Zoom admits to routing some US calls through China
As if the various privacy and security concerns that have plagued Zoom recently had not been enough, now it has been revealed that the company has been routing some calls made in North America through China.
Asking whether Zoom is a "US company with a Chinese heart", security researchers at Citizen Lab reported their discovery that during test meetings, encryption and decryption keys were routed through a server in Beijing. This raised eyebrows, and the company has now tried to explain what happened and issued its second apology this week.
- Zoom security vulnerability can be used to steal Windows login credentials
- Zoom issues an apology for privacy and security issues, will enact a feature freeze to focus on fixes
- Zoom claims to offer end-to-end encryption -- even though that's not strictly true
Presenting their findings, Citizen Lab researchers express concern that in routing traffic through China, Zoom could be legally obliged to disclose decryption keys to the Chinese government. Given the recent concerns about Zoom's privacy practices, this was probably the last revelation the company wanted to come out.
The researchers say:
During a test of a Zoom meeting with two users, one in the United States and one in Canada, we found that the AES-128 key for conference encryption and decryption was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, 184.108.40.206. A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers.
But Zoom's CEO Eric S Yuan says that the routing of American calls through Chinese servers is not the norm, and only occurred because of high traffic. He explains:
During normal operations, Zoom clients attempt to connect to a series of primary datacenters in or near a user’s region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform. In all instances, Zoom clients are provided with a list of datacenters appropriate to their region. This system is critical to Zoom’s trademark reliability, particularly during times of massive internet stress.
The company has tried to reassure users that Chinese servers have only been used in "extremely limited circumstances", but it's not clear how many users may have been affected.