Zoom, the video conferencing app was found to be using a non-standard type of encryption, and transmitting information through China.
Zoom was mainly used for business conference calls, but recently it had gained wide popularity during the coronavirus crisis, when millions of people had to work from home.
According to the research team at the Citizen Lab, Zoom might not be suitable for:
- Governments and businesses worried about espionage
- Healthcare providers handling sensitive patient information
- Activists, lawyers and journalists working on sensitive topics
So, government use such as Boris Johnson’s use of the app for Cabinet meetings is not considered a good idea.
But the app seems fine for keeping in touch with friends, holding social events or organizing courses or lectures.
According to Zoom, there are now at least 200 million meetings held on it every day, and they claim that it is safe to use this app.
The Citizen Lab provided evidence that it is possible to collect all the data of a video meeting and then partially unscramble it to find out, roughly, what was said and seen. But it would take a hacker considerable time and effort to do this.
Zoom has designed and implemented their own encryption scheme, instead of using any existing standards for encrypting voice and video content. Users must be careful while using this app to discuss sensitive information.
Besides the encryption issues, the researchers also found that Zoom sends traffic to China, even when all the people in a Zoom meeting are outside of China.
During test calls done in North America, it was observed that the keys for encrypting and decrypting meetings were transmitted to servers in Beijing.
In its documentation, Zoom stated that it uses a type of encryption called AES-256. But the researchers disputed this, saying that Zoom uses its own encryption scheme, which is a variant of AES-128 in “ECB mode”.
They also reported that Zoom does not use end-to-end encryption and instead uses “transport” encryption between devices and servers.
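The weakness of ECB mode is that every identical 16-byte block of plaintext encrypts to the same ciphertext block, so repeated regions of a video frame (large uniform backgrounds, static edges) remain visible as repeated ciphertext blocks even though each block is individually AES-encrypted. The example below is added here to illustrate that; it is not Zoom's code or the Citizen Lab's, and it uses a constructed "frame" of 16-byte blocks and a fixed AES-128 key chosen only for reproducibility. It encrypts the same frame once with ECB and once with CTR mode and counts how many ciphertext blocks repeat, which is the check a defender would run on captured traffic to spot ECB in use.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies the raw block cipher to each 16-byte block independently.
// Go's standard library deliberately offers no ECB helper; this loop is what
// "ECB mode" amounts to.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// ctrEncrypt uses the same key in CTR mode, so each block is combined with a
// distinct keystream block and identical plaintext blocks no longer match.
func ctrEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// countRepeatedBlocks returns how many blocks of size bs are duplicates of an
// earlier block. A non-zero count on ciphertext is the classic ECB tell.
func countRepeatedBlocks(data []byte, bs int) int {
	seen := map[string]int{}
	for i := 0; i+bs <= len(data); i += bs {
		seen[string(data[i:i+bs])]++
	}
	repeats := 0
	for _, n := range seen {
		if n > 1 {
			repeats += n - 1
		}
	}
	return repeats
}

// constructedFrame builds a toy "video frame": five uniform background blocks,
// two identical edge blocks and one unique block. Constructed sample input.
func constructedFrame() []byte {
	bg := bytes.Repeat([]byte{0x00}, aes.BlockSize)
	edge := []byte("[edge of object]") // exactly 16 bytes
	face := []byte("<face pixels!!!>") // exactly 16 bytes
	return bytes.Join([][]byte{bg, bg, edge, face, edge, bg, bg, bg}, nil)
}

// DemoRepeats returns the repeated-block counts for the plaintext frame, its
// ECB ciphertext and its CTR ciphertext.
func DemoRepeats() (plainRepeats, ecbRepeats, ctrRepeats int) {
	key := []byte("0123456789abcdef") // constructed AES-128 key, illustration only
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	frame := constructedFrame()
	iv := make([]byte, aes.BlockSize) // zero nonce is acceptable only because this key encrypts one message here
	ecb := ecbEncrypt(block, frame)
	ctr := ctrEncrypt(block, iv, frame)
	return countRepeatedBlocks(frame, aes.BlockSize),
		countRepeatedBlocks(ecb, aes.BlockSize),
		countRepeatedBlocks(ctr, aes.BlockSize)
}

func main() {
	p, e, c := DemoRepeats()
	fmt.Printf("repeated blocks: plaintext=%d ecb=%d ctr=%d\n", p, e, c)
}
```

The plaintext has five repeated blocks, and the ECB output preserves exactly that structure, which is why a recorded meeting can be partially reconstructed without the key; the CTR output shows none. The same counting check works on any captured stream whose length is a multiple of the block size.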
On 1st April, Zoom clarified its encryption policy and apologized for incorrectly suggesting that meetings have end-to-end encryption.