This report examines the encryption that protects conferences in the widespread Zoom teleconference app. We discover that Zoom has “rolled their own” encryption scheme, which has important weaknesses. As well as, we establish potential areas of concern in Zoom’s infrastructure, together with observing the transmission of assembly encryption keys by means of China.

Key Findings

• The AES-128 keys, which we verified are adequate to decrypt Zoom packets intercepted in Web site visitors, seem like generated by Zoom servers, and in some circumstances, are delivered to members in a Zoom assembly by means of servers in China, even when all assembly members, and the Zoom subscriber’s firm, are exterior of China.
• Zoom, a Silicon Valley-based firm, seems to personal three firms in China by means of which at least 700 staff are paid to develop Zoom’s software program. This association is ostensibly an effort at labor arbitrage: Zoom can keep away from paying US wages whereas promoting to US prospects, thus rising their revenue margin. Nevertheless, this association could make Zoom conscious of strain from Chinese language authorities.
  

1. Background: A US Firm with a Chinese language Coronary heart?

Zoom is a well-liked teleconference app whose reputation has elevated dramatically, given a lot of the world is underneath necessary work-from-home orders on account of the unfold of COVID-19. The app’s overarching design aim appears to be lowering friction in videoconferencing and making issues “just work.”