As working from home becomes the new norm in today’s COVID-19 pandemic, video conferencing solutions are utilized to foster communication, collaboration, and to stay connected with all business personnel. One of the most popular video conferencing solutions being used is Zoom. The number of daily users experienced a significant increase, from an average of 10 million to 200 million daily users in March 2020.
However, there are certain issues and concerns in regards to security when using Zoom. This includes ‘zoombombing’ where unauthorized participants show up uninvited to steal corporate data or present inappropriate materials. Not only that, but it has also been found that Zoom has shared users data with Facebook and LinkedIn, and does not offer true end-to-end encryption. In this article, we will explain Zoom encryption practices and why it is inadequate to protect users.
True end-to-end encryption means that Zoom calls are encrypted at all points in the data creation, transfer, and reception lifecycle, which also cannot be accessed by Zoom. However, this is not the case. It is found that if one participant phones in without using Zoom or the call is being recorded, Zoom will not encrypt these calls. When the calls are encrypted, it is found that Zoom’s servers have access to the encryption keys, and may decrypt them at their discretion. It is important to note that Zoom’s servers do not decrypt the traffic. This means that they have a good enough infrastructure to roll out true end-to-end encryption without much difficulty.
When building secure encryption, Zoom uses the simplest method of operation in applying the block cipher called Electronic Codebook (ECB) mode. It is when data is divided into blocks, and each block is encrypted separately by simply passing it through the block cipher, as shown in the diagram below:
Unfortunately, ECB is not a secure way of encrypting. This is because the blocks of the same data are always mapped to the result, which can leak a lot of information, as shown in the encryption of the famous Linux penguin below:
As shown above, the penguin encrypted in ECB mode still looks like a penguin since all of the white blocks are mapped to the same color, all of the yellow blocks to the same color. This proves that ECB is not secure enough to protect Zoom users. However, these issues can be easily fixed, and with the good basic infrastructure of Zoom, they can have a true end-to-end encryption capability in their next update.
As one of the IT security experts in Indonesia, Defender Nusa Semesta (DNS), is committed in keeping you alert about the latest security issues, especially as you use more work from home solutions in the COVID-19 pandemic. We hope that Zoom can fix their encryption issues by their next update to keep users protected.
