Zoom’s rise to fame might only be matched by its fall from grace as security flaws and apparent ties to China are laid bare for all to see.
It was only last week Zoom CEO Eric Yuan had to pen a blog entry to calm fears over the video-conferencing service, but this additional post is to address statements from University of Toronto’s Citizen Lab. Zoom has rolled out its own encryption software to enhance security, though the Toronto researchers suggest there are ‘significant weaknesses’.
“We appreciate the questions we are getting and continue to work actively to address issues as we identify them,” said Yuan. “As video communications become more mainstream, users deserve to better understand how all these services work, including how the industry – Zoom and its peers – manages operations and provides services in China and around the world.”
Firstly, the Toronto researchers have questioned how effective Zoom’s security features actually are. The encryption is not end-to-end by the industry’s definition of the term, despite the company claiming so, and the way in which it has been designed and implemented is also questioned.
“The Zoom transport protocol adds Zoom’s own encryption scheme to RTP in an unusual way,” the researchers state.
“By default, all participants’ audio and video in a Zoom meeting appears to be encrypted and decrypted with a single AES-128 key shared amongst the participants. The AES key appears to be generated and distributed to the meeting’s participants by Zoom servers. Zoom’s encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input.”
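The pattern leak the researchers describe, as an added example in Go that is not Zoom’s or Citizen Lab’s code: the same 16-byte block encrypted under AES-128 in ECB mode always produces the same ciphertext block, whereas an authenticated mode such as AES-GCM with a fresh nonce does not. The key and the repeated “frame” are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the raw AES block function to each whole 16-byte block on its own
// (Go ships no ECB mode on purpose), so equal input blocks give equal output blocks.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	out := make([]byte, len(pt)-len(pt)%aes.BlockSize) // demo: whole blocks only, no padding
	for i := 0; i < len(out); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// gcmEncrypt uses AES-GCM with a fresh random nonce; output is nonce||ciphertext||tag.
func gcmEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

// repeatedBlocks returns how many 16-byte ciphertext blocks duplicate an earlier one.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
		n++
	}
	return n - len(seen)
}

func main() {
	block, _ := aes.NewCipher([]byte("0123456789abcdef"))  // constructed 128-bit demo key
	frame := bytes.Repeat([]byte("SAME-16-BYTE-BLK"), 4) // constructed frame with repeated content
	gcm, _ := gcmEncrypt(block, frame)
	fmt.Println("repeated blocks: ECB", repeatedBlocks(ecbEncrypt(block, frame)), "GCM", repeatedBlocks(gcm)) // 3, 0
}
```

Under ECB the four identical plaintext blocks collapse into one ciphertext block repeated four times, which is exactly the structure an eavesdropper can see in an encrypted video or audio stream.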
These encryption keys could also be distributed through Chinese servers, which is a bad idea for anyone, as companies operating there can be legally compelled by the Chinese Government to hand over such keys. Zoom has said this oversight has been corrected and no international meetings will be routed through Chinese servers, but the damage may well have already been done.
When security and privacy in the digital economy are being discussed, such a finding leaves a stain on the record which can be very difficult to remove. Zoom has an incredibly long list of such stains for a company which continues to trade, but a link to China is one which is almost impossible to shake off, especially when it comes to operating in the US.
Zoom is a company which is listed in the US on the NASDAQ, but the software appears to be developed by three companies in China, all known as Ruanshi Software, only two of which are owned by Zoom. The ownership of the third company, also known as American Cloud Video Software Technology, is unknown.
As it stands, 700 employees are currently in China, which is not unusual as it can save on salaries in comparison to the US, though it does open up the firm to pressure and influence from the Chinese Government. This is not a position which will make US authorities comfortable.
In New York, the Department of Education has banned all schools from using Zoom for remote learning, stating teachers will have Microsoft Teams functionality available as soon as possible. New York Attorney General Letitia James is also probing the privacy and security credentials of the company, a worrying sign for the business.
Security is a major component of the digital economy and Zoom just does not appear to be up to scratch. For every leak in the hull which is fixed, three more seem to emerge. The long list of security vulnerabilities was always going to catch up with the team, though it remains to be seen whether Eric Yuan can talk his way out of the apparent links to China, a potential death sentence in the US.