Keys Used to Encrypt Zoom Meetings Sent to China: Researchers

A recent analysis of the Zoom video conferencing application revealed that the keys used to encrypt and decrypt meetings may be sent to servers in China, even if all participants are located in other countries.

As a result of its increasing popularity caused by the COVID-19 coronavirus outbreak, Zoom has come under scrutiny from cybersecurity and privacy experts. The company has updated its privacy policy, patched some potentially serious vulnerabilities, and it has promised to take measures to address some of the concerns.

Zoom also recently clarified that its definition of “end-to-end encryption” is different from the one of the cybersecurity community. End-to-end encryption typically means that communications are protected in a way that ensures no one — except for the sender and the recipient — can access the data being transmitted. If end-to-end encryption is used, not even the service provider should have access to unencrypted data.

However, in the case of Zoom, only communications between meeting participants and Zoom servers are encrypted, which gives the company access to unencrypted data and allows it to monitor conversations. Zoom, however, claims that it has “never built a mechanism to decrypt live meetings for lawful intercept purposes.”

An analysis conducted by University of Toronto’s Citizen Lab research group revealed that this is not the only issue related to encryption when it comes to Zoom. During test meetings conducted by users in Canada and the United States, researchers noticed that the key used to encrypt and decrypt the video conference was sent to a server apparently located in Beijing, China.

“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” Citizen Lab explained in a report published on Friday.

As for the encryption itself, the organization noticed that Zoom meetings are encrypted with an AES-128 key, contrary to Zoom documentation, which claims AES-256 encryption is used. Furthermore, the AES key is used in ECB mode, which is no longer recommended because it fails to properly hide data patterns.

Citizen Lab has also pointed out that while Zoom is based in the U.S., it owns three Chinese companies that are responsible for developing Zoom software.

“Zoom’s most recent SEC filing shows that the company (through its Chinese affiliates) employs at least 700 employees in China that work in ‘research and development.’ The filing also implies that 81% of Zoom’s revenue comes from North America. Running development out of China likely saves Zoom having to pay Silicon Valley salaries, reducing their expenses and increasing their profit margin. However, this arrangement could also open up Zoom to pressure from Chinese authorities,” researchers said.

SecurityWeek has reached out to Zoom for comment and will update this article if the company responds.

UPDATE. Zoom has published a blog post claiming certain meetings connected to servers in China due to an error, which the company has addressed.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
