The pandemic has forced millions of people to look for other ways to stay in touch from a distance, resulting in the growing popularity of video conferencing platforms such as Zoom, although it has also caught the attention of data security training experts, cybercriminal groups and even unreliable security practices present in the service have been unveiled.
A recently published research has revealed that Zoom’s encryption could contain a backdoor developed in China, in addition to the company’s use data mining processes from its users’ LinkedIn profiles to sell their information.
Zoom servers in China
To begin with, it is necessary to clarify that, contrary to what the platform claims, Zoom does not have end-to-end encryption, as pointed out by experts in data security training. When users start a Zoom session, the software on the user’s device obtains a key to encrypt audio and video, which is sent from the company’s cloud infrastructure, which in turn contains servers around the world.
The key comes from a server known as the Key Management System, which generates the same encryption key and sends it to all the Zoom session participants. This key is sent to the video conferencing software using TLS, the same technology used in the “https” protocol. Depending on the session configuration, some Zoom cloud servers (known as “connectors”) might get a copy of the encryption key.
Data security training specialists mentioned that, in total, Zoom has 73 key management systems; of these, 5 are found in China and the remaining in the U.S. This is a worrying behavior because, given the laws under which technology companies operate in China, Zoom may be forced to share encryption keys with the authorities of the Asian country if they are generated on a server hosted in Chinese territory. If the Chinese government or any other threat actor tried to spy on a Zoom session, it would also require monitoring the target user’s Internet access, or monitoring the Zoom cloud network. By collecting this information, the attack can be completed, decrypting the session audio and video.
Weak encryption is just one of the many security weaknesses in Zoom. While the platform conforms to the Advanced Encryption Standard (AES), the encryption keys used in the company are only 128 bits; while still considered secure, most technology companies have migrated to the use of 256-bit keys for years. Specialists believe that these deficiencies could be of particular concern to government officials around the world and large companies, as Zoom failures could expose them to leaks of confidential information or espionage activities.
LinkedIn data leaking
Unfortunately, this is not the only privacy drawback discovered in Zoom over the last few days. In a report published in The New York Times, data security training specialists revealed a data mining bug that would be filtering data from the LinkedIn profiles of videoconferencing session participants.
This flaw is affecting any user subscribed to a LinkedIn service called “LinkedIn Sales Navigator”. When this service is enabled, LinkedIn data for all participants in a Zoom session can be quickly accessed without requesting their consent. Among the leaked information are details such as:
- Current work
- Charge
- Name of employer
- Location data
After multiple tests, researchers discovered that the data mining tool is able to instantly link the Zoom user’s name to their LinkedIn profile name. In addition, Zoom automatically sends this personal information to your data collection tool, regardless of whether the session members activated it or not.
After the publication of this report, Zoom issued a statement to inform that it had permanently disabled this tool, although it is not possible to define how many users were subjected to this invasive practice. LinkedIn also reported some measures in this regard.
The International Institute of Cyber Security (IICS) says that, since the start of the coronavirus outbreak, the number of Zoom users rose from 10 million to 200 million, including individuals, academic institutions, private companies and government agencies. Social estrangement will continue for at least the next three months, so it is worth requiring the company to reveal more details about its data collection policies and ties with the Chinese government, as the millions of users who depend on it tool to continue your academic and professional activities deserve to know what protections your information can provide this platform.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.