The past few days have been difficult for Zoom. After a few happy weeks, in which the video conferencing application managed to capitalize on the rise of teleworking around the world because of the coronavirus, it was learned earlier this week that its developers had lied when they claimed they used end-to-end encryption.
Shortly after, Zoom apologized, clarified that such end-to-end encryption was indeed conditional on multiple factors, and announced several measures to regain the trust of users (updates, external audits, etc.).
From Boston to Los Angeles … passing through Beijing
But how does encryption of a video call with Zoom really work? Let’s see: when the software initiates the video call, it obtains a key (from the Zoom cloud) that it uses to encrypt the audio and video, the same key that the rest of the clients will obtain as they join the meeting. This key comes from the Zoom cloud, made up of servers spread around the world.
Zoom servers working during a video call. Image | Citizen Lab
Depending on how the meeting is configured, some specific servers in this cloud, called “connectors”, can also get a copy of the key. For example: if someone joined the meeting with a phone call, they would actually be calling the “Zoom Telephony Connector” server, which in turn will receive a copy of the key.
Of Zoom’s 73 cloud-powered servers, most are installed in the United States, but 5 of them are in China. And, according to the Citizen Lab of the University of Toronto, many conversations between users outside that Asian country end up going through those servers.
The problem with this is, as the Citizen Lab mentions in its report, that if the key generator server is on Chinese soil, the Chinese government has a legal right to require that the owner company (Zoom) share these keys with it. This would allow the authorities of the Asian country to monitor the video and audio traffic of the video call, which is a catastrophe for many defenders of privacy (and of the West’s industrial secrets).
Maybe that will help explain why we found out yesterday that SpaceX, Apple and NASA banned their workers from using Zoom for communications related to their respective entities.
Yet another problem
But that is not all. In the past few hours, the Washington Post has also disclosed another notable Zoom vulnerability: when the feature for recording a video copy of a meeting is used, the name of the resulting files always has the same structure, which makes it much easier for an open web search to reveal (and allow access to) thousands of recorded sessions, sometimes through leaks, sometimes because of incorrect privacy settings.
Patrick Jackson, the cybersecurity expert who alerted the Post, claimed to have found 15,000. And their subject matter (one of them is a conversation between a therapist and a patient about self-harm) makes it clear that they were not intended for open publication.
Zoom’s response, published by Mashable, was as follows:
“Zoom notifies participants when a host chooses to record a meeting and provides a secure way for hosts to store recordings. Zoom meetings are only recorded at the host’s choice, either locally on their computer or in the Zoom cloud.
If the hosts later decide to upload their recordings elsewhere, we urge them to be very careful and transparent with meeting participants, carefully evaluating whether the meeting contains confidential information and the opinion of the participants themselves.”
Track | The Intercept & Washington Post