Zoom was routing calls through China, and there are issues with its encryption as well, reveals new research. In this photo, a student takes class online while using the Zoom app at her home as Egypt shut down schools. (Image source: Reuters)
Zoom’s list of controversies show no sign of slowing down. In the latest revelations by security researchers at Citizen Lab, new flaws have been discovered in the Zoom service, which show that the company’s encryption practices are not secure. More worryingly Zoom appears to be routing some of its calls via services in China, which again raises security risks, given the company is based in the US, and is now being used by million of users daily. Zoom’s own data reveals they are seeing close to 200 million daily sessions. Zoom has also responded to the allegations, saying they are taking steps to address the problem.
So what has Citizen Lab revealed?
According to a blog post by Citizen Lab, there are problems with the way Zoom is encrypting meetings. While Zoom has already apologised for claiming it offered end-to-end encryption, when it was not the case, Citizen Lab’s analysis reveals more issues.
The researchers note that for each Zoom meeting the company is using a single AES-128 key, to encrypt and decrypt audio and video and not AES-256 encryption, which is a higher standard. Zoom’s documentation also claims to be using AES-256, which is not the case.
More worryingly, Zoom’s servers were routing some of the meetings through servers in China, which raises a whole new set of privacy questions, especially as the calls are not end-to-end encrypted.
Citizen Lab also raised questions on how Zoom owns three companies in China, and has 700 employees in the country who are being “paid to develop”, the company’s software. The blog post notes, “This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.”
Citizen Lab notes, “A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.”
What has Zoom said in response?
Zoom CEO Eric S Yuan has written a detailed blog post addressing some of these concerns, especially around geo-fencing and meeting encryption. The post says that given the load of people coming on to the service during the coronavirus pandemic, they were forced to add server capacity quickly, especially in China. The blogpost admits some meetings were routed via China, which should not have been the case.
“In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this,” notes Yuan in the blog.
Need help using Zoom: Here’s our guide for beginners
The post also claims that in periods of high traffic, the client might reach out to secondary datacenters, which might not be near a user’s region, especially if multiple connection attempts to the primary datacenter fail. Still, the systems have to “maintain geo-fencing around China for both primary and secondary datacenters — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China datacenters.”
The company claims that in February it mistakenly added two Chinese datacenters to a lengthy whitelist of backup bridges, which would have resulted in calls from non-China regions being routed via China. Zoom says it has taken off the mainland China datacenters off of the whitelist.
Regarding the encryption issues, the blog post just says that the company knows they can do better on this front, but doesn’t add anything substantial, only noting that they will have more to share on this soon.