The University of Toronto’s Citizen Lab published a damning report on Zoom’s security, which found that Zoom meetings are protected with a single AES-128 key, rather than the AES-256 encryption that Zoom claims to use whenever possible.

The report read: “We find that Zoom has ‘rolled their own’ encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys through China.”

Encryption issues

In a Zoom blog post published this month, the company conceded, “While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”

Because Zoom does not implement end-to-end encryption in the standard sense (the meeting key is generated and distributed by Zoom’s own servers, so Zoom holds it), the company could in theory decrypt and monitor calls hosted on the platform. Zoom has strongly denied ever doing so.
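To make the distinction in the two paragraphs above concrete, here is an added Go example; it is not code from Citizen Lab, from Zoom, or from this article. It contrasts the model the report describes (one AES-128 key generated by the service and handed to every participant, so the operator can decrypt whatever it relays) with end-to-end key agreement, in which the server forwards only public keys and the AES key never exists anywhere but on the endpoints. AES-GCM and X25519 are this example’s own choices; the report says nothing about Zoom’s mode of operation or key exchange, and the “media frame” is a constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newGCM builds an AES-GCM AEAD; a 16-byte key selects AES-128. GCM is this
// example's choice of mode; the report does not say which mode Zoom used.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aesGCMSeal encrypts one media frame, prepending the random nonce.
func aesGCMSeal(key, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; the GCM tag check fails for any other key.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ServerMediated models the scheme the report describes: the service generates one
// AES-128 meeting key and hands that same key to every participant. It reports
// whether the operator can read a frame Alice sends to Bob.
func ServerMediated(frame []byte) (bool, error) {
	meetingKey := make([]byte, 16) // one 128-bit key for the whole meeting
	if _, err := rand.Read(meetingKey); err != nil {
		return false, err
	}
	sealed, err := aesGCMSeal(meetingKey, frame) // Alice encrypts with her copy
	if err != nil {
		return false, err
	}
	// Bob decrypts with his copy; the operator, which issued the key and so holds
	// an identical copy, can do exactly the same to any frame it relays.
	got, err := aesGCMOpen(meetingKey, sealed)
	return err == nil && bytes.Equal(got, frame), nil
}

// EndToEnd models the commonly accepted definition: each endpoint generates its own
// key pair, the server relays only public keys, and the AES key exists only on the
// endpoints. It reports whether the server can read the frame from what it relayed.
func EndToEnd(frame []byte) (bool, error) {
	curve := ecdh.X25519()
	alice, errA := curve.GenerateKey(rand.Reader)
	bob, errB := curve.GenerateKey(rand.Reader)
	if errA != nil || errB != nil {
		return false, fmt.Errorf("key generation failed: %v %v", errA, errB)
	}
	// Everything the server ever sees: the two public keys it forwarded.
	serverSaw := append(alice.PublicKey().Bytes(), bob.PublicKey().Bytes()...)

	// Each side computes the X25519 shared secret with its own private key and
	// derives the AES-128 key locally. Truncated SHA-256 stands in for a proper KDF
	// (HKDF with context binding) to keep the example short.
	sharedA, errA := alice.ECDH(bob.PublicKey())
	sharedB, errB := bob.ECDH(alice.PublicKey())
	if errA != nil || errB != nil {
		return false, fmt.Errorf("ECDH failed: %v %v", errA, errB)
	}
	keyA, keyB := sha256.Sum256(sharedA), sha256.Sum256(sharedB)

	sealed, err := aesGCMSeal(keyA[:16], frame) // Alice encrypts
	if err != nil {
		return false, err
	}
	if got, err := aesGCMOpen(keyB[:16], sealed); err != nil || !bytes.Equal(got, frame) {
		return false, fmt.Errorf("Bob could not decrypt: %v", err)
	}
	// Without either private key the server cannot compute the shared secret; the
	// best it can do from public material is a guess, which the GCM tag rejects.
	guess := sha256.Sum256(serverSaw)
	_, err = aesGCMOpen(guess[:16], sealed)
	return err == nil, nil
}
```

Call `ServerMediated(frame)` and `EndToEnd(frame)` with any byte slice: the first returns true (the operator reads the frame because it issued the key), the second false (the operator relayed only public keys and cannot derive the AES key). The difference is not the key length; it is who possesses the key, which is the discrepancy Zoom’s blog post conceded.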

Furthermore, Citizen Lab alluded to a security issue with Zoom waiting rooms, stating that they did not want to provide public information on the matter at this point in time, in order to prevent it from being abused.

Geofencing practices

On top of this, there is the question of the keys used to encrypt and decrypt meetings being transmitted through servers in China.

Although it is headquartered in Silicon Valley, Zoom owns three companies in China, which collectively have 700 employees that develop Zoom’s software. Citizen Lab found that some encryption keys were distributed through at least five servers in Beijing. The report concluded that this was “potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China”.

In a statement released on the same day as the Citizen Lab report, Zoom CEO Eric Yuan said that server capacity was deployed quickly to deal with the increased demand of the COVID-19 pandemic, and admitted that geofencing best practices were not properly implemented alongside this expansion.

Zoom stated that although geofencing usually ensured that users outside China did not have their meeting data routed through the company’s data centres on mainland China, due to their “haste” to expand capacity, two Chinese data centres were added to the whitelist of backup bridges (backup bridges are automatically used by Zoom when there is network congestion or other issues disrupting a connection).

How Zoom is trying to correct these oversights

Zoom said that they immediately took the data centres in mainland China off the whitelist of secondary backup bridges for users outside China once the issue was brought to their attention (on the 2nd of April).

Eric Yuan also said: “We recognize that we can do better with our encryption design… We are working with outside experts and will also solicit feedback from our community to ensure it is optimized for our platform.” However, he did not confirm or deny that Zoom calls were protected with an AES-128 key rather than the advertised AES-256.

Starting from the 5th of April, Zoom brought in new security features aimed at deterring hacking and Zoombombing. Now, attendees that manually enter a meeting ID will also need to enter a password to join – though there will be no change for those using meeting links.

Hosts will now be able to manage participants before a meeting commences, either by hitting the Admit All option or by individually selecting which participants can join. This is part of the now automatically enabled Waiting Room feature, which holds participants outside the meeting until the host admits them.

In its report, however, Citizen Lab recommended relying on password protection rather than waiting rooms, given the undisclosed waiting-room issue noted above.

Moving ahead, Zoom has said that they are focusing on boosting security before they release new features. On the 1st of April Yuan said the company was “enacting a feature freeze, effective immediately, and shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues”.

Although Citizen Lab raised numerous concerns, they stated that their findings should not necessarily be concerning for those who only use Zoom in a social context.

Nevertheless, many Zoom users may now be considering alternative platforms. Zoom has faced numerous problems in recent weeks, with new lawsuits against the company and Zoombombing incidents. Just a couple of days ago authorities in New York City banned Zoom from being used for virtual lessons. The Sydney Morning Herald reported that Australia’s own Privacy Commissioner was considering the privacy impacts of these technologies and whether any regulatory action is required.