Zoom video conferencing app hit by more security concerns

Last week, British prime minister Boris Johnson was widely mocked for sharing a screenshot of a cabinet meeting held over the Zoom video conferencing platform.

As Twitter users quickly noticed, the image included the Zoom meeting ID number, as well as the usernames of some of the ministers taking part. There was speculation that members of the public might be able to dial into the meeting – although Downing Street insisted that the meeting was password protected, so the ID alone would not have been enough to join.

As the world goes into lockdown, more and more meetings are being carried out online – indeed, according to consumer analytics company Viewers Logic, video conferencing apps such as Zoom have seen a jump in usage of 750% over the last two weeks.

And, it seems, Johnson and his team got off lightly. Reports are flooding in of 'Zoombombing' – uninvited trolls jumping into Zoom calls and posting pornographic or racist images, typically after finding a meeting ID that was shared publicly or guessing one that had no password.

Nor is it only corporate meetings – a couple of weeks ago, an online class from a Massachusetts-based high school was invaded by an outsider who swore and then called out the teacher's home address.

FBI warns users

Events such as these have prompted the FBI to issue a warning. Users shouldn't make meetings public, it says: instead, in Zoom, they can require a meeting password or use the waiting room feature to control the admittance of guests. Meeting links shouldn't be posted on publicly accessible social media; they should be sent directly to the intended attendees.

Users should manage screen sharing options (setting sharing to 'Host Only' in Zoom, so that an intruder who does get in cannot broadcast to the room) and should make sure they're using the latest version of the software – a recent Zoom update added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.

These are of course comparatively basic measures, which users – especially those using the system for work – should be applying as a matter of routine.

More worryingly, though, Zoom has turned out to have further potentially serious security flaws. Most recently, in a report from Canada's Citizen Lab on Friday, it's been accused of routing some meeting traffic and encryption keys through servers in China, and of claiming falsely that it offered end-to-end encryption. What Zoom actually provides is encryption between each client and Zoom's infrastructure, using a meeting key that Zoom's own servers generate and distribute – and, Citizen Lab found, a single AES-128 key used in ECB mode, which preserves patterns in the plaintext.

"Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption," says chief product officer Oded Gal in a blog post.

"While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."

In fact, when all meeting participants are using Zoom clients, and the meeting is not being recorded, all video, audio, screen sharing, and chat content is encrypted at the sending client, and isn't decrypted until it reaches the receiving clients. The catch is that the meeting key those clients use is generated by, and therefore known to, Zoom's servers: the content passes through Zoom's cloud in encrypted form, but Zoom could decrypt it. That is the discrepancy with the accepted meaning of end-to-end encryption, under which only the endpoints hold the keys.

But, says Gal, "When users join Zoom meetings using devices that do not inherently use Zoom’s communication protocol, such as a phone (connected via traditional telephone line, rather than the app) or SIP/H.323 room-based systems, Zoom’s encryption cannot be applied directly by that phone or device."

The company is attempting to address this through the creation of a series of 'Connectors' – effectively Zoom clients that operate in Zoom's cloud and act as the endpoint on behalf of the non-Zoom device.

"Content remains encrypted to each connector, and when possible we will encrypt data between each connector and the eventual destination (such as a non-Zoom room system)," says Gal. It's a solution of sorts: because the connector has to decrypt the stream in Zoom's cloud before re-encoding it for the phone or room system, any meeting that includes such a device is necessarily readable by Zoom, whatever encryption is used elsewhere.
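The distinction the article turns on, shown as an added example that is not code from Zoom or Citizen Lab: a sketch in Go of the two key-handling designs. Model A is the arrangement Citizen Lab describes, a meeting key generated by the service and handed to each joining client, so frames are encrypted on the clients but the service can still read them. Model B is end-to-end in the accepted sense: each client makes its own key pair, only public keys cross the relay, and the meeting key is derived on the endpoints. AES-256-GCM, X25519 and a SHA-256 key derivation are my assumptions for the sketch; the article does not state Zoom's actual cipher or key exchange, and the names KeyServer, E2EClient and RelayCanRead are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Frame is one encrypted media or chat packet as seen by the relay server.
type Frame struct {
	Nonce      []byte
	Ciphertext []byte
}

// aead builds AES-256-GCM for a 32-byte key (assumed cipher; the article does
// not specify Zoom's real media cipher).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a packet on the sending client.
func seal(key, plaintext []byte) (Frame, error) {
	g, err := aead(key)
	if err != nil {
		return Frame{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Frame{}, err
	}
	return Frame{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, nil)}, nil
}

// open decrypts and authenticates; GCM's tag check rejects any wrong key.
func open(key []byte, f Frame) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, f.Nonce, f.Ciphertext, nil)
}

// Model A (server-distributed key, hypothetical name): the service mints the
// meeting key and hands it to each joining client, so it can read every frame.
type KeyServer struct{ meetingKey []byte }

func NewKeyServer() (*KeyServer, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyServer{meetingKey: k}, nil
}

// Join returns the key a client receives when it enters the meeting.
func (s *KeyServer) Join() []byte { return s.meetingKey }

// Intercept is the service (or whoever compels it) reading a relayed frame.
func (s *KeyServer) Intercept(f Frame) ([]byte, error) { return open(s.meetingKey, f) }

// Model B (end-to-end, hypothetical name): X25519 key pair per client; only
// public keys cross the relay and the meeting key lives solely on endpoints.
type E2EClient struct {
	priv *ecdh.PrivateKey
	Key  []byte
}

func NewE2EClient() (*E2EClient, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &E2EClient{priv: priv}, nil
}

func (c *E2EClient) Public() []byte { return c.priv.PublicKey().Bytes() }

// Pair derives the shared key from the peer's public key (SHA-256 as a
// minimal KDF; a production design would use HKDF with a context label).
func (c *E2EClient) Pair(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	secret, err := c.priv.ECDH(pub)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(secret)
	c.Key = sum[:]
	return nil
}

// RelayCanRead models a relay that saw only the two public keys: the best it
// can do is derive a guess from them, and the tag check rejects that guess.
func RelayCanRead(pubA, pubB []byte, f Frame) bool {
	guess := sha256.Sum256(append(append([]byte{}, pubA...), pubB...))
	_, err := open(guess[:], f)
	return err == nil
}

func main() {
	srv, _ := NewKeyServer()
	f, _ := seal(srv.Join(), []byte("cabinet minutes")) // constructed sample packet
	pt, err := srv.Intercept(f)
	fmt.Printf("server-keyed: service reads %q (err=%v)\n", pt, err)

	a, _ := NewE2EClient()
	b, _ := NewE2EClient()
	_ = a.Pair(b.Public())
	_ = b.Pair(a.Public())
	f2, _ := seal(a.Key, []byte("cabinet minutes"))
	pt2, _ := open(b.Key, f2)
	fmt.Printf("end-to-end: peer reads %q; relay can read: %v\n", pt2, RelayCanRead(a.Public(), b.Public(), f2))
}
```

Running it prints the same plaintext in both models from the receiving peer's point of view, which is exactly why the two are easy to conflate in marketing copy; the difference is only visible from the relay's position, where Model A decrypts and Model B fails the authentication check. Connectors for phones and SIP/H.323 rooms necessarily sit on the Model A side, since the connector must hold the key to re-encode the stream.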

Meanwhile, reports of a China connection may be equally hard to dismiss.

As Citizen Lab points out, "A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China." 

While the company says that routing North American traffic through China was a simple oversight during a ramp-up of data center capacity, much of its software is developed through three companies in China, owned by Zoom, that employ at least 700 people.

All this means that Zoom's reputation has been seriously tarnished. 

"An app with easily-identifiable limitations in cryptography, security issues, and offshore servers located in China which handle meeting keys presents a clear target to reasonably well-resourced nation state attackers, including the People’s Republic of China," says Citizen Lab.

"As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality."