Online education had received a huge fillip thanks to the adoption of Zoom, a revolutionary web-conferencing application. Then all of a sudden it all went belly up because of security concerns.

I am an information security consultant and routinely work with data centers and eCommerce companies all over the world. My job is to review the ecosystem, which includes underlying infrastructure, code, processes and policies, determine where the loopholes are, fix them, and repeat this process every few days. My wife is the Vice President of Product Development at a leading information security company and leads the development of an AI-enabled product that detects and prevents hacks before they happen. This system is used at leading banks, stock exchanges, telecom providers and law enforcement agencies all across the world.

We decided to check what the problem with Zoom was, because what we saw in the papers smelt of a hack job (by hack job I mean a smear campaign). To be clear, we are not connected with Zoom in any manner whatsoever; however, we have seen too many good products destroyed by similar smear campaigns to let this happen all over again.
I’m going to answer the questions people have about Zoom in a FAQ format.
- Zoom is a Chinese company.
Zoom was born in Silicon Valley and is a true-blue American success story. It was recognized as a unicorn and received funding multiple times. Before the Covid-19 related exponential growth in numbers, Zoom was more widely used for office communications. Yes, you heard it right: secure office communications. The only China connection that Zoom has is the owner, who is an American citizen of Chinese origin. He built it so he could be closer to his girlfriend. Eric Yuan moved to Silicon Valley in 1997 (around 23 years back). Eric was a key member in the development of Webex, a web conferencing solution from Cisco. Yuan set up Zoom in 2011 after Cisco rejected the idea of a smartphone-friendly web conferencing tool. That Webex now has a smartphone-friendly version is proof that what Yuan had suggested in 2011 was eventually accepted by Cisco.
- Zoom has servers in China.
No and Yes.
Here it is important to understand what having servers in China means. In today’s environment, every online platform which wishes to do business in China has to have servers in China, be it Amazon, Google, Microsoft, Cloudflare or Zoom for that matter. However, all companies employ a mechanism called geo-fencing. What that means is that data pertinent to a particular region does not go and sit on a server in another region. China data will not sit on the cloud servers in Singapore, and India data will not go and sit on servers in Pakistan. Simple as that. So yes, Zoom has servers in China, and no, data from other countries does not sit in China.
- Then what was all that noise about data sitting in China?
In December 2019 the subscription base that Zoom enjoyed was 10 million strong. That many people across the world used Zoom for day-to-day communication with their teams. In January 2020, because of the Covid crisis, this number suddenly shot up to 200 million users. This sort of twentyfold increase in numbers is unprecedented in Internet history. It has never happened before. Zoom was suddenly like the local grocery store which was overrun by desperate buyers and had to send out an SOS to nearby grocery stores to help it cope with the rush. Some calls, based entirely on load balancing algorithms, got routed via China-based servers. Remember geo-fencing from the previous point? It was taken off to help cope with that torrent of users. While engineers like me rushed to deploy more servers, secure them, test them and add them to the load balancers, Zoom developers temporarily removed the geo-fencing constraint so that customers could be serviced. Again, this was avoidable, but in the trade-off between going down (like Twitter, FB and WhatsApp do from time to time) and being available, this was at the time considered a good strategy. Data never got stored on a China-based server; it only traveled through the code sitting on the China-based servers.

Trust me, the Chinese have much better ways to eavesdrop on your conversations and access your pictures and videos if they wanted to. For starters, check the labels on most of your phones, webcams and laptops. Most of them will say made in China; what’s to say they didn’t put a bug in any or all of those devices?

Anyway, coming back to Zoom: as soon as Zoom was able to move this traffic back to the geo-fenced state, it did that. As of today none of the Zoom calls are routed via China or any other region. Your calls stay in India, for instance. What’s more, Zoom is now giving users the option to specify which regions they explicitly do not want their calls to be routed through. Complete control is in your hands.
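The routing trade-off described above, as an added sketch that is not Zoom's code and not part of the original post: a load balancer that either enforces a geo-fence, spills overflow to any region, or spills while honouring a per-account list of denied regions. The data center names, capacities and the `route_meeting` function are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class DataCenter:
    name: str
    region: str
    capacity: int  # maximum concurrent meetings
    load: int = 0

    def has_room(self) -> bool:
        return self.load < self.capacity


def route_meeting(home_region, centers, geofence=True, denied_regions=frozenset()):
    """Pick a data center for a meeting hosted in home_region.

    geofence=True  -> only centers in home_region are eligible.
    geofence=False -> any region may absorb overflow, except denied_regions
                      (the per-account opt-out described above).
    Returns the chosen DataCenter, or None when nothing eligible has room.
    """
    def eligible(dc):
        if dc.region in denied_regions or not dc.has_room():
            return False
        return dc.region == home_region or not geofence

    candidates = [dc for dc in centers if eligible(dc)]
    if not candidates:
        return None  # fenced and full: the meeting cannot be placed
    # Prefer the home region, then the center with the lowest utilisation.
    best = min(candidates,
               key=lambda dc: (dc.region != home_region, dc.load / dc.capacity))
    best.load += 1
    return best


def build_fleet():
    # Constructed sample fleet: India is full, the other regions have room.
    return [
        DataCenter("in-1", "IN", capacity=2, load=2),
        DataCenter("sg-1", "SG", capacity=4, load=3),
        DataCenter("cn-1", "CN", capacity=4, load=1),
    ]


def demo():
    fenced = route_meeting("IN", build_fleet(), geofence=True)
    unfenced = route_meeting("IN", build_fleet(), geofence=False)
    opted_out = route_meeting("IN", build_fleet(), geofence=False,
                              denied_regions={"CN"})
    return [dc.name if dc else None for dc in (fenced, unfenced, opted_out)]


if __name__ == "__main__":
    print(demo())
```

With the fence on and the home region full the meeting is refused, with the fence off a pure least-loaded choice sends it to the China center, and the opt-out list moves it to Singapore instead.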
- What about encryption? They say that Zoom uses TLS only not end to end encryption.
First of all, those who say this are ignorant. TLS stands for Transport Layer Security and it is the successor to SSL (yeah, you thought SSL was the epitome of secure; well, news flash, SSL got deprecated and TLS is the new and shiny replacement). For the common ordinary user it is something that will never impact our day-to-day usage. Whether it is TLS or SSL, we never find out; as long as that padlock is there in the address bar, we’re fine. The communication between our device and the server is encrypted. From the server to the destination (in this case the people you are talking to) it is also encrypted. So no one can launch a man-in-the-middle sort of attack and eavesdrop on our communication. On the server (which is not in China, as explained above) the data is stored only for the purpose of re-transmission (to the intended recipient). It is physically impossible for a company the size of Zoom to store so much voice/video/text/multimedia data indefinitely. So for all practical purposes our data leaves our machine in an encrypted state (garbled and nonsensical for someone trying to listen in over the wire) and is received at the other end in the same state; then it is decrypted at the other end to fall back into the sensible format. End-to-end encryption is available in the paid version and will be made available soon for the free version as well.
- How is end to end encryption better than the network layer encryption used currently?
End-to-end encryption means that the call data is not decrypted for re-transmission at the server. This in turn means that a hacked Zoom server will not mean that your calls can be viewed by someone else. A hacked Zoom server is a rare chance. All this having been said, please know that end-to-end encryption is not available on Google Meet, Google Classroom, Microsoft Teams, Skype or Webex. None of the web-conferencing systems use end-to-end encryption at the moment. Only Google Duo uses it; however, the free version has a limit of eleven participants at a time.
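What the relay server can see in each model, as an added example that is not from the original post and is not Zoom's implementation. The cipher is a toy stand-in built from SHA-256 and HMAC so the script runs with the standard library only (it is not TLS and not for real use); the key names and relay functions are hypothetical.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def relay_transport(blob, key_alice_server, key_server_bob):
    """Hop-by-hop model: the server decrypts, then re-encrypts for the next hop."""
    seen_by_server = open_(key_alice_server, blob)
    return seal(key_server_bob, seen_by_server), seen_by_server


def relay_e2e(blob):
    """End-to-end model: the server holds no media key and forwards the bytes."""
    return blob, blob  # the server's view is ciphertext only


def demo():
    msg = b"class starts at 9"  # constructed sample payload
    k_as, k_sb, k_ab = os.urandom(32), os.urandom(32), os.urandom(32)
    # Transport encryption: two link keys, plaintext exists on the server.
    out, server_view_tls = relay_transport(seal(k_as, msg), k_as, k_sb)
    bob_tls = open_(k_sb, out)
    # End-to-end: only the two participants share k_ab.
    out, server_view_e2e = relay_e2e(seal(k_ab, msg))
    bob_e2e = open_(k_ab, out)
    return msg, bob_tls, server_view_tls, bob_e2e, server_view_e2e


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In both models the recipient recovers the message, but only in the hop-by-hop model does the server's view equal the plaintext, which is why a compromised relay matters there and not under end-to-end encryption.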
- What about Zoom-bombing? Surely people dropping in uninvited and projecting objectionable content is a big problem.
Yes, Zoom-bombing, when it used to happen, was a very big problem. It meant that anyone could enter a meeting and listen in. In India a meeting with the Defense Minister was Zoom-bombed, which prompted the Indian authorities to issue a blanket ban on all usage of Zoom for government work purposes. State secrets could not be risked. However, Zoom addressed this problem in a two-pronged manner. Firstly, they introduced meeting passwords: only people with the meeting password could get into the meeting. Secondly, they introduced the concept of the Waiting Room. Everyone with a password is let into the waiting room and the moderator has the option to allow or deny entry based on manual validation. This ensures that getting into a meeting room surreptitiously will not happen anymore.

Again, calling Zoom-bombing a security flaw is wrong, because when meeting URLs are shared by participants over insecure channels like Twitter (look up Zoom on Twitter; there is a #zoomcodes hashtag which is always active with people putting up Zoom meeting IDs and passwords that they want the world to crash for malicious reasons), the question of security doesn’t come into the picture. It’s like saying your debit card is insecure after you write the PIN on the back of the card. So if a participant with the codes is hell-bent upon getting the session hacked, what can the moderator do? Well, now they can deny access from the waiting room itself. Mischief managed!
- Are there no other alternatives?
There are many alternatives, and what’s more, using open-source software a good DevOps person can have a solution up and running for exclusive use within a couple of hours if they know what they are doing. Zoom just works more maturely and better than the others at the moment. What’s more, they are working on the specific security aspect with the best in the business. Alex Stamos, ex-Chief Security Officer at Facebook, is now advising Zoom on security issues and helping them incorporate secure practices into the robust application.
Finally, what I would like to add is that security is forever a work in progress. You may believe that you are very secure today; however, hackers out there will find a way in. The only way to be 100% secure is to unplug and take all your electronic devices, including the phone chargers because they too can be hacked now, put them into a metal box, put a padlock on that box, tie it up in heavy metal chains and drop this box off at the Mariana Trench.

So what are you gonna do about it? Well, to begin with, follow best practices, stay up to date on what’s going on from reputable sources only (certainly not from TV news, newspapers or tabloids), and do the trade-off analysis. A school class, for instance, is not discussing state secrets, so it is OK to use TLS security for link-layer encryption (re-encryption at the server end for re-transmission to the intended recipient) as opposed to end-to-end encryption. Think and research before forming an opinion, and if in doubt talk to people who actually understand the technology rather than rumour mongers. Stay safe, Stay Connected… Zoom is fine for use at schools (and it is certainly not Chinese-owned), as long as best practices are being followed and reviewed periodically.