From The Citizen Lab:
- Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
- The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China.
- Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom’s software. This arrangement is ostensibly an effort at labor arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities.
Marczak, B., & Scott-Railton, J. (2020, April 3). Move Fast & Roll Your Own Crypto: A Quick Look At The Confidentiality Of Zoom Meetings - The Citizen Lab. The Citizen Lab. Retrieved April 4, 2020, from https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/
The Intercept posted the following yesterday as a comment on the above:
Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook, or ECB, mode, “which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input,” according to the Citizen Lab researchers. In fact, ECB is considered the worst of AES’s available modes.
Here’s why: It should be impossible to tell the difference between properly encrypted data and completely random data, such as static on a radio, but ECB mode fails to do this. If there’s a pattern in the unencrypted data, the same pattern shows up in the encrypted data.
Lee, M. (2020, April 3). Zoom’s Encryption Is “Not Suited For Secrets” And Has Surprising Links To China, Researchers Discover. The Intercept. Retrieved April 4, 2020, from https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/
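An added illustration of the pattern-preservation problem both quotes describe (this is example code, not from Citizen Lab, The Intercept or Zoom): it encrypts a flat 64-byte frame with AES-128 in ECB mode and in CTR mode under the same key, then counts repeated ciphertext blocks, which is the check an auditor would run over captured packets. The key, nonce and frame are constructed test values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// ecbEncrypt applies the raw AES block function to each 16-byte block on its
// own, which is all ECB mode is (Go's standard library omits it on purpose):
// identical plaintext blocks give identical ciphertext blocks under one key.
// len(plaintext) must be a multiple of aes.BlockSize.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// ctrEncrypt encrypts the same data with a per-message nonce, so repeated
// plaintext blocks no longer produce repeated ciphertext blocks.
func ctrEncrypt(block cipher.Block, nonce, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(out, plaintext)
	return out
}

// duplicateBlocks counts 16-byte ciphertext blocks seen more than once. A
// non-zero count in captured traffic is the classic tell-tale of ECB mode.
func duplicateBlocks(ciphertext []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// compareModes encrypts a constructed 64-byte "frame" that is all zero bytes,
// standing in for a flat region of a static image, and returns the number of
// duplicate ciphertext blocks under ECB and under CTR with the same key.
func compareModes() (ecbDups, ctrDups int) {
	key := []byte("0123456789abcdef")   // constructed AES-128 key (test value)
	nonce := []byte("fedcba9876543210") // constructed 16-byte CTR nonce
	block, _ := aes.NewCipher(key)      // a 16-byte key cannot fail here
	frame := make([]byte, 64)
	return duplicateBlocks(ecbEncrypt(block, frame)), duplicateBlocks(ctrEncrypt(block, nonce, frame))
}
```

With four identical plaintext blocks, ECB yields three repeated ciphertext blocks while CTR yields none, which is exactly the leak the researchers are describing.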
This is good:
Unlike some other tech companies, Zoom has never released any information about how many government requests for data it gets, and how many of those requests it complies with. But after the human rights group Access Now’s open letter urging Zoom to publish a transparency report, Yuan also promised to do just that. Within the next three months, the company will prepare “a transparency report that details information related to requests for data, records, or content.” Access Now has commended Zoom on committing to publish a transparency report.
Lee, M. (2020, April 3). Zoom’s Encryption Is “Not Suited For Secrets” And Has Surprising Links To China, Researchers Discover. The Intercept. Retrieved April 4, 2020, from https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/
However, unless Zoom keep their promises and stop doing nefarious shit, they're doing what they've traditionally done: acting in their own interests while shitting on their users.
We'll see what happens.
Posted from my blog with SteemPress: https://niklasblog.com/?p=24569