Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it

April 6, 2020
in Internet Security
Citizen Lab, a research group within the University of Toronto, has been able to drive a proverbial truck through the encryption used by video conferencing app Zoom.

In a report in which the group said the video platform was not suitable for sharing secrets, nor for government or business use, Citizen Lab found Zoom had been rolling its own encryption scheme as part of a custom extension to the Real-time Transport Protocol (RTP).

Further, instead of using AES-256 encryption as Zoom claims, the report found the application was using an AES-128 key in electronic code book (ECB) mode.

“Zoom’s encryption and decryption use AES in ECB mode, which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input. Industry standard protocols for encryption of streaming media (e.g., the SRTP standard) recommend the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode,” Citizen Lab said.
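To make the pattern-preservation weakness concrete, here is an added Go example (not Zoom's or Citizen Lab's code) that encrypts a repeated 16-byte frame under AES-128 in ECB mode and in counter mode and counts the distinct ciphertext blocks each produces. The key, IV and frame are constructed sample values; the counter mode here is plain AES-CTR with a zero IV, not SRTP's full AES-CM IV derivation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt encrypts each block independently (Go deliberately ships no ECB mode).
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs, out := block.BlockSize(), make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// ctrEncrypt is AES-CTR; SRTP's AES-CM is CTR with its own IV derivation, here a plain IV.
func ctrEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// distinctBlocks counts unique 16-byte blocks; a low count reveals plaintext structure.
func distinctBlocks(data []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(data); i += bs {
		seen[string(data[i:i+bs])] = true
	}
	return len(seen)
}

// patternLeak encrypts one constructed 16-byte frame repeated `repeats` times under
// both modes and returns the distinct ciphertext block counts for ECB, then CTR.
func patternLeak(key []byte, repeats int) (int, int, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil { return 0, 0, err }
	plaintext := bytes.Repeat([]byte("static frame  ##"), repeats) // constructed sample
	iv := make([]byte, block.BlockSize())                          // constructed; never reuse per key
	return distinctBlocks(ecbEncrypt(block, plaintext), 16),
		distinctBlocks(ctrEncrypt(block, iv, plaintext), 16), nil
}
func main() {
	e, c, err := patternLeak([]byte("0123456789abcdef"), 8) // constructed key
	if err != nil { panic(err) }
	fmt.Printf("ECB: %d distinct blocks of 8, CTR: %d of 8\n", e, c)
}
```

Eight identical frames collapse to a single repeated ciphertext block under ECB, so a stream of silence or a static image is visible as such; under CTR every block differs because each is XORed with a different keystream block.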

The research group also said it found a “serious security issue” in the application’s waiting room functionality and has disclosed this to the company. In the meantime, it said it would not provide further details on the issue, beyond suggesting users avoid the feature and instead protect meetings with passwords, to prevent the issue from being abused.

This vulnerability is particularly pertinent because the platform is currently being hit by a plethora of Zoom-bombing incidents, in which uninvited people enter a Zoom meeting and display disruptive content or behaviour, and various sources have offered the waiting room functionality as a solution despite the disclosed security issue.

In direct response to Citizen Lab, Zoom CEO Eric Yuan admitted that the company’s encryption was substandard.

“We recognise that we can do better with our encryption design. Due to the unique needs of our platform, our goal is to utilise encryption best practices to provide maximum security, while also covering the large range of use cases that we support,” Yuan said.

“We are working with outside experts and will also solicit feedback from our community to ensure it is optimised for our platform.”

Last week, Zoom said it would spend 90 days on improving the security of its product following a spate of vulnerabilities being unveiled. The vulnerabilities have been uncovered as more people use Zoom due to the coronavirus pandemic sweeping the planet.

Citizen Lab also found the application was serving up encryption keys from servers in China to participants from outside the Middle Kingdom.

“A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” the report said.

Zoom said the behaviour was an oversight resulting from its recent decision to scale up its data centres to meet demand.

“Zoom’s systems are designed to maintain geo-fencing around China for both primary and secondary data centers — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China data centers (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services),” Yuan said.

“In February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand.

“In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them (namely when the primary non-Chinese servers were unavailable).”

Yuan said the company had fixed the whitelist once it learnt of the issue.

The company has also been in hot water for its misleading claims that its product uses end-to-end encryption.

“While we never intended to deceive any of our customers, we recognise that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” the company wrote in a blog post last week.

As Zoom pointed out, it retains the full ability to decrypt any call or meeting on its servers at any point, and organisations that want to control the encryption keys themselves are able to run an on-premise version. The company did say it has not built a decryption service for live meetings for lawful interception, and does not have a way to insert people into meetings without their being shown in the meeting participant list. ZDNet has asked Zoom whether this statement also covers the ability to record meetings for law enforcement.

Over the weekend, New York City reportedly joined a growing list of organisations to ban the use of the application.

Reuters reported over the weekend that the state attorneys-general of New York and Connecticut have made inquiries to the company over its security practices.

Last year, the company was caught out for using a local web server on Mac instances to avoid an extra click for users. That server was found to contain a remote code execution vulnerability.

When the issue first came to light, Zoom defended the use of the web server, saying to ZDNet in a statement that it was a “legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator”.

The next day, Zoom said it would walk back its local web server support in a patch it was preparing, and told ZDNet at the time that its change of course was in response to customer feedback, not security concerns.

“There was never a remote code execution vulnerability identified,” the company said at the time.

“Zoom decided to remove the web server based on feedback from the security community and our users.”

Credit: Zdnet