Zoom’s Problems Point to Pitfalls in Writing Your Own Encryption

By Shelley M. Johnson

Zoom’s video conferencing platform took off during COVID-19 social distancing, as millions of people stayed home — but it has faced a bevy of problems, from “Zoombombing” to sharing user information with Facebook and exposing participant data through a LinkedIn feature.

Zoombombing, in which uninvited people join a meeting, is a matter of meeting settings and access control. The scrutiny it brought, however, exposed a deeper flaw in Zoom Video Communications Inc.’s platform: Zoom’s programmers, many of them in China, wrote their own encryption scheme rather than relying on an established, vetted protocol, and they used AES with 128-bit keys in Electronic Codebook (ECB) mode, a construction that leaks patterns in the encrypted data and is far weaker than the standard, well-understood ways of deploying AES, the cipher approved by the U.S. government.

Zoom’s key distribution had a weakness of its own: meeting keys were in some cases delivered through servers located in China, even for meetings whose participants were all elsewhere, putting the keys within reach of anyone with access to those servers.

These were not wise design choices, Michelle Hansen, a cybersecurity expert and professor at the University of Maryland Global Campus, told Digital Privacy News.

The comedy of security errors soon made Zoom users realize they had to take precautions into their own hands.

“Zoom has come under a public microscope recently due to privacy and other security concerns,” said Hansen, whose doctorate in computer information systems and cybersecurity is from Nova Southeastern University. “While Zoom has made significant improvements to secure their platform, the responsibility is at the user’s discretion.

“If you are the meeting host, treat it as your house that participants are invited into,” she continued. “Be a good host, manage your guest list and use settings to mitigate possible risks.”

How Encryption Works

Encryption is the process of encoding electronic information by converting the original data, the “plaintext,” into an alternative form known as “ciphertext.” Only a party holding the correct secret key can decipher the ciphertext back to plaintext and read the original information.

Most modern encryption of data in bulk uses the Advanced Encryption Standard (AES), a block cipher that the U.S. National Institute of Standards and Technology adopted in 2001 after a public, multi-year competition.

The standard specifies key sizes of 128, 192 or 256 bits. A longer key gives an attacker a larger space to search, but all three sizes are far beyond brute force with any known technology. In practice, encryption fails through how the algorithm is used, such as a weak mode of operation or poor key handling, far more often than through the key size.

Under the standard, AES was approved for protecting sensitive but unclassified federal data. In June 2003, after its own review, the National Security Agency announced that all three key sizes were sufficient for information classified up to SECRET, and that 192- and 256-bit keys could be used for TOP SECRET.

CEO Comes Clean

Zoom CEO Eric Yuan admitted April 6 that the encryption design for the company’s platform was flawed after Citizen Lab, a Toronto research group, concluded that it was not suitable for governments or businesses with secrets to protect.

“We recognize that we can do better with our encryption design,” Yuan said, according to ZDNet. “Due to the unique needs of our platform, our goal is to utilize encryption best practices to provide maximum security, while also covering the large range of use cases that we support.”

The admission confirmed public fears over Zoom’s safety after its platform use went up last month because of COVID-19 lockdowns.

But Zoombombing was just the beginning of the problems. It soon became clear that Zoom’s encryption choices were weak and that user data was flowing to third parties.

Consumer confidence waned as other dominoes fell. Zoom’s stock plummeted on Wall Street from the security concerns — and legal challenges came from stockholders and state officials.

The FBI warned about hijacked video conferences after schools reported intruders in online classes. Separately, the company was accused of sharing user data with Facebook without permission and of exposing participants’ information through a LinkedIn data-mining feature.

In addition, Taiwan and Germany cut their use of Zoom — and Google banned the firm’s desktop conferencing version on corporate laptops. The Cyber Coordination Centre in India recently issued a 16-page advisory, calling Zoom an “unsafe” platform. 

“You have to have an algorithm that is proven for security. Developing your own is never recommended.” — Michelle Hansen, Ph.D., University of Maryland Global Campus.

Other Changes Made

Yuan now insists that Zoom’s security flaws are patched and that its privacy and encryption policies have been clarified. Programmers removed the Facebook software development kit from the iOS app, which had been sending device information to Facebook even for users without Facebook accounts.

Zoom also removed the LinkedIn Sales Navigator feature that exposed participants’ profile data, tightened default security settings for education users and bolstered its overall encryption.

Ultimately, the foibles have created a more cautious and educated public on the risks of teleconferencing. Hansen said users must still decide which platforms are the most secure. Let the buyer beware.

“In cyber security, we know that people are the weakest link,” she told Digital Privacy News. “It is not that they mean to do harm. It is the misconception that software developers, websites, service providers or governments will protect us.

“It is that feeling that makes us all vulnerable,” Hansen added. “Users have to be informed and diligent when it comes to cyberhygiene.”

The Encryption Debacle

Zoom initially claimed that its meetings were end-to-end encrypted, a term with a precise meaning.

End-to-end encryption encrypts data on the sender’s device and decrypts it only on the receiver’s device, and only those endpoints hold the key. The data stays encrypted throughout transit, including while it sits on the provider’s servers.

End-to-end encryption therefore prevents anyone in the middle, whether a hacker on the network or the service provider itself, from reading the content during transmission.

Zoom’s platform actually used transport encryption, with the meeting key generated and held by Zoom’s own servers, and it encrypted meeting media with AES-128 in Electronic Codebook (ECB) mode. The weakness here is not the 128-bit key, which no one can brute-force, but ECB itself: every identical 16-byte block of plaintext produces an identical block of ciphertext, so patterns in the audio and video survive encryption, and the same frame sent twice yields the same ciphertext twice. Standard practice is an authenticated mode such as GCM, which makes every block look different and detects tampering.
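
To see what ECB gives away, here is an added example in Go (not code from Zoom or from the Citizen Lab report). It encrypts a constructed 16-block “frame” with AES-128 in ECB mode by calling the raw block function on each block, which is all ECB is, then with AES-128-GCM, and counts how many distinct ciphertext blocks each produces. The demo key, the frame contents and the choice of GCM as the comparison are assumptions for illustration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block
// independently. That is all ECB mode is, which is why Go's standard
// library deliberately provides no helper for it.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt uses AES-GCM, an authenticated mode. It returns the fresh random
// nonce and the ciphertext (encrypted data followed by a 16-byte tag).
func gcmEncrypt(key, plaintext []byte) ([]byte, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// distinctBlocks counts the different 16-byte blocks in data, ignoring any
// trailing partial block.
func distinctBlocks(data []byte) int {
	seen := make(map[[16]byte]struct{})
	for i := 0; i+16 <= len(data); i += 16 {
		var b [16]byte
		copy(b[:], data[i:i+16])
		seen[b] = struct{}{}
	}
	return len(seen)
}

// sampleFrame is a constructed stand-in for a media frame with two large
// uniform regions: eight blocks of 0x00 followed by eight blocks of 0xff.
func sampleFrame() []byte {
	frame := bytes.Repeat([]byte{0x00}, 8*16)
	return append(frame, bytes.Repeat([]byte{0xff}, 8*16)...)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key, never use a fixed key
	frame := sampleFrame()

	ecb, err := ecbEncrypt(key, frame)
	if err != nil {
		panic(err)
	}
	ecbAgain, _ := ecbEncrypt(key, frame)

	_, gcm, err := gcmEncrypt(key, frame)
	if err != nil {
		panic(err)
	}

	fmt.Printf("plaintext:   %2d distinct blocks\n", distinctBlocks(frame))
	fmt.Printf("AES-128-ECB: %2d distinct blocks, identical on repeat: %v\n",
		distinctBlocks(ecb), bytes.Equal(ecb, ecbAgain))
	fmt.Printf("AES-128-GCM: %2d distinct blocks\n", distinctBlocks(gcm[:len(frame)]))
}
```

ECB preserves the two-value pattern of the frame exactly, and encrypting the same frame twice gives the same bytes twice, so an observer learns where the content repeats and when it changes. GCM turns all 16 blocks into distinct ciphertext and changes completely under a fresh nonce; the one discipline it demands in return is never reusing a nonce under the same key.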

Zoom should have used the AES-256 encryption standard, Hansen said.

The hop-by-hop model Zoom used, often called link encryption, also made its transmissions less secure.

Unlike end-to-end encryption, link encryption protects data only on each leg of the journey, between a client and a server or between servers, as the traffic travels toward the receiver. With Zoom, the meeting key was generated by Zoom’s servers and distributed to every participant, so the servers relaying the meeting held the key as well.

At each server along the route, the data can be decrypted and re-encrypted before it moves on to the next hop and finally reaches the receiver.

Anyone with access to a server that holds the key, whether a company insider, an intruder who has compromised it, or an authority able to compel its operator, can read the traffic passing through. That is the gaping security hole.

Hansen told Digital Privacy News that link encryption was a very poor option by Zoom for sharing information over the internet.
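
The difference between the two models, as an added example that is not Zoom’s code or Citizen Lab’s: a Go program that models a relay server under each design. In the server-keyed design the server generates the meeting key and hands it to every client, so the server necessarily holds it; in the end-to-end design the host generates the key and seals it to each participant’s RSA public key with RSA-OAEP, so the relay forwards only envelopes it cannot open. The RSA-OAEP envelope, the “meeting-key” label and the 16-byte key are assumptions for the illustration, not Zoom’s protocol.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// participant models one meeting client with a long-term RSA key pair.
// Keys are generated on the fly here; real clients would store them, and the
// other participants would need a way to verify them (see the note below).
type participant struct {
	priv *rsa.PrivateKey
}

func newParticipant() (*participant, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &participant{priv: priv}, nil
}

// relay models the provider's server. It forwards messages and keeps a copy
// of everything it produces or carries, the worst case a user must assume for
// infrastructure they do not control.
type relay struct {
	seen [][]byte
}

func (r *relay) forward(msg []byte) []byte {
	cp := append([]byte(nil), msg...)
	r.seen = append(r.seen, cp)
	return cp
}

// knows reports whether the exact key bytes are among what the relay holds.
func (r *relay) knows(key []byte) bool {
	for _, m := range r.seen {
		if bytes.Equal(m, key) {
			return true
		}
	}
	return false
}

func newMeetingKey() ([]byte, error) {
	key := make([]byte, 16) // assumed AES-128 key size
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// serverKeyedMeeting models the design described in the article: the server
// generates the meeting key and delivers it to every client, so the server
// (and anyone with access to it) holds the key.
func serverKeyedMeeting(r *relay, clients []*participant) ([]byte, error) {
	key, err := newMeetingKey()
	if err != nil {
		return nil, err
	}
	for range clients {
		r.forward(key) // the server hands out its own key
	}
	return key, nil
}

// endToEndMeeting models a minimal end-to-end design: the host generates the
// key and seals it to each participant's public key with RSA-OAEP. The relay
// carries only envelopes. Returns the key and what each participant recovered.
func endToEndMeeting(r *relay, participants []*participant) ([]byte, [][]byte, error) {
	key, err := newMeetingKey()
	if err != nil {
		return nil, nil, err
	}
	label := []byte("meeting-key") // assumed label tying the envelope to its purpose
	var recovered [][]byte
	for _, p := range participants {
		env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &p.priv.PublicKey, key, label)
		if err != nil {
			return nil, nil, err
		}
		k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, r.forward(env), label)
		if err != nil {
			return nil, nil, err
		}
		recovered = append(recovered, k)
	}
	return key, recovered, nil
}

func main() {
	var clients []*participant
	for i := 0; i < 3; i++ {
		p, err := newParticipant()
		if err != nil {
			panic(err)
		}
		clients = append(clients, p)
	}
	var r1, r2 relay
	k1, err := serverKeyedMeeting(&r1, clients)
	if err != nil {
		panic(err)
	}
	k2, _, err := endToEndMeeting(&r2, clients)
	if err != nil {
		panic(err)
	}
	fmt.Println("server-keyed: relay holds the meeting key?", r1.knows(k1))
	fmt.Println("end-to-end:   relay holds the meeting key?", r2.knows(k2))
}
```

The end-to-end property holds only if each participant is sealing the key to the genuine public key of the intended recipient. A relay that is malicious rather than merely curious could substitute its own public key and sit in the middle, which is why real end-to-end systems add out-of-band key verification (fingerprints or security codes) and rotate the meeting key when participants join or leave; neither is modeled here.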

Ensuring Your Security

No web conferencing platform is immune to the pitfalls that have engulfed Zoom, so consumers must ensure their own security.

Here are some suggestions:

  • Require a password for all online meetings and restrict who may join. Do not rely on the meeting ID alone to keep intruders out.
  • Do not allow attendees to remain anonymous. Knowing who is in the room is what lets a host spot an unwanted guest.
  • Share meeting IDs and passwords only with the intended participants, never on a public page or social media.
  • Secure your webcam, and cover or disable it when it is not in use. A compromised webcam lets an intruder watch a person, their screen and surroundings, or their children when they are conferencing for school.

“Most people have no idea that someone is watching them,” Dr. Michelle Hansen, a cybersecurity expert and professor at the University of Maryland Global Campus, told Digital Privacy News.

“There have been stories of baby monitors where malicious actors can get on there.”

“Software inherently has bugs and security flaws and is vulnerable to threats and attacks,” she said. “The internet has created an open playground to attack using these applications.” 

— Shelley M. Johnson

Rogue Programmers

But the problems did not stop there. Rather than build on an established, publicly vetted protocol for protecting media in transit, Zoom designed its own encryption scheme, and the choices inside it, above all ECB mode and server-held keys, turned a weak transport model into a seriously flawed one.

“The issue is not so much AES-128,” Hansen explained. “Zoom modified the AES-128 standard and built on the ECB technique, then applied that to their conferencing platform.

“‘Quick and proven’ is the ‘usable’ algorithm,” she continued. “This is where Zoom missed the target.

“You have to have an algorithm that is proven for security (like AES-256). Developing your own is never recommended.”

How Hackers Work

Brute force and dictionary attacks, in which an attacker tries every possible key or every likely password, defeat weak passwords and the keys derived from them. They are not the threat to a properly generated 128-bit AES key, which has far too many possible values to enumerate. What breaks in practice is the way a cipher is used and the way its keys are handled, which is why Zoom’s choice of ECB mode and server-held keys mattered more than its key length.

Sound encryption uses proven algorithms, taken from vetted libraries rather than written from scratch, so that only a party holding the secret key can decode a message. A meeting ID or meeting password is not such a key: it decides who may join a call, not who can decrypt its media.

When the key itself is exposed, the encryption protects nothing, and the meeting becomes low-hanging fruit for an attacker.

Zoom’s China Connection

Zoom, based in San Jose, Calif., owns three companies in China that employ several hundred programmers to develop its software. Security-relevant code is written there, and Citizen Lab observed that in some test meetings the encryption key was sent from a server in Beijing even though every participant was in North America.

The security concerns are great here, Hansen said, because programmers could be pressured by Chinese authorities to act as insiders who steal data for the government.

Programmers could write malicious code into Zoom software, creating back doors that compromise consumer information and privacy. Computers then could be accessed remotely and undetected.

“It is like the back door to a house,” Hansen explained. “They get in without being seen.

“They have access to individuals, sensitive data, and a full spectrum of business databases and information,” she told Digital Privacy News. “That makes for a very nefarious situation.”

Shelley M. Johnson is a technology and business journalist in Michigan.
