Zoom and China: Why you should zoom to another solution, quick.
May 01, 2020
Why Government, Non Profits, Healthcare Providers, and Political committees should stop holding meetings using Zoom.

Zoom is facing scrutiny over vulnerabilities after it took advantage of the Coronavirus pandemic to quickly become the #1 video conferencing platform in the United States during the COVID-19 response "Stay at Home" orders and as a remote meeting solution for essential workers who have had to #WorkFromHome. "Zoombombing" was just the beginning; over the past month it has become clear just how vulnerable Zoom actually is.

Zoom: Spyware Made in China

On paper, Zoom may be headquartered in the US (and listed on the NASDAQ), but the actual Zoom app appears to have been developed by companies in China, all of which have the name 软视软件 ("Ruanshi Software"). Two of the three companies are owned by Zoom as Chinese subsidiaries, while the third is owned by a company called 美国云视频软件技术有限公司 ("American Cloud Video Software Technology Co., Ltd.").

In its most recent filing with the Securities and Exchange Commission, Zoom admits (through its Chinese affiliates) that it has at least 700 employees in China who work in "research and development." The SEC filing also indicates over 80% of the company's revenue comes from North America. Outsourcing development to China allows Zoom to reduce its expenses while increasing its profits.

On April 27th, the US Department of Homeland Security issued a warning that any organization currently using or considering using Zoom "should evaluate the risk of its use".  The same day, Risk Based Security® (RBS), a global leader in vulnerability intelligence, breach data, and risk ratings, published an article including a list of corporations, governments, and educational institutions which have already banned or discontinued the use of Zoom.

TechCrunch explains how this is a small part of a much larger, sinister strategy of the Chinese Communist Party in an article it published on April 11th titled "China's next plan to dominate international tech standards".

Zoombombing

On March 30th, the FBI Field Office in Boston reported that it received multiple reports of instances where malicious users hijacked Zoom Video-Teleconferencing (VTC) meetings, flooding the Zoom meetings with pornographic and/or hate images as well as threatening language.  

In the FBI's warning they included several recommendations to reduce the threat of having your Zoom Meeting hijacked:

As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. The following steps can be taken to mitigate teleconference hijacking threats:
• Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
• Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
• Manage screensharing options. In Zoom, change screensharing to “Host Only.”
• Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
• Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.

Source: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic (FBI.gov)

Over Half a Million Compromised Zoom Accounts For Sale on the Dark Web

On April 1st it was reported that account information for over 500,000 compromised Zoom accounts was available for sale on the Dark Web, including email addresses, passwords, personal meeting URLs, and host keys. Source: Over 500,000 Zoom Accounts for Sale on the Dark Web (Dashlane)

Zoom Video Calls Routed through Servers in China on top of Security Vulnerabilities Exposed

On April 16th, the Republic of India's Ministry of Home Affairs issued an advisory that Zoom "is not a secure platform" for private use, and advised all government offices not to use Zoom for any purpose because it had been discovered that the application's data was being sold to foreign governments such as the People's Republic of China.

Zoom Meetings Vulnerable to Chinese Surveillance

In mid-April the British Government and Parliament were told by their intelligence agencies not to use Zoom for confidential business, "due to fears it could be vulnerable to Chinese surveillance." The UK's National Cyber Security Centre (NCSC) issued an explicit warning to "not use [Zoom] to talk about things detrimental to the interests of China".

Zoom Waiting Room Vulnerability

Zoom released its new version 5 on April 8th with improved encryption and privacy controls, along with features to prevent "Zoombombing". The same day, The Citizen Lab (University of Toronto) released a report disclosing an issue with the Zoom "Waiting room": the Zoom servers provided both the meeting's encryption keys and a live video stream of the Zoom meeting to all users in the meeting's waiting room, even if the "waiting" users had not been approved to join the meeting. This allowed an arbitrary, unauthorized Zoom user in a waiting room to intercept and decrypt "encrypted" video content.

Encryption Keys Sent to China for US-based Zoom Meetings

In an earlier report released on April 3rd, The Citizen Lab disclosed discrepancies between the security claims in Zoom's documentation and how the product actually works. Essentially, it was discovered that encryption in Zoom was neither well designed nor well implemented.

"The AES-128 keys, which we verified were sufficient to decrypt Zoom packets intercepted in Internet traffic, appeared to be generated by Zoom servers, and in some cases, were delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, were outside of China. This finding is significant because Zoom is a company that primarily serves customers in North America and sending encryption keys via servers in China may potentially open Zoom up to requests from authorities in China to disclose the encryption keys."

Is Zoom appropriate for confidential communications?

The Citizen Lab's report continued, discouraging the use of Zoom where confidentiality and/or privacy are a concern.

Based on the findings of our April 3 report, we discourage the use of Zoom in cases where strong confidentiality and privacy is required, including:

• Governments worried about espionage
• Businesses concerned about cybercrime and industrial espionage
• Healthcare providers handling sensitive patient information
• Activists, lawyers, and journalists working on sensitive topics

Source: The Citizen Lab: FAQ on Zoom Security Issues

Further Reading:

April 9th, 2020: Time Magazine reports "Foreign Spies are Targeting Americans on Zoom and other video chat platforms, U.S. Intel Officials say."

April 3rd, 2020: "Zoom's Encryption is "Not Suited for Secrets" and has surprising links to China, Researchers Discover" (The Intercept)

Alternatives to Zoom?

RingCentral recently replaced its whitelabel version of Zoom, which was called "RingCentral Meetings", with its secure, integrated video conferencing solution "RingCentral Video", announced April 2nd, 2020.  RingCentral is allowing existing customers the ability to switch from RingCentral Meetings to RingCentral Video without incurring any additional costs.  RingCentral Video offers integrated video conferencing, screen-sharing, and team messaging.

Insercorp, in partnership with RingCentral, is currently offering RingCentral Office (which includes RingCentral Video) free for 3 months for government, healthcare providers, political organizations, non-profits, educational institutions, and news media.  Read the announcement to learn more.

Tim Bradshaw
Founder & CEO
Tim Bradshaw is the Founder and CEO of Insercorp LTD.