
Zoom Sends Encryption Keys To China (Sometimes)

By globalresearchsyndicate
April 3, 2020

Zoom says it’s working on its security in light of numerous criticisms of the ways in which it handles customer conversations. (Photo Illustration by Budrul Chukrut/SOPA Images/LightRocket via Getty Images)

Zoom, the videoconferencing giant that’s gained huge popularity in the work-from-home coronavirus age, sends user data to China, according to researchers. That information, on occasion, also includes encryption keys, the chunks of data that can unlock conversations, even if the participants aren’t based in China, the academics found in their tests of the software.

The research, handed to Forbes ahead of publication on Friday, comes after a difficult week for Zoom, in which it had to apologize for various shortcomings in its privacy and security. The report’s authors, Bill Marczak and John Scott-Railton at the University of Toronto-based Citizen Lab, say their findings raise issues about whether U.S. government organizations should be using it at all. 

Yesterday, Forbes revealed U.S. agencies handling the coronavirus response had spent a collective $1.3 million on Zoom tech in just a few days at the end of March. Not only had the Centers for Disease Control and Prevention (CDC) and the Federal Emergency Management Agency (FEMA) spent hundreds of thousands on Zoom for COVID-19-related webinars and calls, but other government agencies had bought into the tech too. That included the State Department and one organization that was the alleged victim of a major Chinese hack, the Office of Personnel Management, in a breach that saw the private data of 21 million Americans leak. The U.K. government is also a well-known user of the tool, hosting critical cabinet meetings over Zoom.

“The research seems to raise a lot of questions, which Zoom really needs to answer with detail, not vague promises or denials. Be transparent if you want people to trust your product,” said professor Alan Woodward, a cryptography expert at the University of Surrey.

Zoom hadn’t responded to requests for comment. But in an interview published on Forbes on Friday, chief executive Eric Yuan said the company was going to check on how it was routing conversations to China, but emphasized the data was protected. As Citizen Lab hadn’t sent its findings to Zoom, saying it was in the public interest to release the information as soon as possible, the videoconferencing company wouldn’t have been aware of the findings. But Yuan assured that if user data was being transferred to China when users weren’t even based there, “we are willing to address that.”

Marczak told Forbes that any U.S. agency using the government-specific Zoom app (which wasn’t studied by his team) should “take a close look” at whether their conversations are being routed through China. For many other users, Zoom remains a useful tool, he added. 

“To U.S. government organizations, in light of our findings, make sure that the U.S. government folks charged with vetting the Zoom Gov app double check that its security properties are suitable for the way in which U.S. government entities are using the app,” he said. “To everyone else: if you’re using Zoom to have a chat over drinks with your mates like you would at a pub, then by all means, keep calm and Zoom on.”

Zoom’s Chinese connections

Zoom has numerous connections back to China. CEO Yuan was born in Shandong Province and attended university there, though he came to America in the 1990s and now lives in California.

Much of Zoom’s research and development happens in China, which the company has been open about in SEC filings. In the last year, the company has been expanding in China, going from 500 employees to 700, according to SEC documents. The Citizen Lab researchers dug further and found a handful of companies owned by Zoom operating under the name Ruanshi Software.

When Citizen Lab looked at where their U.S. and Canada-based Zoom conversations were being routed, the researchers discovered encryption keys were sometimes sent to Beijing, though they would be handled by servers in other countries too. According to its SEC filings, Zoom isn’t just sending data through China; it also has 13 co-located data centers in Australia, Brazil, Canada, Germany, India, Japan, the Netherlands and the U.S. But the issue with sending data, especially encryption keys, to China is that “Zoom may be legally obligated to disclose these keys to authorities in China,” Citizen Lab noted.

Not that Zoom is unaware of concerns about its links to China. As per a recent SEC filing: “We have a high concentration of research and development personnel in China, which could expose us to market scrutiny regarding the integrity of our solution or data security features.” Huawei, the Chinese telecoms giant, faced such scrutiny in the U.S., to the point it’s been barred from working with any American government organization and has seen its smartphone sales dwindle in the country. 

In a blog post this week, Zoom said “it has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.” But Zoom is yet to release a transparency report showing how it deals with government requests. Other web giants, like Google, Microsoft and Facebook, all reveal when they give up information to different authorities.

What’s up with Zoom encryption?

Zoom had already been forced to apologize for misleading claims that it offered end-to-end encryption. 

With end-to-end encryption, the digital keys that lock up and open user data are only supposed to be generated and stored on the user’s computer or smartphone. In Zoom’s system, its own servers generate the keys and so it has access to them, meaning the audio and video of each call aren’t truly protected.

Marczak and Scott-Railton also found that Zoom was using weaker encryption – the AES-128 algorithm rather than AES-256 – to create those unique keys. And the keys were being shared in what’s known as Electronic Codebook (ECB) mode, they found. When ECB mode is turned on, it’s possible to glean information from within the supposedly-protected data without having to crack the keys. “That’s a gift to cryptanalysts,” notes professor Woodward. Both Woodward and Marczak also noted it’s unclear just how Zoom is generating keys and whether its methods were secure.

Crucially, though, only those with a Zoom meeting password receive the key and guessing AES-128 keys is still incredibly hard. Given the keys change with each new conversation, cracking them in time should be infeasible in almost all scenarios.
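The ECB weakness described above can be shown without any key, as in this added example (not code from the article, Citizen Lab or Zoom). It models only the ciphertext an observer sees: HMAC-SHA256 truncated to 16 bytes stands in for AES so the script runs on the standard library alone, and the sample buffer, function names and counter-mode comparison are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

BLOCK = 16  # AES block size in bytes
SILENCE = bytes(BLOCK)
# Constructed sample: mostly identical "silent" blocks with two distinct ones.
SAMPLE = SILENCE * 4 + b"speech-frame-001" + SILENCE * 3 + b"speech-frame-002" + SILENCE * 2


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]


def ecb_like_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for ECB (not AES): equal plaintext blocks give equal output blocks."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    return b"".join(_prf(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def ctr_like_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Counter mode: block i is XORed with PRF(key, nonce || i)."""
    out = bytearray()
    for n, i in enumerate(range(0, len(plaintext), BLOCK)):
        stream = _prf(key, nonce + n.to_bytes(8, "big"))
        out += bytes(p ^ s for p, s in zip(plaintext[i:i + BLOCK], stream))
    return bytes(out)


def equality_pattern(data: bytes) -> list:
    """Label each block by first appearance; computed without any key."""
    seen = {}
    return [seen.setdefault(data[i:i + BLOCK], len(seen))
            for i in range(0, len(data), BLOCK)]


def repeated_block_fraction(data: bytes) -> float:
    """Share of blocks that duplicate another block in the same buffer."""
    counts = Counter(data[i:i + BLOCK] for i in range(0, len(data), BLOCK))
    return sum(c for c in counts.values() if c > 1) / sum(counts.values())


if __name__ == "__main__":
    key = os.urandom(16)
    print("ECB-like:", equality_pattern(ecb_like_encrypt(key, SAMPLE)))
    print("CTR-like:", equality_pattern(ctr_like_encrypt(key, os.urandom(8), SAMPLE)))
```

A high `repeated_block_fraction` on captured ciphertext is a quick indicator that a deterministic per-block mode is in use; a mode with a per-message nonce should score zero on the same input.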

And Marczak said that Zoom at least appeared to be working on addressing its security. In a blog post this week, Yuan said Zoom was pausing all feature development to focus on privacy and security. “The fact that Zoom recently voluntarily admitted that they don’t actually use end-to-end encryption, and committed themselves to make security and privacy improvements in their app, is an encouraging sign,” the researcher said.

Ultimately, anyone having sensitive conversations should therefore consider whether Zoom is suitable, he noted. “I would think very carefully before I used Zoom to communicate classified information, trade secrets, or confidential medical data,” Marczak said. “If you are a human rights defender, lawyer, journalist, or anyone else working on sensitive topics that you think a nation-state or other powerful adversary might be interested in, I would advise you to wait for Zoom to make security improvements in their app before you use it.”

And, as with any Zoom chat, it’d be wise to add a password to prevent any “Zoom bombers” ruining your self-quarantined fun.
