The last few days have been complicated for Zoom. After a few happy weeks, during which the video-conferencing application managed to capitalize on the rise of remote work around the world caused by the coronavirus, it was revealed earlier this week that its developers had lied when they claimed it used end-to-end encryption.
Shortly afterwards, Zoom apologized, clarified that its end-to-end encryption was indeed conditioned on multiple factors, and announced several measures to regain users' trust (updates, external audits, etc.).
From Boston to Los Angeles… passing through Beijing
But how does the encryption of a Zoom video call actually work? When the software starts the call, it obtains a key from the Zoom cloud that is used to encrypt the audio and video; the other participants receive the same key as they join the meeting. The key comes from the Zoom cloud, which is made up of servers spread around the world.
Depending on how the meeting is configured, certain specialized servers in that cloud, the so-called “connectors”, can also receive a copy of the key. For example, if someone joins the meeting through a phone call, they are really calling a “Zoom Telephony Connector” server, which will receive a copy of the key.
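As an added illustration (a constructed toy model, not Zoom's code): in the design just described the cloud mints the meeting key and copies it to every client and connector, so the cloud itself can decrypt the media. The second function shows the contrast with a key agreed end-to-end, which a relaying server never holds. The group parameters and party names are assumptions.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption: chosen for illustration only; a real
# deployment would use a standardized group such as X25519 or RFC 3526).
P = 2**127 - 1  # a Mersenne prime, so every value fits in 16 bytes
G = 5
KEY_BYTES = 32


def cloud_key_model():
    """The design the article describes: the service's cloud mints one meeting
    key and hands a copy to every client and to any connector (e.g. telephony)."""
    meeting_key = secrets.token_bytes(KEY_BYTES)
    holders = {"zoom_cloud": meeting_key,
               "telephony_connector": meeting_key,  # dial-in bridge gets a copy
               "alice": meeting_key,
               "bob": meeting_key}
    return meeting_key, holders


def _kdf(shared_secret):
    """Derive a media key from a group element (hash of its big-endian bytes)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def e2e_key_model():
    """Contrast: each client keeps a private exponent; the server only relays
    the public values and therefore never holds the media key."""
    a_priv, b_priv = (secrets.randbelow(P - 2) + 2 for _ in range(2))
    a_pub, b_pub = pow(G, a_priv, P), pow(G, b_priv, P)
    # Everything the relay observes: the two public values, nothing private.
    relay_view = {"alice_pub": a_pub, "bob_pub": b_pub}
    alice_key = _kdf(pow(b_pub, a_priv, P))  # g^(ab)
    bob_key = _kdf(pow(a_pub, b_priv, P))    # g^(ba), the same value
    # Best the relay can do without a private exponent: combine what it saw,
    # which yields g^(a+b), not g^(ab).
    relay_guess = _kdf((relay_view["alice_pub"] * relay_view["bob_pub"]) % P)
    return alice_key, {"zoom_cloud": relay_guess, "alice": alice_key, "bob": bob_key}


def parties_able_to_decrypt(true_key, holders):
    """Return, sorted, every party whose key matches the one encrypting the media."""
    return sorted(p for p, k in holders.items() if k == true_key)


if __name__ == "__main__":
    print("cloud-minted key:", parties_able_to_decrypt(*cloud_key_model()))
    print("end-to-end key:  ", parties_able_to_decrypt(*e2e_key_model()))
```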
Of the 73 servers in the Zoom cloud that act as connectors, most are located in the United States, but 5 of them are in China. And, according to a complaint by the Citizen Lab at the University of Toronto, many conversations between users with no connection to that Asian country end up passing through those servers.
The problem with this, as the Citizen Lab notes in its report, is that if the server generating the key is located on Chinese soil, the Chinese government has a legal right to demand that the company that owns it (Zoom) hand over those keys. That would allow the authorities of that country to monitor the video and audio traffic of the call, which is a catastrophe for many privacy advocates (and for the industrial secrets of the West).
Perhaps that helps to explain why we learned yesterday that SpaceX, Apple and NASA have forbidden their employees from using Zoom for communications related to their respective organizations.
But that is not all. In the last few hours, the Washington Post has also made public another notable Zoom vulnerability: when the function to record a video copy of a meeting is used, the resulting files always have names with the same structure, which makes it much easier for a search of the open web to reveal (and allow access to) thousands of recorded sessions, sometimes because of leaks, sometimes because of incorrect privacy settings.
Patrick Jackson, the cybersecurity expert who alerted the Post, claims to have found 15,000 of them. And their subject matter (one of them is a conversation between a therapist and a patient about self-harm) makes it clear that they were never intended to be published openly.
Zoom's response, published by Mashable, was as follows:
“Zoom notifies participants when a host chooses to record a meeting and provides a secure way for hosts to store recordings. Zoom meetings are recorded only at the host's choice, either locally on their computer or in the Zoom cloud.
If hosts later decide to upload their recordings anywhere else, we urge them to be very careful and transparent with the meeting participants, thoroughly assessing whether the meeting contains sensitive information and the opinions of the participants themselves.”