- Report: Move Fast and Roll Your Own Crypto A Quick Look at the Confidentiality of Zoom Meetings and the FAQ
- Date Published: April 3rd, 2020
Zoom for Mac, Linux, and Windows < 4.6.10
Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.
The AES-128 keys, which we verified were sufficient to decrypt Zoom packets intercepted in Internet traffic, appeared to be generated by Zoom servers, and in some cases, were delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, were outside of China. This finding is significant because Zoom is a company that primarily serves customers in North America and sending encryption keys via servers in China may potentially open Zoom up to requests from authorities in China to disclose the encryption keys. While this scenario is plausible, we do not have evidence that authorities in China or any other state have actually obtained meeting encryption keys.
- Apr 3rd, 2020 - report published