Technical analysis of how the hugely popular video conferencing app Zoom encrypts meeting data has found significant weaknesses and dubious practices, leading researchers to warn governments and others who need their communications kept confidential not to use the software.
Bill Marczak and John Scott-Railton of the University of Toronto's The Citizen Lab discovered that despite Zoom's claims, the video conferencing app uses a home-brewed encryption scheme that is far from secure.
By default, the two researchers found, Zoom protects each meeting with a single 128-bit Advanced Encryption Standard (AES) key that is shared among all meeting participants.
Zoom's own documentation claims that it uses 256-bit AES encryption wherever possible.
Making matters worse, Zoom applies that key in Electronic Codebook (ECB) mode, the simplest block-cipher mode, which the researchers note is well understood to be a bad choice: ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks and patterns in the input survive in the output.
By capturing the 128-bit AES key from system memory, it was possible to decrypt video and audio from meetings.
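The pattern leakage that makes ECB a poor choice for audio and video can be shown directly. The following Go program is an added illustration, not code from Citizen Lab's report or from Zoom: it encrypts a constructed stand-in for a video frame (a repeated "background" block with one distinct block in the middle) with AES-128 in ECB mode and again in CTR mode, then counts how many ciphertext blocks are repeats of an earlier block. The key, nonce and frame contents are arbitrary sample values chosen for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt runs the block cipher over data one 16-byte block at a time with
// no chaining or nonce. That is all "AES in ECB mode" means, and it is why
// equal plaintext blocks yield equal ciphertext blocks.
func ecbEncrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("data length %d is not a multiple of %d", len(data), aes.BlockSize)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out, nil
}

// ctrEncrypt encrypts the same data with AES in CTR mode under a 16-byte
// nonce. Each block is XORed with a different keystream block, so repeated
// plaintext blocks no longer produce repeated ciphertext blocks.
func ctrEncrypt(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out, nil
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block.
// For ECB this number equals the number of repeated plaintext blocks, which
// is the structure an eavesdropper can see without knowing the key.
func repeatedBlocks(ct []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// sampleFrame builds a constructed 9-block "frame": eight identical
// background blocks surrounding one distinct block.
func sampleFrame() []byte {
	bg := []byte("BACKGROUNDPIXELS") // exactly 16 bytes
	frame := bytes.Repeat(bg, 4)
	frame = append(frame, []byte("FACE_BLOCK_DATA!")...) // exactly 16 bytes
	return append(frame, bytes.Repeat(bg, 4)...)
}

func main() {
	key := []byte("0123456789abcdef")   // 128-bit key, sample value for the example
	nonce := []byte("fedcba9876543210") // 128-bit CTR nonce, sample value

	frame := sampleFrame()
	nblocks := len(frame) / aes.BlockSize

	ecb, err := ecbEncrypt(key, frame)
	if err != nil {
		panic(err)
	}
	ctr, err := ctrEncrypt(key, nonce, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d of %d ciphertext blocks repeat an earlier block\n", repeatedBlocks(ecb), nblocks)
	fmt.Printf("CTR: %d of %d ciphertext blocks repeat an earlier block\n", repeatedBlocks(ctr), nblocks)
}
```

Under ECB the seven repeated background blocks are visible as seven repeated ciphertext blocks, and the one different block stands out, which is exactly how the outline of a video frame survives encryption. Under CTR no block repeats, because each block is combined with a distinct keystream block. Note that CTR alone still provides no integrity protection; a production design would use an authenticated mode such as AES-GCM.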
Furthermore, by sniffing network traffic Citizen Lab observed that the meeting encryption key is at times distributed to participants, including those outside China, by a server that appears to be located in Beijing, China.
"A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," the researchers pointed out.
On top of the weak encryption and the questionable handling of the AES-128 key, the researchers said they had discovered a serious problem with Zoom's Waiting Room feature.
That security issue has been responsibly disclosed to Zoom so that the company can verify the problem and develop a patch for it.
Meanwhile, the researchers advised people not to use Zoom's Waiting Room and instead to enable the meeting password feature for a higher level of confidentiality.
Although Zoom is based in Silicon Valley, it has strong connections with China, and owns three companies with at least 700 developers in the country.
That arrangement could make Zoom susceptible to pressure from Chinese authorities, the researchers said.
Due to the weaknesses and security concerns in Zoom, Citizen Lab said it discourages the use of the video conferencing app where strong privacy and confidentiality are required.
Governments and businesses worried about espionage and cybercrime should stay away from Zoom, as should healthcare providers that handle sensitive patient information, Citizen Lab said.
Zoom is also not suitable for activists, lawyers and journalists dealing with sensitive topics.
On the other hand, keeping in touch with friends and holding other social events over Zoom, as well as running courses and lectures that would otherwise take place in public venues, are not necessarily affected by Citizen Lab's findings.
If people decide to use Zoom, they are advised to go for the browser-based version, which should offer somewhat better security than the native app itself.
Zoom has risen to great heights of popularity as people work from home during the COVID-19 pandemic, but the app has been sharply criticised by researchers for poor security and privacy concerns.
Without naming Zoom, the Australian Signals Directorate intelligence agency last week cautioned users to stay away from insecure video conferencing applications.
ASD's New Zealand counterpart, the Government Communications Security Bureau, has cleared (PDF) the use of Zoom for public servants up to the RESTRICTED information classification level, but not for the stricter SECRET and TOP SECRET levels.