Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it

Company also claims it mistakenly ran calls from outside China through the Middle Kingdom.
Written by Chris Duckett, Contributor

Citizen Lab, a research group within the University of Toronto, has been able to drive a proverbial truck through the encryption used by video conferencing app Zoom.

In a report where the group said the video platform was not suitable for sharing secrets nor government or business use, Citizen Lab found Zoom has been rolling its own encryption scheme as part of a custom extension to the real-time transport protocol.

Further, instead of using AES-256 encryption as Zoom claims, the report found the application was using an AES-128 key in electronic code book (ECB) mode.

"Zoom's encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input. Industry standard protocols for encryption of streaming media (e.g., the SRTP standard) recommend the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode," Citizen Lab said.

The research group also said it found a "serious security issue" in the application's waiting room functionality and has disclosed this to the company. It said it would provide further details on this issue in the meantime however, beyond suggesting users avoid the feature and use passwords on meetings instead, to prevent the issue from being abused.

This vulnerability is particularly pertinent as the platform is currently being hit by a plethora of Zoom-bombing instances, where uninvited people enter a Zoom meeting and show disruptive content or behaviour, and various sources have offered the waiting room functionality as a solution despite the disclosed security issue.

In direct response to Citizen Lab, Zoom CEO Eric Yuan admitted that the company's encryption was substandard.

"We recognise that we can do better with our encryption design. Due to the unique needs of our platform, our goal is to utilise encryption best practices to provide maximum security, while also covering the large range of use cases that we support," Yuan said.

"We are working with outside experts and will also solicit feedback from our community to ensure it is optimised for our platform."

Last week, Zoom said it would spend 90 days on improving the security of its product following a spate of vulnerabilities being unveiled. The vulnerabilities have been uncovered as more people use Zoom due to the coronavirus pandemic sweeping the planet.

See also: Best video conferencing software for business: Microsoft Teams plus eight more Zoom alternatives

Citizen Lab also found the application was serving up encryption keys from servers in China to participants from outside the Middle Kingdom.

"A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," the report said.

Zoom said the behaviour was an oversight due to its decision to recently scale up its data centres to meet demand.

"Zoom's systems are designed to maintain geo-fencing around China for both primary and secondary data centers -- ensuring that users outside of China do not have their meeting data routed through Zoom's mainland China data centers (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services)," Yuan said.

"In February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand.

"In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to -- under extremely limited circumstances -- connect to them (namely when the primary non-Chinese servers were unavailable)."

Yuan said the company had fixed the whitelist once it learnt of the issue.

The company has also been in hot water for its misleading claims that its product uses end-to-end encryption.

"While we never intended to deceive any of our customers, we recognise that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it," the company wrote in a blog post last week.

As Zoom pointed out, it retains the full ability to decrypt any call or meetings on its servers at any point, and organisations concerned with wanting to control the encryption keys themselves are able to run an on-premise version. The company did say it has not built a decryption service for live meetings for lawful interception, or does not have a way to insert people into meetings without being shown in the meeting participant list. ZDNet has asked Zoom if this statement also covers the ability to record meetings for law enforcement.

Over the weekend, New York City reportedly joined a growing list of organisations to ban the use of the application.

Reuters reported over the weekend that the state attorneys-general of New York and Connecticut have made inquiries to the company over its security practices.

Last year, the company was caught out for using a local web server on Mac instances to avoid an extra click for users. That server was found to contain a remote code execution vulnerability.

When the issue first came to light, Zoom defended the use of the web server, saying to ZDNet in a statement that it was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator".

The next day, Zoom said it would walk back its local web server support in a patch prepared, and told ZDNet previously its change in course was in response to customer feedback, not security concerns.

"There was never a remote code execution vulnerability identified," the company said at the time.

"Zoom decided to remove the web server based on feedback from the security community and our users."

Related Coverage

Editorial standards