-bit keys instead.
Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook, or ECB, mode, “which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input,” according to the Citizen Lab researchers. In fact, ECB is considered the worst of AES’s available modes.
Here’s why: It should be impossible to tell the difference between properly encrypted data and completely random data, such as static on a radio, but ECB mode fails to do this. If there’s a pattern in the unencrypted data, the same pattern shows up in the encrypted data. This Wikipedia page has a useful illustration to visualize this:
Once it has been poorly encrypted in this manner, video and audio data is distributed to all participants in a meeting through a Zoom Multimedia Router server. For most users, this server runs in Zoom’s cloud, but customers can choose to host this part on-premises. In this case, Zoom will generate, and thus have access to, the AES key that encrypts the meeting but shouldn’t have access to the meeting content itself, so long as none of the aforementioned “connector” servers (for phone calls and so forth) are participating in the meeting. (In its blog post, Zoom said self-hosting customers will eventually be able to manage their own encryption keys.)
Meeting hosts can set their meetings to have virtual “waiting rooms,” making it so that users do not directly enter the meeting when they log on with Zoom but instead must wait to be invited in by a participant. The Citizen Lab researchers discovered a security vulnerability with this feature while conducting their encryption analysis. They said in their report that they have disclosed the vulnerability to Zoom but that “we are not currently providing public information about the issue to prevent it from being abused.” In the meantime, the researchers advised Zoom users who desire confidentiality to avoid using waiting rooms and instead set passwords on meetings.
The newly uncovered flaws in Zoom’s encryption may be troubling for many of the company’s customers. Since the coronavirus outbreak started, Zoom’s customer base has surged from 10 million users to 200 million, including “over 90,000 schools across 20 countries,” according to a blog post by Zoom CEO Eric Yuan. The U.S. government recently spent $1.3 million on Zoom contracts as part of its response to the pandemic, according to a review of government contracts by Forbes, and the U.K. government has been using Zoom for remote Cabinet meetings, according to a tweet from Prime Minister Boris Johnson.
This morning I chaired the first ever digital Cabinet.— Boris Johnson #StayHomeSaveLives (@BorisJohnson) March 31, 2020
Our message to the public is: stay at home, protect the NHS, save lives. #StayHomeSaveLives pic.twitter.com/pgeRc3FHIp
Among those who should be concerned about Zoom’s security issues, according to Citizen Lab, are “governments worried about espionage” and “businesses concerned about cybercrime and industrial espionage.”
Despite a recent flood of security and privacy failures, Yuan, Zoom’s CEO, appears to be listening to feedback and making a real effort to improve the service. “These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones,” Yuan wrote in his blog post. “We appreciate the scrutiny and questions we have been getting — about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”
Kudos to @zoom_us: https://t.co/nU84c5fPcE— patrick wardle (@patrickwardle) April 2, 2020
In *one* day:
? "Released a fix for the UNC link issue"
? "Released fixes for both Mac-related issues"
? Engage in pen-tests
? Improve bug bounty program
? Enact feature freeze to focus on safety/privacy issues
In addition to promptly fixing several security issues that were reported, the company removed an “attendee attention tracker” feature, a privacy nightmare which let meeting hosts track whether participants had the Zoom window — or some other app’s window — in focus during a meeting. It has also invested in new training materials to teach users about the security features like setting passwords on meetings to avoid Zoom-bombing, the phenomenon where people disrupt unprotected Zoom meetings.
Because Zoom’s service is not end-to-end encrypted, and the company has access to all encryption keys and to all video and audio content traversing its cloud, it’s possible that governments around the world could be compelling the company to hand over copies of this data. If Zoom does help governments spy on its users, the company claims that it hasn’t built tools specifically to help law enforcement: “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes,” Gal, Zoom’s chief product officer, wrote in the technical blog post, “nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
Unlike some other tech companies, Zoom has never released any information about how many government requests for data it gets, and how many of those requests it complies with. But after the human rights group Access Now’s open letter urging Zoom to publish a transparency report, Yuan also promised to do just that. Within the next three months, the company will prepare “a transparency report that details information related to requests for data, records, or content.” Access Now has commended Zoom on committing to publish a transparency report.