A recent analysis of the Zoom video conferencing application revealed that the keys used to encrypt and decrypt meetings may be sent to servers in China, even if all participants are located in other countries.
As a result of its increasing popularity caused by the COVID-19 coronavirus outbreak, Zoom has come under scrutiny from cybersecurity and privacy experts. The company has updated its privacy policy, patched some potentially serious vulnerabilities, and it has promised to take measures to address some of the concerns.
Zoom also recently clarified that its definition of “end-to-end encryption” is different from the one of the cybersecurity community. End-to-end encryption typically means that communications are protected in a way that ensures no one — except for the sender and the recipient — can access the data being transmitted. If end-to-end encryption is used, not even the service provider should have access to unencrypted data.
However, in the case of Zoom, only communications between meeting participants and Zoom servers are encrypted, which gives the company access to unencrypted data and allows it to monitor conversations. Zoom, however, claims that it has “never built a mechanism to decrypt live meetings for lawful intercept purposes.”
An analysis conducted by University of Toronto’s Citizen Lab research group revealed that this is not the only issue related to encryption when it comes to Zoom. During test meetings conducted by users in Canada and the United States, researchers noticed that the key used to encrypt and decrypt the video conference was sent to a server apparently located in Beijing, China.
“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” Citizen Lab explained in a report published on Friday.
As for the encryption itself, the organization noticed that Zoom meetings are encrypted with an AES-128 key, contrary to Zoom documentation, which claims AES-256 encryption is used. Furthermore, the AES key is used in ECB mode, which is no longer recommended due to the fact that it fails to properly hide data patterns.
Citizen Lab has also pointed out that while Zoom is based in the U.S., it owns three Chinese companies that are responsible for developing Zoom software.
“Zoom’s most recent SEC filing shows that the company (through its Chinese affiliates) employs at least 700 employees in China that work in ‘research and development.’ The filing also implies that 81% of Zoom’s revenue comes from North America. Running development out of China likely saves Zoom having to pay Silicon Valley salaries, reducing their expenses and increasing their profit margin. However, this arrangement could also open up Zoom to pressure from Chinese authorities,” researchers said.
SecurityWeek has reached out to Zoom for comment and will update this article if the company responds.
UPDATE. Zoom has published a blog post claiming certain meetings connected to servers in China due to an error, which the company has addressed.
Related: Zoom’s Security and Privacy Woes Violated GDPR, Expert Says
Related: Trojanized Zoom Apps Target Remote Workers
Related: Zoom Conferencing App Exposes Enterprises to Attacks