- Tram Ho
In end-to-end encryption, keys are normally generated and stored on your own phone or computer. Zoom, however, manages meeting keys on its own servers, some of which are located in China, according to Citizen Lab.
Zoom claims to offer end-to-end encryption for your meetings so that their contents cannot leak, but do not take that claim at face value. The San Jose-based company not only holds the meeting encryption keys on its servers but, in some cases, delivers them from servers in China, even for meetings whose participants are all in North America.
Citizen Lab set up test meetings on Zoom to see where the encryption keys were generated. In several tests run from North America, the researchers captured the meeting keys and found that they had been delivered by a server in Beijing, China. The findings were published last Friday by researchers Bill Marczak and John Scott-Railton.
The keys most likely end up in China because Zoom has corporate offices there. According to its filings with the SEC (Securities and Exchange Commission), Zoom has about 700 employees in China working on research and development.
Of course, attackers can easily get into your Zoom meetings if you leave them public or do not set a meeting password. This lack of basic protection has led to a wave of attacks on Zoom users, prompting the FBI to warn the public about the problem.
Encryption, by contrast, protects your messages from prying eyes while they sit in a database or travel over a network. In an end-to-end encrypted system the keys are generated and stored on your own phone or computer, which prevents the provider (or law enforcement) from decrypting your messages. Zoom, however, manages the keys on its own servers, so it, and anyone who can compel or compromise it, holds what is needed to decrypt a meeting.
The researchers also identified five servers in China and 68 in the United States that appear to run the same server software as the Beijing server.
Citizen Lab notes that Zoom may have opened offices in China to cut labor costs. But that also places those offices under the jurisdiction of the Chinese government, which has the legal authority to compel domestic companies to hand over information.
Zoom has not yet responded to the report directly. On Wednesday, however, it addressed the controversy over how it handles encryption keys. According to Oded Gal, Zoom's chief product officer, although Zoom holds the encryption keys, it has no system for decrypting those sessions:
“We have never built a system to decrypt meetings directly for illegal purposes, nor do we intend to engage our employees or others in meetings without permission from the room creator.”
However, Citizen Lab found several significant weaknesses in Zoom's encryption. The report notes that Zoom encrypts each meeting with a single AES-128 key in ECB (electronic codebook) mode, not the AES-256 its documentation claims. ECB is a poor choice because it encrypts every 16-byte block independently under the same key, so identical plaintext blocks produce identical ciphertext blocks and the patterns in a video frame survive encryption. An eavesdropper may therefore be able to make out rough outlines of the picture even though the stream is encrypted.
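The ECB weakness described above, as an added example that is not part of the original article or of Citizen Lab's report. AES-128 is implemented in pure Python so the demo has no dependencies; it is a teaching implementation checked against the FIPS-197 test vector, not something to use in production. The 8x8 frame, the key and the nonce are all constructed for the demo: each pixel is a flat 16-byte patch, i.e. exactly one AES block, which is how a uniform region of a video frame looks to the cipher. Under ECB the rendered ciphertext reproduces the picture exactly; under CTR mode, which uses the very same block cipher but never feeds it the same input twice, the structure disappears.

```python
"""Added illustration (not code from the article, from Zoom or from Citizen Lab): why AES in ECB
mode leaks the shape of what it encrypts. AES-128 is written out in pure Python only so the demo
runs with no extra packages; it is a teaching implementation of FIPS-197, not one to deploy.
The 8x8 frame is constructed for the demo: each pixel is one flat 16-byte patch (one AES block),
which is how a uniform region of a video frame tends to look to a block cipher."""
import string

def _xtime(b):  # multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    b <<= 1
    return (b ^ 0x1B) & 0xFF if b & 0x100 else b

def _gen_sbox():
    """AES S-box: walk the field keeping p * q == 1, then apply the affine map to q."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                            # q /= 3 (i.e. q *= 0xF6)
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = (0x63 ^ q ^ ((q << 1 | q >> 7) & 0xFF) ^ ((q << 2 | q >> 6) & 0xFF)
                   ^ ((q << 3 | q >> 5) & 0xFF) ^ ((q << 4 | q >> 4) & 0xFF))
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map alone gives 0x63
    return sbox

SBOX = _gen_sbox()

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s):  # state is column-major: byte (row r, column c) sits at index 4*c + r
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        t = a[0] ^ a[1] ^ a[2] ^ a[3]
        out += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
    return out

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block under a 16-byte key (FIPS-197 cipher, encryption direction only)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s])
        if r < 10:
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def encrypt_ecb(key, data):  # each block encrypted on its own: equal plaintext blocks -> equal ciphertext
    return b"".join(aes128_encrypt_block(key, data[i:i + 16]) for i in range(0, len(data), 16))

def encrypt_ctr(key, nonce, data):  # XOR with E(key, nonce || counter): every keystream block differs
    out = b""
    for i in range(0, len(data), 16):
        keystream = aes128_encrypt_block(key, nonce + (i // 16).to_bytes(8, "big"))
        out += bytes(p ^ k for p, k in zip(data[i:i + 16], keystream))
    return out

# Constructed 8x8 frame: '#' foreground, '.' background; every pixel is one 16-byte block.
IMAGE = ["........", ".######.", ".#....#.", ".#.##.#.",
         ".#.##.#.", ".#....#.", ".######.", "........"]
FRAME = b"".join({".": b"\x00" * 16, "#": b"\xff" * 16}[ch] for row in IMAGE for ch in row)
PALETTE = ".#" + string.ascii_letters + string.digits  # 64 symbols: enough for 64 distinct blocks

def render(ciphertext, width=8):
    """Draw a ciphertext with one symbol per distinct 16-byte block, assigned in order of first appearance."""
    blocks = [ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)]
    symbols, rows = {}, []
    for r in range(0, len(blocks), width):
        rows.append("".join(symbols.setdefault(b, PALETTE[len(symbols)]) for b in blocks[r:r + width]))
    return rows

if __name__ == "__main__":
    key = bytes(range(16))  # demo key only
    print("ECB (shape survives):", *render(encrypt_ecb(key, FRAME)), sep="\n")
    print("CTR (no structure):", *render(encrypt_ctr(key, b"\x00" * 8, FRAME)), sep="\n")
```

Running the script prints the frame twice: the ECB rendering is the original picture, because every background pixel became the same ciphertext block and every foreground pixel another, while the CTR rendering is 64 different symbols with no visible shape. Real video frames do not line up with block boundaries this neatly, but the leak is the same in kind: any region that repeats in the plaintext repeats in the ECB ciphertext, which is exactly why Citizen Lab flagged the mode.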
The researchers also found a serious flaw in Zoom's waiting room feature, which is meant to keep “uninvited guests” out of your meetings. “We currently do not provide public information on this issue to prevent it being abused,” they wrote. “In the meantime, we recommend that Zoom users who want to protect their privacy not use the Zoom waiting room. Instead, we encourage users to use Zoom's password feature.”
Zoom is a reasonable choice for casual conversations and online teaching. But if you rely on it to exchange sensitive information, such as corporate or government business, you should consider a more secure tool or messaging app, such as Signal.
Zoom says it is working on letting users store encryption keys locally on their own hardware, but that capability may not arrive until the end of this year and appears to be aimed at businesses rather than ordinary consumers. Because of COVID-19, Zoom's usage has skyrocketed to 200 million users per day.
Article source: Techtalk