Zoom under fire for security vulnerabilities, ties to China

'Zoom has fatal flaws in their security architecture,' Keeper Security CEO Darren Guccione told FOX Business


A study by the University of Toronto's Citizen Lab found new and significant security flaws in video conferencing app Zoom, including ties to China.

The app, which grew from 10 million to 200 million in March because so many people were required to work from home to slow the spread of the novel coronavirus pandemic, is facing several investigations in relation to its data privacy and security practices.

"In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began. In that process, we failed to fully implement our usual geo-fencing best practices," Zoom founder Eric Yuan said in an April 3 response to the findings.

The study, published April 3 by Marczak and Scott-Railton, described three particular cybersecurity vulnerabilities found in Zoom's technology.

"Zoom has fatal flaws in their security architecture," Darren Guccione, CEO and co-founder of cybersecurity firm Keeper Security, told FOX Business.

He added that users should "absolutely be worried and upset" that they were led to believe the platform was secure when the study shows that it still has a long way to go.

"Like many other companies today with security issues, Zoom needs to understand that its business extends beyond creating and selling a productivity application," he said.

1. Encryption codes coming from China

First, the Marczak and Scott-Railton study found that five of Zoom's 73 "key management systems," which generate unique encryption keys for users' calls, are located in China.


These encryption keys are generated for each individual Zoom call to keep conversations private by changing plain text into unreadable code, but Guccione says Zoom's codes leave some plain text in a readable format.

The significance of having offices in China that generate encryption codes is the fact that under a 2017 Chinese law, the Chinese government could potentially force Zoom to give up those keys, which hold users' personal information.

Guccione said this particular finding highlights the fact that Zoom does not use zero-knowledge security, which he called the company's "overarching flaw."

"In a zero-knowledge security architecture, the customer is always in complete control of their master password and their encryption keys," he said, adding that it ensures that the user has knowledge of and access to their encryption keys to make calls. Instead, the company has access to all of its users' encryption keys.


2. Some U.S. and Canada Zoom calls were connected to China for no reason

Further, some Zoom calls made by U.S. and Canada users were routed through these key management systems in China despite having no China-based participants, a flaw that, Yuan said, the company has since corrected.

"It is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect," the Zoom founder said. "We have since corrected this, and would like to use this blog post to explain how our system typically works, where our misstep occurred, and how we will prevent these kinds of problems in the future."

Marczak and Scott-Railton also note in their study that Zoom employs about 700 people in China, which "is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities."

In this April 2, 2020, frame from a Zoom video, the Rev. Laura Everett in Boston delivers a sermon for Boston's First Baptist Church. (The Rev. Laura E. Everett via AP)

This information comes on top of a lawsuit accusing Zoom of sharing personal user information with Facebook.

As Guccione pointed out, because Zoom does not use zero-knowledge security, if someone breached the company's systems, that person would have access to users' encryption keys and all of their personal information that Zoom apparently holds.

"If you can breach a database with this information, it's a total bonanza," he said.

He added that "this is a common thread in so many businesses today [in which] they fail to realize that when they collect ... sensitive and confidential customer information, they have a duty to protect, safeguard and prevent its distribution and misuse to third-parties."


Zoom disputed the accusation that it sent personal information to Facebook in a statement to Vox's tech magazine, Motherboard, but said it had sent information about user devices to the social media site. It also said it made updates to the app to ensure that it does not happen in the future.

3. Encryption key standards severely outdated

The standards by which those encryption keys are generated are outdated. Guccione said they date back to the 1980s.

Even though Zoom claims to comply with Advanced Encryption Standard 256, Marczak and Scott-Railton found that "by default, all participants' audio and video in a Zoom meeting appears to be encrypted and decrypted with a single AES-128 key shared amongst the participants."

But that isn't true, Guccione said. Zoom is using "ECB Mode, which is an older encryption standard that dates back to 1981."
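As an added example (not code from the article, from Zoom or from the Citizen Lab researchers), the Go program below shows what makes a single shared AES-128 key in ECB mode weak: identical 16-byte plaintext blocks, such as repeated frames of silence or a static video frame, encrypt to identical ciphertext blocks, while a counter mode with a per-message IV does not leak that pattern. The key, IV and payload are constructed values, and the duplicate-block count is the kind of check an analyst would run over captured ciphertext to spot ECB.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt applies the block cipher to each 16-byte block on its own. Go omits
// ECB from its standard library on purpose; this loop only demonstrates the weakness.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	if len(pt)%block.BlockSize() != 0 {
		panic("ECB needs block-aligned plaintext")
	}
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += block.BlockSize() {
		block.Encrypt(out[i:i+block.BlockSize()], pt[i:i+block.BlockSize()])
	}
	return out
}

// ctrEncrypt uses AES-CTR: the IV gives every block a unique keystream (never reuse it under one key).
func ctrEncrypt(block cipher.Block, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(out, pt)
	return out
}

// duplicateBlocks counts repeated 16-byte ciphertext blocks, the classic ECB fingerprint.
func duplicateBlocks(ct []byte) int {
	seen, dups := map[string]int{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	for _, n := range seen {
		dups += n - 1
	}
	return dups
}

func main() {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed 128-bit key
	if err != nil {
		panic(err)
	}
	iv := []byte("fedcba9876543210")                   // constructed IV, fixed only so the demo is deterministic
	pt := bytes.Repeat([]byte("SILENCE-FRAME-01"), 4) // constructed payload: one "frame" repeated, like silence
	fmt.Println("ECB repeats:", duplicateBlocks(ecbEncrypt(block, pt)), "CTR repeats:", duplicateBlocks(ctrEncrypt(block, iv, pt)))
}
```

With the constructed payload of four identical blocks, ECB yields three repeated ciphertext blocks and CTR yields none.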

Eric Yuan, CEO of Zoom Video Communications poses for a photo after he took part in a bell ringing ceremony at the NASDAQ MarketSite in New York, New York, U.S., April 18, 2019. (REUTERS/Carlo Allegri)

He added that it's possible Zoom "has the ability to monitor encrypted calls because they have access to the encryption keys."

This finding relates back to Zoom's claim that it offered end-to-end encryption -- a type of technology that prevents developers and other third parties like hackers or law enforcement from accessing private communication between two parties on a platform. Apps such as Facebook Messenger and WhatsApp offer this feature.


Zoom claimed that its servers were endpoints, suggesting that only users have access to their private conversations, but the study shows that the app's servers were not endpoints but instead acted as intermediaries, meaning Zoom had access to those conversations.

"This is why cybercriminals are Zoombombing," Guccione said, referring to a new internet trend that has exposed a Zoom security flaw in which someone enters a private Zoom meeting without being invited and disrupts the conversation. Some instances are harmless, while others have prompted serious security and safety concerns.

Yuan said his company is working to upgrade its encryption design.

"Due to the unique needs of our platform, our goal is to utilize encryption best practices to provide maximum security, while also covering the large range of use cases that we support," he said. "We are working with outside experts and will also solicit feedback from our community to ensure it is optimized for our platform."

Guccione recommended not hosting any sensitive or confidential calls on the app "until Zoom addresses and resolves the security and privacy issues raised in both the researcher’s report and [in] recent lawsuits."