Zoom says it offers end-to-end encryption on your video conferences to help ward off spying, but don’t believe it. The San Jose-based company is not only holding on to the encryption keys, but also sending them to China in some cases, according to a watchdog group.
Citizen Lab tested the video-conferencing service to see where the encryption keys were being generated. “During multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China,” researchers Bill Marczak and John Scott-Railton wrote in a Friday report.
The keys are likely being sent to China because Zoom has subsidiary offices in the country. The company’s own SEC filing shows the company employs 700 staffers in China for research and development purposes.
Of course, bad actors can easily spy on your Zoom meetings if you’ve made the session public or failed to guard its password. The lack of security has resulted in a wave of Zoom-bombing incidents, prompting the FBI to warn the public about the phenomenon.
Encryption, on the other hand, can protect your messages from prying eyes as they get hosted in a database or sent over a network. In a true end-to-end encryption system, the key is generated and stored on your smartphone or laptop, which prevents the provider itself (or law enforcement) from decrypting your messages. However, in Zoom’s case, the company manages the keys from its own servers.
“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server,” the researchers said in the report.
According to Citizen Lab, Zoom likely has company offices in China to help it cut down on labor costs. But it also means those offices fall under the jurisdiction of the Chinese government, which has the power to pressure domestic companies to hand over information.
So far, Zoom hasn’t commented on the report. But on Wednesday, it addressed the controversy over its approach to encryption. While Zoom does hold on to encryption keys, it has no system in place to readily decrypt the video sessions, according to Oded Gal, Zoom’s chief product officer.
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list,” Gal wrote in a blog post.
Still, Citizen Lab pokes some significant holes in the company’s encryption claims. The same report notes Zoom is using a weaker encryption standard, AES-128, in what’s called ECB mode. This is a bad idea, according to Citizen Lab, because encrypted video sessions will still retain patterns in the data. Anyone looking at the encrypted data may still be able to make out rough outlines of the video images, despite the encryption in place.
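The pattern leak described above comes from the mode, not from the cipher, and it can be measured. The following is an added illustration, not code from Citizen Lab or Zoom: it uses a small stand-in block cipher in place of AES, a constructed 64x64 "frame", constructed key and nonce values, and CTR mode (chosen here only as a contrast) to compare how many identical 16-byte blocks survive encryption. Inputs are assumed to be a multiple of 16 bytes long.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # same block size as AES

def _round(key, i, half):
    # Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def encrypt_block(key, block):
    # Stand-in 128-bit block cipher (4-round Feistel); an assumption, NOT AES.
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def ecb_encrypt(key, data):
    # ECB: each block is encrypted independently under the same key.
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ctr_encrypt(key, nonce, data):
    # CTR: XOR with E(nonce || counter), so equal plaintext blocks diverge.
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        ks = encrypt_block(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)

def repeated_block_ratio(ct):
    # Fraction of ciphertext blocks identical to at least one other block.
    counts = Counter(ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK))
    return sum(c for c in counts.values() if c > 1) / sum(counts.values())

def make_frame(size=64):
    # Constructed sample: flat grey background with a bright square in the middle.
    rows = []
    for y in range(size):
        row = bytearray(b"\x10" * size)
        if 16 <= y < 48:
            row[16:48] = b"\xf0" * 32
        rows.append(bytes(row))
    return b"".join(rows)

if __name__ == "__main__":
    key, nonce, frame = bytes(range(16)), bytes(8), make_frame()
    print("ECB repeated blocks:", repeated_block_ratio(ecb_encrypt(key, frame)))
    print("CTR repeated blocks:", repeated_block_ratio(ctr_encrypt(key, nonce, frame)))
```

Under ECB the 256-block frame collapses to just two distinct ciphertext blocks, one for the background and one for the square, so the shape is still readable from the ciphertext. A high repeated-block ratio in captured ciphertext is a practical sign that a deterministic per-block mode is in use.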
The researchers have also found a serious vulnerability in Zoom’s waiting room feature, which can be used to prevent unwanted guests from entering your meetings. “We are not currently providing public information about the issue to prevent it from being abused,” the researchers wrote. “In the meantime, we advise Zoom users who desire confidentiality to not use Zoom Waiting Rooms. Instead, we encourage users to use Zoom’s password feature, which appears to offer a higher level of confidentiality than waiting rooms.”
The report’s main takeaway: Zoom is fine to use for casual conversations and online teaching. But if you’re relying on the service to talk about sensitive information, such as company or government business, you should consider a more secure video conferencing tool, or messaging app such as Signal.
Zoom has said it’s working on letting users store the encryption keys locally on their own hardware. But the option won’t arrive until later this year and appears to be geared toward enterprises, not average consumers. Due to the coronavirus, use of Zoom has skyrocketed to 200 million daily users, up from a mere 10 million back in December.