Since my previous post below, I have been reading up on Zoom as a company, its staffing and its worrying security track record (or rather, lack of one). When I wrote the initial post I said that “Zoom is a US company funded almost entirely by venture capital. Its servers are US based.” It appears that is not entirely accurate. Indeed, it would appear that some of its servers are actually based in China; furthermore, a large number of its development staff are Chinese nationals, also based in China. And the CEO, Eric S Yuan, grew up in China. In a Zoom blog post dated 26 February of this year Yuan wrote:
“I grew up in the eastern Shandong Province of China and studied at the Shandong University of Science & Technology. It’s a place I still hold dear. I am continuously inspired by the courageous efforts of those treating patients in China and around the world — working hard to try to further prevent the spread of the virus.”
According to his Wikipedia entry, Yuan was “born and raised in Tai’an, Shandong Province” and “moved to the US in the mid-1990s, after obtaining a visa on the ninth try.”
Now there is nothing inherently wrong with any of that, but when coupled with other findings by security researchers such as Citizen Lab and Checkpoint, amongst others, a troubling picture starts to emerge. On 3 April, ElReg reported on the Citizen Lab findings. The Citizen Lab post is well worth reading. It found that:
- Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
- The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
- Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
The report concludes:
As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:
- Governments worried about espionage
- Businesses concerned about cybercrime and industrial espionage
- Healthcare providers handling sensitive patient information
- Activists, lawyers, and journalists working on sensitive topics
For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.
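The first Citizen Lab finding above, that a single AES-128 key is used in ECB mode, is worth seeing concretely. The following Go program is an added illustration and is not Citizen Lab's code, nor anything from Zoom: it encrypts a constructed plaintext made of four identical 16-byte "frame headers" (a stand-in for the repetitive structure of a media stream) first with hand-rolled AES-ECB and then with AES-GCM, and counts how many ciphertext blocks repeat. The key, nonce and sample plaintext are all constructed for the demo. GCM is used here only as an example of a mode that hides such patterns and authenticates the data; the post does not say what Zoom later adopted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo material (not from the report): a 16-byte AES-128 key, a
// 12-byte GCM nonce, and a plaintext made of four identical 16-byte "frame
// headers", standing in for the repetitive structure of a media stream.
var (
	demoKey         = []byte("0123456789abcdef") // 16 bytes -> AES-128
	demoNonce       = []byte("unique-nonce")     // 12 bytes; must never repeat for a given key
	samplePlaintext = bytes.Repeat([]byte("RTP-HDR|SEQ=0001"), 4)
)

// ecbEncrypt runs the raw AES block function over each 16-byte block
// independently. Go's standard library deliberately ships no ECB helper,
// which is why it has to be hand-rolled here.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ecbDecrypt is the inverse of ecbEncrypt: anyone holding the key (which the
// report says is generated server-side) recovers the plaintext directly.
func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(ciphertext)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ciphertext), bs)
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += bs {
		block.Decrypt(out[i:i+bs], ciphertext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt encrypts with AES-GCM, an authenticated mode in which equal
// plaintext blocks do not yield equal ciphertext blocks and tampering is
// detected. Output is the ciphertext followed by a 16-byte authentication tag.
func gcmEncrypt(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// countRepeatedBlocks reports how many 16-byte ciphertext blocks are identical
// to an earlier block. Any value above zero is the ECB leak the report describes:
// an observer learns where the plaintext repeats without knowing the key.
func countRepeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		b := string(ct[i : i+16])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

func main() {
	ecb, _ := ecbEncrypt(demoKey, samplePlaintext)
	gcm, _ := gcmEncrypt(demoKey, demoNonce, samplePlaintext)
	fmt.Printf("ECB: %x\n  repeated blocks: %d\n", ecb, countRepeatedBlocks(ecb))
	fmt.Printf("GCM: %x\n  repeated blocks: %d\n", gcm, countRepeatedBlocks(gcm))
}
```

Running it prints four identical ciphertext blocks for ECB (three repeats of the first), so the layout of the stream is visible to anyone capturing the packets even without the key, whereas the GCM output shows no repeats. The point for a defender evaluating a product's "AES-256" claim is that the mode and the key handling matter as much as the key length.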
In January of this year, Checkpoint published the details of a vulnerability (since mitigated) which could allow a threat actor to eavesdrop on a Zoom conference. And on 3 April, TwelveSecurity published a blog article looking at links between Zoom and the Chinese military, intelligence services, and their Army officers.
Whilst this latter article is a little breathless and (I think) overwrought in places, it does raise some questions about Zoom as a company and the security of its product in particular. The Register article cited above also points to a listing posted by Dan Ehrlick of TwelveSecurity of more than 130,000 subdomains of the main zoom.us domain. Whilst there is no analysis of the usage of those domains (beyond a rather sideways dig at some of the names used), I find it astonishing that Zoom should actually /need/ that many subdomains. At best it raises some interesting questions.
Of course, a prior question still remains as to why on earth someone in the Cabinet Office or No 10 thought it would be a smart idea to use Zoom for a Cabinet meeting.