A team of researchers at The Citizen Lab says the suddenly popular videoconferencing app Zoom uses a non-standard method of encryption, and transmits user information through China. If true, that's huge: the concern is that China could have access to all the encryption keys needed to access the contents of all those calls.
Read the report: Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings, by Bill Marczak and John Scott-Railton, April 3, 2020, citizenlab.ca
The researchers advise against use of Zoom by government officials (Boris Johnson is using the app for Cabinet meetings), but say that for most users the app is fine for keeping in touch and other forms of low-security group communication.
Me? I ain't installing that app for nothing and nobody.
The Citizen Lab's report warns Zoom "may not be suitable" for:
• Governments and businesses worried about espionage
• Healthcare providers handling sensitive patient information
• Activists, lawyers and journalists working on sensitive topics
But "our findings should not necessarily be concerning", the report said.
They also note that "Zoom… appears to own three companies in China through which at least 700 employees are paid to develop Zoom's software…this arrangement may make Zoom responsive to pressure from Chinese authorities."
Here's a snip from Bruce Schneier's takeaway on the news today:
Over the past few weeks, Zoom's use has exploded since it became the video conferencing platform of choice in today's COVID-19 world. (My own university, Harvard, uses it for all of its classes.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here is to summarize all of the problems and talk about solutions and workarounds.
In general, Zoom's problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.
Privacy first: Zoom spies on its users for personal profit. It seems to have cleaned this up somewhat since everyone started paying attention, but it still does it.
The company collects a laundry list of data about you, including user name, physical address, email address, phone number, job information, Facebook profile information, computer or phone specs, IP address, and any other information you create or upload. And it uses all of this surveillance data for profit, against your interests.
Read the rest at schneier.com:
Security and Privacy Implications of Zoom
And more observations on Twitter.
cc: UK government. https://t.co/n4CGe5pfji
— Martin SFP Bryant (@MartinSFP) April 3, 2020
I wrote a non-technical post on the situation with Zoom and encryption. This mostly summarizes what we know from @citizenlab and Zoom itself: https://t.co/g6hFWjPwXT
— Matthew Green (@matthew_d_green) April 3, 2020
Zoom is getting torn apart. That's not a bad thing. Very very few enterprise tools get the attention of world-class researchers. Even premier applications by huge companies go unexamined b/c difficulty of obtaining and installing them. Plenty of Tier0 stuff written in C in 2007.
— SwiftOnSecurity (@SwiftOnSecurity) April 2, 2020
Looks like solid research by @citizenlab. If I'm reading it correctly, actors in China could have access to all the encryption keys needed to see calls. Keep this in mind when you choose to discuss sensitive info using #zoom. Obviously no mil/gov should talk classified on it. https://t.co/9PH5Qd9e9k
— Richard Bejtlich (@taosecurity) April 3, 2020
Among other concerns including encryption & data being routed through China, "Zoom…appears to own three companies in China through which at least 700 employees are paid to develop Zoom's software…this arrangement may make Zoom responsive to pressure from Chinese authorities" https://t.co/Q6TNgykDwh
— Mary Hui (@maryhui) April 3, 2020
Interesting research from Citizen Lab on Zoom – it raises concerns about Chinese end of the company – 'during multiple test calls in North America, we observed keys for encrypting and decrypting meetings transmitted to servers in Beijing, China' https://t.co/M2dAN9wnEn
— Gordon Corera (@gordoncorera) April 3, 2020
There are two things you should never do:
1. Get involved in a land war in Asia, and
2. Roll your own crypto https://t.co/5bIyf1oMLd
— Jeffrey Vagle (@jvagle) April 3, 2020
When the first phase of this is over, we are going to wake up to the scale of the information security and privacy risks we have all been taking https://t.co/uaDrx4YPTQ
— Nicholas Dawes (@NicDawes) April 3, 2020