The coronavirus pandemic has seen a sharp rise in the use of Zoom, but the software has proved to be a privacy nightmare for companies and individuals around the world. Earlier today, we reported that Zoom recordings had made their way onto the public internet; shortly afterwards, security researchers at Citizen Lab published a report claiming that the company had routed some calls through China.

In the report, Citizen Lab said that the company routed some calls, along with their encryption keys, through servers in China. We reported earlier that Zoom itself holds the meeting encryption keys, which is why the service is not end-to-end encrypted in the way the company claims. In a blog post, the company said that it has “implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings.” That assurance, however, says nothing about Chinese authorities, who could, in theory, access calls routed through China.

Key Findings by Citizen Lab

  • Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
  • The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
  • Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
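
To make the first finding concrete, here is an added example in Go (not code from Zoom or Citizen Lab) that encrypts a constructed, repetitive 128-byte “frame” under AES-128 in ECB mode and under AES-128-GCM, then counts how many ciphertext blocks repeat an earlier block. The key and frame contents are constructed for the demo; the counting function is the kind of check an auditor can run over captured ciphertext to tell whether a mode preserves plaintext structure.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// countRepeatedBlocks counts blocks equal to an earlier one; under ECB equal plaintext blocks encrypt identically.
func countRepeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(ct)/aes.BlockSize - len(seen)
}

// encryptECB is AES-128-ECB as Citizen Lab observed: each block is encrypted independently under one key.
// Go's standard library deliberately offers no ECB helper, so the mode is spelled out here.
func encryptECB(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(pt)%aes.BlockSize != 0 {
		panic("bad key or plaintext not a whole number of blocks")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptGCM uses the same key in AES-128-GCM with a fresh random nonce prepended to the output:
// authenticated encryption, which hides plaintext patterns and detects tampering.
func encryptGCM(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, nil)
}

func main() {
	key, pt := []byte("0123456789abcdef"), bytes.Repeat([]byte("FRAME-BLOCK-0001"), 8) // constructed demo key and repetitive frame
	fmt.Println("repeated blocks, ECB:", countRepeatedBlocks(encryptECB(key, pt)), "GCM:", countRepeatedBlocks(encryptGCM(key, pt))) // 7 and 0
}
```

Under ECB, seven of the eight ciphertext blocks are copies of the first, so an observer learns that the frame repeats even without the key; under GCM the same frame yields no repeated blocks.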

Zoom has now confirmed that it routed the calls through China by mistake. The company’s CEO, Eric Yuan, gave the following statement:

During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress.

In summary, calls originating in North America are supposed to be routed through American servers, and calls made in Europe through European ones. During a traffic spike, however, the company can route calls through the nearest server with spare capacity. That fallback is not supposed to include China: because western countries have concerns about China, companies do not route traffic through it even when other servers are overwhelmed. In this case, Zoom breached that rule and routed American calls through China when traffic spiked.

Citizen Lab’s Bill Marczak told TechCrunch that he was “cautiously optimistic” about Zoom’s response.

“The bigger issue here is that Zoom has apparently written their own scheme for encrypting and securing calls,” he said, and that “there are Zoom servers in Beijing that have access to the meeting encryption keys.”

If you’re a well-resourced entity, obtaining a copy of the internet traffic containing some particularly high-value encrypted Zoom call is perhaps not that hard.

The huge shift to platforms like Zoom during the COVID-19 pandemic makes platforms like Zoom attractive targets for many different types of intelligence agencies, not just China. Fortunately, the company has (so far) hit all the right notes in responding to this new wave of scrutiny from security researchers, and has committed itself to making improvements in its app.

– Bill Marczak

While Zoom recently announced that it will pause feature updates to concentrate on fixing these security issues, it is still under heavy pressure from authorities around the world to fix the flaws. The company will also conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of its service.