US-based video meeting app Zoom courted a fresh controversy when security researchers from Citizen Lab at the University of Toronto found that some Zoom calls are being routed through servers in China, along with conference encryption and decryption keys used to secure those calls. According to the researchers, Zoom appears to own three companies in China through which at least 700 employees are paid to develop Zoom's software.
"Zoom can avoid paying US wages while selling to US customers, thus increasing their profit margin. However, this arrangement may make Zoom responsive to pressure from Chinese authorities,' said the team. During its analysis, the security researchers also identified a security issue with Zoom's Waiting Room feature. "Assessing that the issue presented a risk to users, we have initiated a responsible vulnerability disclosure process with Zoom. We are not currently providing public information about the issue to prevent it from being abused," the team said in a detailed statement on Friday.
While the mainline Zoom app (zoom.us) was reportedly blocked in China in November 2019, there are several third-party Chinese companies that sell the Zoom app within China (zoom.cn, zoomvip.cn, zoomcloud.cn). Citizen Lab said it has initiated a responsible disclosure process with Zoom over Waiting Room vulnerability. "We hope that the company will quickly act to patch and provide an advisory. In the meantime, we advise Zoom users who desire confidentiality to not use Zoom Waiting Rooms".
The rapid uptake of teleconference platforms such as Zoom, without proper vetting, potentially puts trade secrets, state secrets, and human rights defenders at risk. "Companies and individuals might erroneously assume that because a company is publicly listed or is a major household name, that this means the app is designed using security best practices. As we showed in this report, that assumption is false," said Citizen Lab. A TechCrunch report said on Saturday that Zoom "mistakenly" allowed two of its Chinese data centers to accept calls as a backup in the event of network congestion.
"During normal operations, Zoom clients attempt to connect to a series of primary data centers in or near a user's region, and if those multiple connection attempts fail due to network congestion or other issues, clients will reach out to two secondary datacenters off of a list of several secondary datacenters as a potential backup bridge to the Zoom platform," explained Zoom Founder and CEO Eric Yuan.
Yuan has already apologized for the privacy and security issues or "Zoom-bombing" being reported in his app that has seen a surge in usage globally as people work from home during the lockdown. Slammed for the lack of users privacy and security by the US Federal Bureau of Investigation (FBI) and cybersecurity experts, reports claimed this week that the video conferencing app Zoom is also prone to hacking.
The Zoom CEO said that over the next 90 days, the company is committed to dedicating the resources needed to better identify, address, and fix issues proactively to "maintain your trust". In March this year, the user base on Zoom reached more than 200 million daily meeting participants, both free and paid.