COVID-19 Canada | CTV News | Coronavirus
'Think twice' before using Zoom for confidential conversations, experts warn
TORONTO -- Canadian cybersecurity researchers are discouraging healthcare officials and government bodies from using video conferencing app Zoom, warning that the app’s security measures are not designed for sensitive conversations.
Research by Citizen Lab, an internet watchdog group based at the University of Toronto, found that Zoom uses non-industry standard encryption techniques with “identifiable weaknesses.”
“Zoom has made the classic mistake of designing and implementing their own encryption scheme, rather than using one of the existing standards for encrypting voice and video content,” Bill Marczak, Citizen Lab research fellow, said in a statement.
“Zoom’s encryption is better than none at all, but users expecting their Zoom meetings to be safe from espionage should think twice before using the app to discuss sensitive information.”
Use of the video conferencing platform has exploded amid worldwide lockdowns related to the spread of COVID-19. So, too, have concerns about its security measures, with some cybersecurity experts describing it as a “privacy disaster.”
Still, politicians including British Prime Minister Boris Johnson have been seen using Zoom to conduct meetings while self-isolating and a growing number of healthcare services are being offered virtually using the platform.
According to the Citizen Lab report, Zoom’s own documentation makes unclear claims about its encryption protocols, and the report notes potential security issues surrounding the way the company stores cryptographic information.
The report says that Zoom does not use end-to-end encryption -- the gold standard of security measures -- "as most people understand the term." Instead, it uses "transport" encryption between devices and servers.
The company previously suggested its video conference sessions were capable of end-to-end encryption. It has since apologized for this claim.
The researchers also expressed concerns that some of Zoom’s encryption keys were being distributed through servers in China, even when all meeting participants were outside of China.
“A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” reads the report.
“Given the business value of meetings currently being conducted on Zoom, it is reasonable to expect that the platform is being closely scrutinized by groups engaged in industrial and political espionage, as well as cybercrime.”
Though the report discourages using the platform for government communications, confidential business activities, and the handling of sensitive healthcare or legal information, researchers note the average user shouldn’t be concerned.
“For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning,” reads the report.
On Thursday, Zoom’s founder and CEO Eric Yuan said the company would freeze new feature development and shift all of its engineering resources to working on security and safety issues.
The company said it has seen the number of daily meeting participants, both free and paid, balloon from approximately 10 million users in December 2019 to more than 200 million in March of this year.
“We recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry,” Yuan said in a blog post.
The company has released a series of blog posts directing users to specific privacy features, including one specifically aimed at using Zoom for telehealth and virtual healthcare appointments.
On April 1, Zoom also issued a clarification surrounding its encryption practices, noting “Zoom has implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings, including -- but not limited to -- the video, audio, and chat content of those meetings.”
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list,” reads the blog post.