As CUs And Others Rush to Use Zoom, Company is Rushing to Fix Security Flaws

SAN JOSE, Calif.–The videoconferencing solution Zoom, which has seen a surge in usage by numerous companies, including credit unions, during the work-from-home environment created by the coronavirus pandemic, is promising to improve its security after numerous vulnerabilities have been revealed and in some cases exploited.

The pledge from Zoom comes at the same time the company is now facing a class-action lawsuit filed in the U.S. District Court for the Northern District of California that alleges concerns over Zoom's security and privacy flaws have hurt its stock price, even though Zoom is up 67% since the beginning of the year.

Most recently, the University of Toronto-based Citizen Lab issued a report in which it said the video platform was not suitable for sharing secrets nor government or business use. Citizen Lab found Zoom has been “rolling its own encryption scheme as part of a custom extension to the real-time transport protocol.”

That leaves communications potentially at risk of being intercepted, according to the report’s authors, who further warned of "potential areas of concern in Zoom's infrastructure, including [transmitting] meeting encryption keys through China."

Many of the vulnerabilities were found in the free version of Zoom’s software. Zoom reported in March it had reached 200 million daily users, up from approximately 10 million at year end 2019.

Different Encryption Key

In addition, instead of using AES-256 encryption as Zoom had claimed it does, the report found the application was using an AES-128 key in electronic code book (ECB) mode. 

"Zoom's encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input. Industry standard protocols for encryption of streaming media (e.g., the SRTP standard) recommend the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode," Citizen Lab said in its analysis.

Furthermore, Citizen Lab also said it found a "serious security issue" in the application's waiting room functionality and has disclosed this to the company. It said it would provide further details on this issue in the meantime, however, beyond suggesting users avoid the feature and use passwords on meetings instead, to prevent the issue from being abused.

‘Zoom Bombing’ Emerges

Among the fallout from the security flaws is the emergence of “Zoom bombing,” in which hackers interrupt meetings.

Zoom CEO Eric Yuan has acknowledged the company's encryption has been substandard and is promising changes.

Due to the security flaws, some companies have banned usage of Zoom. New York City has also said it will not allow its employees to use the solution.

In addition to Zoom, other videoconferencing solutions, including WebEx, Skype, and Microsoft Teams, have seen a similar surge in usage.

Copyright Holder: CUToday.info
Copyright Year: 2026