The Verge and The Intercept have published separate reports on security problems with Zoom, the sudden rising star of the video conferencing world.
White Hats Hack Zoom Meeting Data
The Verge reports that security professionals built an automated tool that scans for unprotected Zoom conferences. It found as many as 2,400 calls a day, along with the link to each meeting, its date and time, the organizer, and the meeting topic.
According to the report, security professional Trent Lo worked with members of the security meetup group SecKC to create zWarDial. The program automatically generates candidate Zoom meeting IDs, which the report describes as random 11-digit strings, and then uses each ID to pull information about the corresponding meeting.
Besides discovering an average of 100 meetings per hour, zWarDial was found to hit a legitimate Zoom ID 14% of the time. For each meeting it discovered, the program was able to extract details including the date, time, and agenda.
Flaws in Zoom's Encryption
This isn't the only incident Zoom is dealing with right now. A second report, from The Intercept, says the encryption used by Zoom is deeply flawed. According to that report, meeting encryption keys were being distributed from servers based in China, even for calls whose participants were all in the US. The issue was found by researchers at the University of Toronto's Citizen Lab.
The researchers say that Zoom uses a home-grown encryption scheme to protect the audio and video content of meetings. They also say the "waiting room" feature has a serious vulnerability, and that the company employs at least 700 people in China across three subsidiaries. Their report, published by Citizen Lab, concludes that the service is "not suited for secrets": Zoom could be legally obligated to hand over encryption keys to Chinese authorities and would need to be "responsive to pressure" from them.
Data Routed Through China and Its Legal Implications
Zoom has yet to issue a formal statement on this vulnerability, but Chief Executive Eric Yuan did discuss it in an interview with Forbes. Yuan said the company would look into how traffic is routed through China, while reaffirming that user data is securely protected. Citizen Lab published its findings directly rather than disclosing them privately to the company first. Yuan reassured users that Zoom is "willing to address" data being routed through China even for users who are not based in the country.
The Company Isn't Shying Away From the Flak
These vulnerabilities are just the latest in a string of issues with Zoom. The good news is that Zoom hasn't hidden from them. The company apologized for the mistakes and announced a 90-day freeze on new features, during which it will devote its engineering resources to fixing the existing security and privacy flaws before building anything new.