‘Alarming’: Popular video platform Zoom uses weak encryption and stores keys on Chinese servers
The world flocked to Zoom as the coronavirus pandemic hit, pushing the popular video conferencing platform to 200 million daily meetings in March as millions of office workers began to telecommute. But researchers have found serious flaws with Zoom’s encryption mechanisms, meaning their privacy and personal information are at risk.
Bill Marczak and John Scott-Railton from the University of Toronto’s Citizen Lab say the biggest problem is that Zoom uses what experts consider the simplest—and the weakest—type of encryption: the Electronic Codebook Method.
When programmers use ECB for encryption, the result can still be intelligible: It does little to obscure what you’re protecting.
And Zoom’s encryption keys, the data that unscrambles sensitive files, are stored on Chinese servers, creating a national security risk.
“A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” Marczak and Scott-Railton wrote.
Roslyn Layton, a visiting tech scholar at the American Enterprise Institute, said according to Chinese law, the Chinese government has the right to access any data from Chinese tech — including servers in China, even if they’re owned by American companies.
“China has a particular law that says they can confiscate the data on a particular device for any reason, there’s no due process, no warrant. If you use anything by Huawei, Lenovo, they believe the data there is available for the Chinese government for any reason. The legal framework is worse than the technical issues,” she told Zenger News.
Tarik Moataz, a visiting computer scientist at Brown University, said it was “very surprising” to him that Zoom used ECB encryption.
“There is no good reason to use ECB,” he told Zenger. “In cryptography classes, ECB is used most of the time as a good example to start mode of operations in class, but not to use. This is the very first thing they say never to use.”
Echoing the Citizen Lab report and Layton, Moataz said what’s “more alarming” is storing encryption keys on Chinese servers, because it means both China and Zoom have access to them.
“I don’t understand why a server in China has to originate the key,” he said. “It means that Zoom as a company has access to the key that actually encrypts the audio and video of all our meetings. Zoom has the technical capability to decrypt the content on all our meetings.
Moataz recommends using a video platform like FaceTime instead, because it uses end-to-end encryption, which is much more secure.
“From what we know, we know Apple’s FaceTime provides end-to end-encryption,” he said. “It’s a really nice concept, end-to-end allows only the participants the key to decrypt the content. Even if there’s a server sitting in the cloud, even if it’s in China, if it’s an end-to-end encryption protocol, the server will never have the key to decrypt the content, it will just see gibberish and noise going through the routers and servers.”
Zoom addressed concerns with its platform’s security and privacy in an blog post earlier this month, arguing that its product is “built primarily for enterprise customers–large institutions with full IT support. These range from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare organizations, and telemedicine practices.”
But Moataz and Citizen Lab researchers say that makes little sense.
Marczak and Scott-Railton say they “determined that the Zoom app uses non-industry-standard cryptographic techniques with identifiable weaknesses.”
“Any engineer who took a cryptography class in their undergrad or grad, we teach them you shouldn’t use ECB,” Moataz said. “From a cryptographic aspect, in some cases it adds a special security, on the other hand we know that other modes of encryption are way better. This was a mistake of one of the engineers who made the decision to go for ECB.”
Zoom said in the post that it will evaluate its security over the next 90 days and release a report to “maintain trust” and transparency with its users.
In the meantime, Marczak and Scott-Railton advise Zoom users to use passwords, or not use Zoom at all.