Ascent and descent of the video platform Zoom

Zoom lied massively about the quality of its encryption. All video chats and conferences are unencrypted on the Zoom servers. The company’s stock has been zigzagging ever since.

By Erich Moechel

Not a day goes by without new vulnerabilities, false security promises or illegal mass transfers of data from the video platform Zoom making headlines. On Thursday, the Canadian Citizen Lab presented its analysis of the encryption used by Zoom. This analysis is not entirely unexpected.

To cope with the rapid growth in users, Zoom uses questionable, self-made encryption methods, and the claimed end-to-end encryption in groups is simply not true. In addition, “zoom bombing” has become the new sport for trolls, who suddenly appear in school lessons or meetings. The company’s rapidly rising share price now reflects this news in zigzag leaps.

As this graph from The Motley Fool shows, the price of Zoom stock has almost doubled since December, while the corona crisis sent all other prices down. The recent wild jumps are due to the staccato of bad news.

Incorrect Zoom specifications

Most recently, Eric Yuan, CEO of the stock-market high-flyer, had to step forward in person and admit that Zoom uses “end-to-end encryption” to mean something different, namely “transport encryption”. This means that the video streams are unencrypted on the Zoom network, because Zoom also generates the temporary keys for each session. Zoom’s assertions that the sessions are protected from any kind of access by a complicated internal set of rules are of little value. This is the classic “man-in-the-middle” situation.

The title of the Citizen Lab analysis, “Move fast and roll your own crypto”, already sums up the entire Zoom dilemma. Instead of a separate key for each individual user, a common session key is generated for each video conference, and Zoom assigns it. This key is not the 256-bit version of the secure AES algorithm, but only a 128-bit variant that is weaker by powers of ten. On top of that, none of the recommended encryption modes is used, but “Electronic Code Book” mode (ECB), which is highly insecure for block ciphers when more than one block is encrypted.

Data for Facebook, links for trolls

ECB was chosen by Zoom because it is the fastest mode. Otherwise the explosive increase in users – at least 600 percent since the beginning of the year – would also be impossible to cope with. Zoom has therefore openly given false information about the technical quality of its services, and the same has happened with the transfer of data to other commercial services. In mid-March, security researchers tracked down massive, hidden data transfers to Facebook. At Zoom they were surprised by their own data policy and turned off the data transfer as quickly as possible. Like most commercial websites, Zoom is heavily riddled with tracking mechanisms and click-bait advertising.

Screenshot: Boris Johnson in a Zoom meeting (Public Domain / CC0). At the top left you can see the number of the Zoom video chat room.

This does not mean that you should not use the free version of Zoom in principle. For the remote operation of school lessons, Zoom can definitely only be used at the highest security level and therefore only to a very limited extent. The absolutely practical feature of opening a new video chat, sending the link to all participants by e-mail and – without assigning passwords – starting immediately is self-evident. As can be seen in the screenshot, Zoom assigns each video session a 9- to 11-digit number that can be found in the URL of each video chat room. Trolls generate such combinations automatically until they find a video meeting without password protection and troll the participants there, as trolls do.

Extract from Zoom’s Privacy Policy. This makes it doubly clear that this tool is an absolute no-go for professional use or even at government level.

Preliminary conclusion

Regarding professional use for business meetings, the Citizen Lab report also has bad news. Zoom has two software companies in China, and a third appears to be a joint venture. A total of 700 employees have been registered with the SEC in the US; apparently the entire app development is located there. The British cabinet holds its secret meetings via these apps and any virtual server in the Zoom cloud.

For Zoom, the principle of distrust applies, as it does for any commercial application that uses proprietary cryptography methods. The fact that the management lied so openly about security makes Zoom a no-go for all important processes in business, for authorities or in politics. An ad hoc video chat of a small group can very well be carried out, and the portal can also be used as a fallback medium when important meetings have to be held because one’s own video-conferencing application is not working. However, Zoom is recommended for video calls between two participants, because end-to-end encryption should actually be used.
