 Friday, April 3, 2020 in Privacy  No Comments |  |  Meetings on Zoom, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.
The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom`s "waiting room" feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university`s Citizen Lab — widely followed in information security circles — that Zoom`s service is "not suited for secrets" and that it may be legally obligated to disclose encryption keys to Chinese authorities and "responsive to pressure" from them.
Zoom could not be reached for comment.
Generating Encryption Keys in China
Earlier this week, The Intercept reported that Zoom was misleading users in its claim to support end-to-end encryption, in which no one but participants can decrypt a conversation. Zoom`s Chief Product Officer Oded Gal later wrote a blog post in which he apologized on behalf of the company "for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption. The post went on to detail what encryption the company does use.
Based on a reading of that blog post and Citizen Lab`s research, here is how Zoom meetings appear to work:
When you start a Zoom meeting, the Zoom software running your device fetches a key with which to encrypt audio and video. This key comes from Zoom`s cloud infrastructure, which contains servers around the world. Specifically, it comes from a type of server known as a "key management system", which generates encryption keys and distributes them to meeting participants. Each user gets the same, shared key as they join the meeting. It is transmitted to the Zoom software on their devices from the key management system using yet another encryption system, TLS, the same technology used in the "https" protocol that protects websites.
Depending on how the meeting is set up, some servers in Zoom`s cloud called "connectors" may also get a copy of this key. For example, if someone calls in on the phone, they`re actually calling a "Zoom Telephony Connector server, which gets sent a copy of the key.
Some of the key management systems — 5 out of 73, in a Citizen Lab scan — seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. The two Citizen Lab researchers who authored the report, Bill Marczak and John Scott-Railton, live in the United States and Canada. During a test call between the two, the shared meeting encryption key "was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, according to the report.
The report points out that Zoom may be legally obligated to share encryption keys with Chinese authorities if the keys are generated on a key management server hosted in China. If the Chinese authorities or any other hypothetical attacker with access to a key wants to spy on a Zoom meeting, they also need to either monitor the internet access of a participant in the meeting, or monitor the network inside the Zoom cloud. Once they collect the encrypted meeting traffic, they can use the key to decrypt it and recover the video and audio.
theintercept.com | |
|
