Last updated on 2020-01-18

0. Summary

Zoom has a history of poor security practices and deceitful claims to its users. Its record on user freedom is exceptionally poor because Zoom actively cooperates with the Chinese Communist Party to censor and surveil users in and outside of mainland China. From the U.S. Department of Justice:

…the PRC government had directed [Zoom] to develop the capability to respond to a PRC government demand to terminate an illegal meeting, account or recording within one minute

[Zoom] pledged to migrate the data storage of the accounts of approximately one million ‘Chinese users’ from the United States to the PRC, thereby subjecting these accounts to PRC law and process…

1. Why Platform Choice Matters

Communication platforms typically benefit from the network effect – the more people on a given platform, the more pressure there is to use it. Most people don’t use Zoom because they shopped around and chose a videoconferencing platform with features that they liked. Instead, they were invited to events that use it, and they know that those they invite to a call are likely to already use the platform. The value of the Zoom platform derives from the friends, family, and co-workers who use it.

The use of insecure platforms like Zoom for official, semi-official, or social functions strongly encourages more people to install them – and the presence of those users encourages further adoption. The network effect encourages many people to use these platforms without being informed of the risks – risks which might be unreasonable to expect non-experts to fully understand. Some have the immense privilege of not needing to fear their country’s government, but that is not the case for many. If the only people who use secure communications are activists and others threatened by tyrannical regimes, the mere use of those technologies marks them for additional scrutiny.

2. Privacy of Zoom Calls

Zoom has misled users for years about the privacy of their calls. An FTC complaint regarding Zoom’s deceptive marketing practices shows that Zoom advertised its product as suitable for confidential healthcare information because it “employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 256-bit keys” when this was not true.

2.1 Type of Encryption

First, despite explicit claims, including showing “secured with end-to-end encryption” in the application interface, Zoom calls are not end-to-end encrypted.

Second, the encryption that is used runs in ECB mode, which is widely known to be particularly insecure for visual content such as a video call: identical plaintext blocks encrypt to identical ciphertext blocks, so the structure of an image survives encryption. This is a violation of extensively studied and well-documented cryptography best practices.
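To make the ECB problem concrete, here is an added example in Go (not Zoom’s code or anything from the original article). It encrypts a constructed, video-like plaintext with AES-128 in ECB mode and in CTR mode, then counts distinct ciphertext blocks; the key, IV, frame layout and the choice of CTR as the comparison mode are all assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample key (16 bytes, so AES-128) and CTR IV; not real Zoom material.
var sampleKey, sampleIV = []byte("0123456789abcdef"), []byte("fedcba9876543210")
// frame is a toy 512-byte "video frame": a flat 0x00 background with one 64-byte row of 0xFF.
func frame() []byte {
	pt := make([]byte, 512) // 32 AES blocks; large uniform regions are what ECB cannot hide
	copy(pt[192:256], bytes.Repeat([]byte{0xFF}, 64))
	return pt
}
// ecbEncrypt encrypts each block independently, so equal plaintext blocks give equal ciphertext blocks.
func ecbEncrypt(block cipher.Block, pt []byte) ([]byte, error) {
	if len(pt)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ECB needs a multiple of %d bytes, got %d", aes.BlockSize, len(pt))
	}
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out, nil
}
// ctrEncrypt XORs a key/IV-derived keystream into the plaintext, so equal blocks encrypt differently.
func ctrEncrypt(block cipher.Block, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(out, pt)
	return out
}
// distinctBlocks counts unique 16-byte ciphertext blocks; far fewer than the total fingerprints ECB.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = true
	}
	return len(seen)
}
func main() {
	block, _ := aes.NewCipher(sampleKey)
	pt := frame()
	ecb, _ := ecbEncrypt(block, pt)
	fmt.Printf("%d blocks: %d distinct under ECB, %d under CTR\n", len(pt)/16, distinctBlocks(ecb), distinctBlocks(ctrEncrypt(block, sampleIV, pt)))
}
```

Under ECB only two distinct ciphertext blocks appear (one for the background, one for the stripe), so the stripe’s position is readable from the ciphertext alone; the same duplicate-block count is a cheap way to flag ECB in any captured ciphertext.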

2.2 Strength of Encryption

Zoom claimed that AES-256 (a 256-bit key) was used to secure calls, when calls actually used a single AES-128 key (128 bits long). Since the work needed to brute-force a key grows exponentially with its length, this is a dramatically weaker system.

2.3 Access to Encryption Keys

Encryption only keeps data private to the extent the keys are kept private. However, researchers in Canada observed that encryption keys were sometimes generated in mainland China, where they could be directly copied by PRC authorities.

3. Security of the Zoom App

When using the Zoom client, you aren’t just trusting Zoom with the content of the call - you are also trusting them with access to your computer. Since the Zoom client is closed-source, you can’t be sure that the client itself is not malicious. Additionally, any vulnerabilities in the Zoom app could allow a third party to access your webcam or the files on your computer, or to install additional malware.

3.1 Vulnerabilities in Zoom software

The Zoom client has had so many security issues that I won’t attempt to cover them comprehensively. Here is a selection:

  • Zoom sent the AES-128 encryption key (the same key they lied about the size of) for calls to users in the waiting room, even if they weren’t approved to join.
    • Zoom’s response claimed that at least the video stream was not sent to users in the waiting room - an attacker would have to independently intercept the encrypted call.
    • The video stream was, in fact, sent to users in the waiting room along with the encryption key.
  • A local user could use the Zoom app to escalate privileges and stealthily access a user’s microphone and camera.
  • Hackers sold knowledge of a Zoom vulnerability that would allow remote code execution on a victim’s computer for $500,000.

3.1.1 What about the Web Client?

Many of the risks to your computer can be mitigated by using the Zoom web client instead of the desktop app, at the expense of many features (polls, viewing multiple participants at once, etc.), but the web client has not been free of issues.

In April 2020, the Zoom web client went offline because a researcher reported a vulnerability in the web client that allowed anyone to easily brute-force the password for a password-protected meeting.

3.2 Zoom is closed-source

Software is written in ‘source code’ which is readable and writable by humans, but it is distributed in the form of ‘machine code’, which is only understandable by processors. If you only have the machine code, it is difficult to determine what the software actually does – you are reliant on the developer to tell you.

‘Open-source’ refers to software that has source code – not just machine code – available, so that you (or a security researcher) can compile it to machine code yourself, and verify that the software does what it claims, and only what it claims. The Zoom client is not open source - there is no way for anyone to easily verify how it works. Researchers had to carefully monitor network traffic and perform a memory dump of the client in order to prove that Zoom was blatantly lying about their cryptography.

3.3 Zoom backdoors

In July 2019, a researcher revealed that the Zoom client for Macs installed a backdoor web server that would allow a hacker to turn on a user’s webcam just by getting them to visit a webpage or open an email. Even worse, this backdoor remained even if the Zoom client was uninstalled.

This vulnerability was so significant that it prompted Apple to issue a silent update to macOS removing the backdoor.

3.4 Supply Chain Attacks

In December 2019, it was revealed that hackers had inserted malicious code into Orion, IT management software produced by SolarWinds. This attack has been called the worst cyber attack of all time and may have compromised over 17,000 organizations including government agencies and the majority of the Fortune 500 companies.

A similar strategy was used in 2017, when Russian hackers pushed a malicious update to Ukrainian tax software and unleashed the NotPetya malware. The attack caused approximately $10 billion in damages, mostly in Ukraine, but it also crippled shipping giant Maersk, which operates around one fifth of all global shipping.

Attackers were able to compromise so many computers, individuals, and organizations because they were able to compromise a software vendor whose products were used across the world. It is possible and even likely that over one billion computers worldwide have the Zoom client installed, and it is difficult to overstate the impact of a criminal government or intelligence agency deploying their own code as an update to Zoom.

Zoom’s SEC filings indicate that they employ 700 engineers in mainland China, and that this is a major part of their business strategy: “our product development team is largely based in China, where personnel costs are less expensive than in many other jurisdictions. If we had to relocate our product development team from China to another jurisdiction, we could experience, among other things, higher operating expenses, which would adversely impact our operating margins”.

Zoom’s reliance on personnel and infrastructure in mainland China likely makes the software development process highly vulnerable to both cyber and human interference from state-affiliated groups such as APT 10, which is believed to be linked with the Tianjin office of the Ministry of State Security.

4. Who is Zoom, Inc and what are their motivations?

As a user, there are many features you may want in a communication platform. Here are a few:

  • Confidentiality: only intended recipients should be able to see message contents
  • Integrity: your messages cannot be changed by a third-party; messages you receive are genuine
  • Availability: messages are delivered quickly and reliably
  • Safety: the application is not a means for someone to otherwise compromise your computer or phone

By contrast, Zoom is a for-profit corporation and, by its own admission, is seeking to deliver returns to its investors. Despite their claims that their sales model is “non-sketchy” and “non-screw-you-over-ish”, they have clearly and repeatedly disregarded the interests of their users. Lying about encryption doesn’t cost them anything unless users are dissuaded from using the platform - which so far, they haven’t been: in September 2020, Zoom had 370,200 paying institutional customers with more than 10 employees, up from 458 in September 2019.

4.1 Data Privacy

Zoom, like many tech companies, has a poor record of defending its users’ privacy rights.

4.1.1 Facebook

In March 2020, the Zoom app for iOS was discovered to share user data with Facebook, even if a user didn’t sign in with a Facebook account. This was not made clear to users in the privacy policy, even if they read it.

Zoom then removed that feature and said they were unaware that the Facebook code in their software was collecting additional information.

4.1.2 Attention Tracking

Zoom had an “attention tracking” feature, which alerted the host of a call if participants clicked away from the call. It was not clear to users that this monitoring was taking place, even if participants were on their personal computer. To their credit, Zoom removed this feature in April 2020.

4.1.3 More Privacy Violations

Zoom’s “Company Directory” feature mistakenly assumed that all users with emails from the same domain worked for the same company, leaking huge lists of names, emails, and profile pictures as a result.

4.2 Free Speech

In June 2020, Zoom terminated multiple calls because they were being used to commemorate the anniversary of the 1989 Tiananmen Square massacre. Zoom initially defended this action as “complying with local laws”, before issuing an apology and saying that they would now only terminate the accounts of Chinese users by order of the PRC.

4.2.1 Is Zoom in control?

In December 2020, the U.S. Department of Justice unsealed an arrest warrant for Jin Xinjiang, a China-based Zoom employee who had been employed as a liaison with PRC authorities. According to the DOJ, Jin’s responsibilities at the company included “proactively monitoring Company-1’s video communications platform for what the PRC government considers to be ‘illegal’ meetings to discuss political and religious subjects unacceptable to the Chinese Communist Party (CCP) and the PRC government”, responding to takedown requests from the PRC government, and providing information about users and meetings to the Ministry of Public Security.

This Zoom employee also collaborated with PRC officials to falsify evidence of pornographic and ISIS-related content affiliated with Chinese dissidents. Zoom admits to complying with PRC requests with regard to users in China; however, their collaboration with PRC agencies and reliance on mainland China-based employees mean that they will likely continue to share information with, and disrupt calls of, targets of the PRC even outside of China.

Alternatives

Jitsi

Jitsi is an encrypted, open-source video conferencing suite that uses WebRTC, an international standard for web communication. You can host your own Jitsi server, but most people would want to use Jitsi Meet for free online. 8x8 offers their own videoconferencing service with some enterprise features built on Jitsi, with many of the advantages.

Google Meet

Another commercial offering is Google Meet. The big advantage of Google Meet over Zoom is that all features are available in the web client, so it does not require users to install, and therefore trust, a local client. Though Google’s commitment to their users’ privacy is tenuous at best, Google services are blocked in mainland China by the Great Firewall due to their refusal to censor search results.

Microsoft Teams

Despite their hilariously euphemistic description of the largest censorship in human history as “high-levels of cross-border network congestion”, Microsoft Teams is blocked in China, which indicates that they probably do not provide user data to the PRC. Like Zoom, the closed-source Microsoft Teams client is required for many features such as gallery view. However, Microsoft has a generally good reputation for software security and there is little reason to believe that the Teams client is, or will soon become, actively malicious.

Epilogue

In May 2020, Boris Johnson tweeted a screenshot of a Zoom call with his cabinet with the meeting ID clearly visible. The government defended the use of Zoom by saying that the meeting was password protected. However, as described above, anyone could have attempted to join the call. If the waiting room was enabled, they would have been sent the video feed along with the encryption key for the call. Otherwise, anyone could have joined the call via the web client and simply brute-forced the password within a few minutes.

Both of these vulnerabilities were in place in March, though unknown to the public. That is why the UK government could argue that “NCSC (National Cyber Security Centre) guidance shows there is no security reason for Zoom not to be used for meetings of this kind”. We know retrospectively that there were multiple ways that a lone hacker or foreign intelligence agency could have compromised the call. Look carefully at this archived image of the screenshot that Johnson tweeted: there is a user on the call with their camera and microphone off named “iPhone”.