An investigation by Citizen Lab highlighted several security issues in the teleconferencing application Zoom, on all platforms, and the company was quick to promise sweeping changes meant to make Zoom more secure and transparent.
Citizen Lab raised two major issues: one concerning traffic between Zoom participants being routed through Chinese servers, and another concerning end-to-end encryption that does not follow industry standards.
The investigation also raised a non-technical issue. Much of the app's research and development takes place in China, even though Zoom is an American company and most of its revenue comes from the United States. Technically, that would leave the company open to pressure from Chinese authorities.
Eric Yuan, CEO and founder of Zoom, has answers to the two technical issues but made no mention of the large team of developers working out of China.
First, it turns out that Zoom uses a geofencing feature that ensures traffic between participants outside China is not routed through Chinese servers. Conversely, traffic inside China uses only servers in China.
After the application saw a surge in usage as the COVID-19 pandemic started to spread, the company added new servers to cope with the demand and mistakenly placed two Chinese servers on a whitelist. The two servers were quickly removed after the Citizen Lab report came out.
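The whitelist mistake described above is a configuration-hygiene problem: a geofencing policy is only as good as the allow-list it is applied to. The following is an added example, not Zoom's code, showing how a relay allow-list can be linted against a region policy before any meeting is routed over it, and how routing refuses to proceed while the list is inconsistent. The pool names, hosts, regions and the exact policy (one pool restricted to China, one pool that must exclude China) are assumptions constructed for the example.

```python
# Added example (not Zoom's code): validating a relay allow-list against a
# geofencing policy, so a server added to the wrong pool is caught before it
# carries any traffic. Pool names, hosts and regions are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    host: str
    region: str  # country where the relay physically runs, e.g. "US" or "CN"


# Policy assumed for this example: the "cn" pool may contain only relays in
# China and is used when every participant is in China; the "global" pool
# must contain no relay in China and is used for everything else.
RESTRICTED_REGION = "CN"

# Constructed allow-list with the kind of mistake described in the report:
# a China-hosted relay sitting in the pool meant for everyone else.
POOLS = {
    "global": [
        Relay("relay-us-1.example", "US"),
        Relay("relay-de-1.example", "DE"),
        Relay("relay-cn-9.example", "CN"),  # wrong pool
    ],
    "cn": [
        Relay("relay-cn-1.example", "CN"),
        Relay("relay-cn-2.example", "CN"),
    ],
}


def lint_pools(pools):
    """Return a list of human-readable policy violations (empty if clean)."""
    violations = []
    for relay in pools["global"]:
        if relay.region == RESTRICTED_REGION:
            violations.append(f"global pool contains {RESTRICTED_REGION} relay {relay.host}")
    for relay in pools["cn"]:
        if relay.region != RESTRICTED_REGION:
            violations.append(f"cn pool contains non-{RESTRICTED_REGION} relay {relay.host}")
    return violations


def remove_violations(pools):
    """Return a cleaned copy of the allow-list with misplaced relays dropped."""
    return {
        "global": [r for r in pools["global"] if r.region != RESTRICTED_REGION],
        "cn": [r for r in pools["cn"] if r.region == RESTRICTED_REGION],
    }


def select_relay(participant_regions, pools):
    """Pick a relay for a meeting, refusing to route on a mis-configured list.

    Selection within the pool is the first entry, for determinism; a real
    deployment would choose by latency or load within the permitted pool.
    """
    violations = lint_pools(pools)
    if violations:
        raise ValueError("allow-list violates geofencing policy: " + "; ".join(violations))
    pool = "cn" if all(r == RESTRICTED_REGION for r in participant_regions) else "global"
    return pools[pool][0]


if __name__ == "__main__":
    for v in lint_pools(POOLS):
        print("VIOLATION:", v)
    clean = remove_violations(POOLS)
    print("US/DE meeting ->", select_relay(["US", "DE"], clean).host)
    print("CN/CN meeting ->", select_relay(["CN", "CN"], clean).host)
```

The design point is that the lint runs on the data path, not only in a review step: `select_relay` will not hand out any relay while the allow-list contradicts the policy, so a server added to the wrong pool fails loudly instead of quietly carrying traffic.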
The second problem concerns the end-to-end encryption the app supposedly uses. It turns out that, while Zoom uses the term end-to-end encryption, it is not referring to the industry-standard meaning of the term.
Citizen Lab states that the encryption Zoom uses could allow the company to build tools to eavesdrop on conversations, or even record them. The company said it has no such tools and is working, with help from the community, to strengthen protection.
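What separates encryption that is end-to-end in the industry-standard sense from encryption that merely protects the transport is who holds the key: if the meeting server ever has the key, it can build exactly the kind of eavesdropping tooling Citizen Lab describes, whatever the marketing term says. The following is an added example, not Zoom's or Citizen Lab's code, running the same encrypted channel under both key-distribution models. The `Relay`, `seal` and `unseal` names are assumptions, the cipher is a deliberately simple HMAC-SHA256 counter-mode construction chosen only so the example runs on the standard library, and in the end-to-end model the clients' shared key is assumed to have been agreed out of band (real protocols use an authenticated key agreement the server does not take part in).

```python
# Added example (not Zoom's or Citizen Lab's code): the same encrypted channel
# under two key-distribution models. The toy cipher (HMAC-SHA256 keystream +
# HMAC tag) exists only so the example runs on the standard library; it is not
# a recommendation. All names are constructed.
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Derive `length` bytes of keystream from key and nonce (counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Return the plaintext, or None if the tag does not verify under `key`."""
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class Relay:
    """The meeting server: forwards blobs and remembers every key it has handled."""

    def __init__(self):
        self.keys_seen = []
        self.forwarded = []

    def forward(self, blob):
        self.forwarded.append(blob)
        return blob

    def what_i_can_read(self):
        """Every forwarded message the relay can decrypt with keys it has seen."""
        readable = []
        for blob in self.forwarded:
            for key in self.keys_seen:
                plaintext = unseal(key, blob)
                if plaintext is not None:
                    readable.append(plaintext)
        return readable


def server_managed_meeting(relay, message):
    """Model A: the relay generates the meeting key and hands it to each client."""
    key = os.urandom(32)
    relay.keys_seen.append(key)  # the server necessarily knows the key
    alice_key = bob_key = key
    blob = relay.forward(seal(alice_key, message))
    return unseal(bob_key, blob)


def end_to_end_meeting(relay, message, shared_key):
    """Model B: the clients hold a key the relay never sees.

    Assumption for this example: `shared_key` was agreed between the clients
    out of band. The relay carries only ciphertext.
    """
    blob = relay.forward(seal(shared_key, message))
    return unseal(shared_key, blob)


if __name__ == "__main__":
    msg = b"constructed sample message"
    a = Relay()
    server_managed_meeting(a, msg)
    print("server-managed: relay can read", a.what_i_can_read())
    b = Relay()
    end_to_end_meeting(b, msg, os.urandom(32))
    print("end-to-end:     relay can read", b.what_i_can_read())
```

In both models the bytes on the wire are encrypted and the recipient decrypts them successfully; the only difference is whether the relay's `keys_seen` is populated, and that alone decides whether `what_i_can_read` returns the conversation. A vendor's claim of end-to-end encryption is therefore a claim about key distribution, and that is the property to verify.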
“Due to the unique needs of our platform, our goal is to utilize encryption best practices to provide maximum security, while also covering the large range of use cases that we support,” said Zoom’s CEO.
“We are working with outside experts and will also solicit feedback from our community to ensure it is optimized for our platform.”
Following a flurry of Zoom security problems over the past month, including data leaked to Facebook through the SDK and the bypassing of macOS protections to install the client without admin rights, Eric Yuan said that implementation of new features has been halted for 90 days and the teams are focusing solely on security fixes.