Chinese connection threatens to take Zoom from boom to doom
06 April 2020
Last week the CEO of Zoom, Eric Yuan, sought to calm fears about the collaboration tool’s poor security and the company rolled out encryption software to address security fears.
However, this has given rise to more questions than answers, according to the University of Toronto’s Citizen Lab.
The researchers are not convinced about how well the security features function as they say it does not use the industry standard – AES-256 – from end to end. This contradicts the company’s claims.
There are concerns about how encryption has been deployed: the researchers said, “We find that in each Zoom meeting, a single AES-128 key is used in ECB [electronic codebook] mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
Location is an issue too. The researchers said that the AES-128 “appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China”.
Obliged to spy if asked
The researchers’ third major finding is that although Zoom is based in Silicon Valley, it looks like it owns companies in China whose employees develop Zoom’s software. They acknowledge that this might be because Chinese developers will work for much less than their American counterparts and legally sell to US customers, but it potentially makes Zoom susceptible to pressure from the Chinese government – under the Chinese National Intelligence Law – which is the same argument as is used against using Huawei equipment.
In short, if the state asks individuals or companies to carry out espionage on its behalf, they have no option but to comply.
New York takes action
New York City, the epicentre of the coronavirus in the US, has banned the use of Zoom for remote teaching on Saturday, according to a report by Chalkbeat.
Danielle Filson, a spokesperson for the New York City Department of Education, was quoted saying, “Providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible.
“There are many new components to remote learning, and we are making real-time decisions in the best interest of our staff and students.”
The Department of Education is moving schools over to Microsoft Teams, which Filson said has the “same capabilities with appropriate security measures in place.” The ban covers about 1.1 million students from more than 1,800 schools across five boroughs.
Right to reply
Via its latest CEO’s blog, the company directly responds to the problems highlighted by the researchers in Toronto – geo-fencing and meeting encryption – are being addressed: “In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began.
“In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.” and says this is now addressed.
How it wil overcome concerns about Chinese companies and individuals having to obey Chinese law and spy if required remains to be seen.