Zoom is a popular video conferencing app that is used by numerous businesses for conducting online meetings and group discussions. One of the features highlighted by the app is its support for end-to-end encryption for video calls. However, a recent report by watchdog Citizen Lab claims that the company not only holds on to the encryption keys, but might also send them to China in some instances.
After it recently came to light that Zoom had misled its customers about end-to-end encryption, falsely guaranteeing that only the participants of a video call could decrypt the conversation, the Chief Product Officer apologized for the “confusion.” When someone starts a Zoom meeting, the software fetches a key and uses it to encrypt the audio and video. This key is generated by Zoom’s cloud infrastructure, which consists of a number of servers spread throughout the world.
Every user gets the same key when they join an online conference. This key is transferred to the Zoom software on users’ devices from the company’s “key management system” servers over TLS (Transport Layer Security), which protects the key in transit but not from the server that generated it and keeps a copy. A few of the key management system servers are located in China, about 5 of 73 according to the Citizen Lab report, while the rest are in the United States. Servers in China are also used for Zoom chats. During a test call conducted by individuals residing in the U.S. and Canada, it was found that the encryption key for the meeting was sent to the users from a server located in Beijing. And herein lies the security risk.
“Zoom may be legally obligated to share encryption keys with Chinese authorities if the keys are generated on a key management server hosted in China. If the Chinese authorities or any other hypothetical attacker with access to a key wants to spy on a Zoom meeting, they also need to either monitor the internet access of a participant in the meeting, or monitor the network inside the Zoom cloud. Once they collect the encrypted meeting traffic, they can use the key to decrypt it and recover the video and audio,” according to The Intercept.
Zoom claims that it has never created a mechanism to decrypt live meetings and that it has no ability to insert third parties into an online meeting without their presence being reflected in the participant list. However, the company has yet to confirm its stance on how it handles government requests.
U.S. security firm FireEye has identified a hacking campaign by the Chinese state-backed group APT41 that targeted FireEye’s clients. FireEye is calling the attack one of the broadest Chinese campaigns in years. The attack was aimed at companies in the U.S., UK, Japan, France, Saudi Arabia, UAE, Sweden, Singapore and several other countries. It sought to exploit vulnerabilities in Cisco routers, Citrix NetScaler/ADC, and Zoho’s ManageEngine Desktop Central software. Interestingly, FireEye did not observe any APT41 activity between February 2 and 19.
“China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry,” FireEye said in a blog. Hacking campaigns by APT41 are often aimed at stealing intellectual property. FireEye warned that APT41 was one of the most prolific threats the security firm is tracking in 2020.