Zoom ‘Lied,’ Faces Criticism for Newly Discovered Lax Security Practices



Zoom Video Communications faces intensified scrutiny as new questions about lax security practices surfaced and school districts and other organizations started banning the meeting service.

Although Zoom apologized last week after the FBI warned that “Zoom-bombers” were hijacking Zoom meetings with pornographic images, New York City’s Department of Education barred use of the service and recommended Microsoft Teams instead. Other school districts throughout the U.S. likewise pulled the plug on Zoom because of the lax security practices. NASA, SpaceX and the governments of Australia and Taiwan are among the latest to ban use of Zoom.

As critics debated Zoom’s lax security practices, the University of Toronto’s Citizen Lab released a report on Friday that raised more alarms. Among them, researchers discovered encryption keys on servers in Beijing, China, for meetings in North America. The researchers saw the keys when making a test call, according to the report.

Citizen Lab’s testers also found that a single 128-bit encryption key, shared by all participants in a Zoom meeting, is used in ECB mode to encrypt and decrypt audio and video. That finding is especially troubling because Zoom has claimed its service uses 256-bit encryption. Moreover, security experts have long regarded ECB mode as insecure.
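As an added illustration of why ECB mode draws that criticism (example code written for this article, not Zoom’s or Citizen Lab’s): AES-128 in ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the audio or video survive encryption. The Go program below encrypts four identical blocks under ECB and under CBC and counts the repeated ciphertext blocks; the key, IV and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt runs the raw AES block function over each 16-byte block on its own;
// this loop is all ECB is (Go omits it on purpose). Input must be a multiple of aes.BlockSize.
func ecbEncrypt(block cipher.Block, pt []byte) []byte {
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt chains each block through the prior ciphertext block (seeded by the IV).
func cbcEncrypt(block cipher.Block, iv, pt []byte) []byte {
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
	return out
}

// repeatedBlocks counts distinct ciphertext block values occurring more than once; >0 means leakage.
func repeatedBlocks(ct []byte) int {
	seen, n := map[string]int{}, 0
	for i := 0; i < len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b]++; seen[b] == 2 {
			n++
		}
	}
	return n
}

func main() {
	// Constructed sample key (16 bytes selects AES-128), IV and media of four identical blocks.
	block, err := aes.NewCipher([]byte("0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	iv := []byte("fedcba9876543210")
	pt := bytes.Repeat([]byte("SILENT-AUDIO-BLK"), 4)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecbEncrypt(block, pt)))     // 1
	fmt.Println("CBC repeated blocks:", repeatedBlocks(cbcEncrypt(block, iv, pt))) // 0
}
```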

Two days after apologizing for last week’s lax security practices, Zoom CEO Eric Yuan responded to the Citizen Lab findings. Yuan noted that, in its urgency to add capacity, Zoom had rapidly deployed more servers, starting in China, where cases of COVID-19 first appeared.

Zoom’s Eric Yuan

“In that process, we failed to fully implement our usual geofencing best practices,” according to Yuan’s April 3 post. “As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect. We have since corrected this. We have also been working on improving our encryption and will be working with experts to ensure we are following best practices.”

Yuan noted that Zoom typically maintains geofencing. That method aims to ensure that meetings users hold outside of China aren’t routed through data centers in that country. As demand ramped suddenly in February, Zoom rushed to meet it by quickly deploying the additional servers.

“In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to – under extremely limited circumstances – connect to them,” he said.

This typically happened when all other servers outside of China were unavailable, he noted. Following on a prior April 1 post, Yuan promised to share more about how Zoom will address the encryption issues.

“We recognize that we can do better with our encryption design,” he said, in his subsequent April 3 post.

Zoom shares plummeted 15% on April 6 and were down nearly 7% as of 1:40 p.m. ET on Tuesday as critics remained unmoved by Yuan’s responses to reports of its lax security practices.

Harsh Reaction on Social Media

“For everybody patting Zoom on the back for its apologies and promises to do better, keep in mind it LIED about: AE256 (128), E2E encryption (TLS), geofenced keys (China-US),” industry analyst Patrick Moorhead, founder of Moor Insights and Technology, tweeted. “These aren’t ‘mistakes.’ It has a culture issue.”

Managed service providers (MSP) and IT consultants agree that Zoom must fix these issues quickly, but have …
