Zoom engineering management practices have been exposed as far below industry standards of safety and product security. They have been doing a terrible job, and it is easy now to explain how and why. Just look at their encryption.

The Citizen Lab April 3rd, 2020 report broke the news on Zoom practicing deception with weak encryption and gave this top-level finding:

Zoom documentation claims that the app uses “AES-256” encryption for meetings where possible. However, we find that in each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption.

It’s a long report with excellent details, definitely worth reading if you have the time. It even includes the famous electronic codebook (ECB) mode penguin, which illustrates why ECB is considered so broken for confidentiality that nobody should be using it.

I say famous here because anyone thinking about writing software to use AES surely knows of or has seen this image. It’s from an early 2000s education campaign meant to prevent ECB mode selection.

There’s even an ECB Penguin bot on Twitter that encrypts images with AES-128-ECB that you send it so you can quickly visualize how it fails.

A problem is simply that using ECB means identical plaintext blocks generate identical ciphertext blocks, which maintains recognizable patterns. This also means when you decipher one block you see the contents in all of the identical blocks. So it is very manifestly the wrong choice for streams of lots of data intended to be confidential.

However, while Citizen Lab included the core image to illustrate this failure, they also left out a crucial third frame on the right that can drive home what industry norms are compared to Zoom’s unfortunate decision.

The main reason this Linux penguin image became famous in encryption circles is because it shows huge weakness faster than trying to explain ECB cracking. It makes it obvious why Zoom really screwed up.

Now, just for fun, I’ll still try to explain here the old-fashioned way.

Advanced Encryption Standard (AES) is a U.S. National Institute of Standards and Technology (NIST) algorithm for encryption.

Here’s our confidential message that nobody should see:

zoom

Here’s our secret (passphrase/password) we will use to generate a key:

whywouldyouuseECB

Conversion of password from ASCII to Hex could simply give us a 128 bit block (16 bytes of ASCII into 32 HEX characters):

77 68 79 77 6f 75 6c 64 79 6f 75 75 73 65 45 43

Yet we want to generate a SHA256 hash from our passphrase to get ourselves a “strong” key (used here just as another example of poor decision risks, since PBKDF2 is a far safer choice to generate an AES key):

cbc406369f3d59ca1cc1115e726cac59d646f7fada1805db44dfc0a684b235c4

We then take our plaintext “zoom” and use our key to generate the following ciphertext blocks (AES block size is always 128 bit — 32 Hex characters — even when keys used are longer such as AES-256, which uses 256 bit keys):

a53d9e8a03c9627d2f0e1c88922b7f3f
ad850495b0fc5e2f0c7b0bf06fdf5aad
ad850495b0fc5e2f0c7b0bf06fdf5aad
b3a9589b68698d4718236c4bf3658412

I’ve kept the 128 bit blocks separate above and highlighted the middle two because you can see exactly how “zoom” repetitive plaintext is reflected by two identical blocks.

It’s not as obvious as the penguin, but you still kind of see the point, right?

If we string these blocks together, as if sending over a network, to the human eye it is deceptively random-looking, like this:

a53d9e8a03c9627d2f0e1c88922b7f3fad850495b0fc5e2f0c7b0bf06fdf5aadad850495b0fc5e2f0c7b0bf06fdf5aadb3a9589b68698d4718236c4bf3658412

And back to the key, if we run decryption on our stream, we see our confidential content padded out in blocks uniformly sized:

z***************o***************o***************m

You also probably noticed at this point that if anyone grabs our string they can replay it. So using ECB also brings an obvious simple copy-and-paste risk.

A key takeaway, pun intended of course, is that Zoom used known weak and undesirable protection by choosing AES-128 ECB. That’s bad.

It is made worse because they told customers it was AES-256; they’re not disclosing their actual protection level and calling it something it’s not. That’s misleading customers who may run away when they hear AES-128 ECB (as they probably should).

Maybe run away is too strong, but I can tell you all the cloud providers treat AES-256 as a minimum target (I’ve spent decades eliminating weak cryptography from platforms, nobody today wants to hear AES-128). At least two “academic” attacks have been published for AES-128: “key leak and retrieval in cache” and “finding the key four times faster“.

And the NSA published a revealing doc in 2015 saying AES-256 was their minimum guidance all the way up to top secret information.

On top of all that, the keys for Zoom were being generated in China even for users in America not communicating with anyone in China.

Insert conspiracy theory here: AES-128 was deemed unsafe by NSA in 2015 and ECB has been deemed unsafe for streams by everyone since forever… and then Zoom just oops “accidentally” generates AES-128 ECB keys on Chinese servers for American meetings? Uhhhh.

It’s all a huge mess and part of a larger mismanagement pattern, pun intended of course. Weak confidentiality protections are pervasive in Zoom engineering.

Here are some more examples to round out why I consider it pervasive mismanagement.

Zoom used no authentication for their “record to cloud” feature, so customers were unwittingly posting private videos onto a publicly accessible service with no password. Zoom stored calls with a default naming scheme that users stored in insecure open Amazon S3 “buckets” that could be easily discovered.

Do you know what encrypted video that needs no password is called? Decrypted.

If someone chose to add authentication to protect their recorded video, the Zoom cloud only allowed a 10 character password (protip: NIST recommends long passwords. 10 is short) and Zoom had no brute force protections for these short passwords.

They also used no randomness in their meeting ID, kept it a short number and left it exposed permanently on the user interface.

Again all of this means that Zoom fundamentally didn’t put the basic work in to keep secrets safe; didn’t apply well-known industry-standard methods that are decades old. Or to put it another way, it doesn’t even matter that Zoom chose broken unsafe encryption routed through China and lied about it when they also basically defaulted to public access for the encrypted content!

It would be very nice, preferred really, if there were some way to say these engineering decisions were naive or even accidental.

However, there are now two major factors prohibiting that comfortable conclusion.

1. The first is set in stone: Zoom CEO was the former VP of engineering at WebEx after it was acquired by Cisco and tried to publicly shame them for using his “buggy code“. He was well aware of both safe coding practices as well as the damage to reputation from bugs, since he tried to use that as a competitive weapon in direct competition with his former employer.
2. The second is an entirely new development that validates why and how Zoom ended up where they are today: the CEO announced he will bring on board the ex-CSO of Facebook (now working at Stanford, arguably still for Facebook) to lead a group of CSO. The last thing Zoom needs (or anyone for that matter) is twelve CSO doing steak dinners and golf trips while chatting at the 30,000 foot level about being safe (basically a government lobby group). The CEO needs expert product security managers with their ear to the ground, digging through tickets and seeing detailed customer complaints, integrated deep into the engineering organization. Instead he has announced an appeal-to-authority fallacy (list of names and associations) with a very political agenda, just like when tobacco companies hired Stanford doctors to tell everyone smoking is now safe.

Here’s the garbage post that Zoom made about their future of security, which is little more than boasting about political circles, authority and accolades.

…Chief Security Officer of Facebook, where he led a team charged with understanding and mitigating information security risks for the company’s 2.5 billion users… a contributor to Harvard’s Defending Digital Democracy Project and an advisor to Stanford’s Cybersecurity Policy Program and UC Berkeley’s Center for Long-Term Cybersecurity. He is also a member of the Aspen Institute’s Cyber Security Task Force, the Bay Area CSO Council, and the Council on Foreign Relations. And, he serves on the advisory board to NATO’s Collective Cybersecurity Center of Excellence.

We are thrilled to have Alex on board. He is a fan of our platform…

None of that, not one sentence is a positive sign for customers. It’s no different, as I said above in point two, from tobacco companies laying out a PR campaign that they’ve brought on board a Stanford or Harvard doctor to be on a payroll to tell kids to smoke.

Even worse is that the CEO admits he can’t be advised on privacy or security by anyone below a C-level

…we are establishing an Advisory Board that will include a subset of CISOs who will act as advisors to me personally. This group will enable me to be a more effective and thoughtful leader…

If that doesn’t say he doesn’t know how to manage security at all, I’m not sure what does. He’s neither announcing promotion of anyone inside the organization, nor is he announcing a hire of someone to lead engineering who he will entrust with day-to-day transformation… the PR is all about him improving his own skills and reputation and armoring against critics by buying a herd to hide inside.

This is not about patching or a quick fix. It really is about organizational culture and management theory. Who would choose ECB mode for encryption, would so poorly manage the weak secrets making bad encryption worse, and after all that… be thrilled to bring on board the least successful CSO in history? Their new security advisor infamously pre-announced big projects (e.g. encryption at Yahoo in 2014) that went absolutely nowhere (never even launched a prototype) is accused of facilitating atrocities and facing government prosecution for crimes, and who demonstrably failed to protect customers from massive harms.

Zoom just hired the ECB of CSOs, so I’m just wondering how and when everyone will see that fact as clearly as with the penguin image. Perhaps it might look something like this.

---

Update April 12: Jitsi has posted a nice blog entry called “This is what end-to-end encryption should look like!” These guys really get it, so if you ask me for better solutions, they’re giving a great example. Superb transparency, low key modest approach. Don’t be surprised instead when Zoom rolls out some basic config change like AES-256-GCM by default and wants to throw itself a ticker-tape parade for mission accomplished. Again, the issue isn’t a single flaw or a config, it’s the culture.

Update April 13: a third-party (cyber-itl.org) security assessment of the Zoom linux client finds many serious and fundamental flaws, once again showing how terrible general Zoom engineering management practices have been, willfully violating industry standards of safety and product security.

It lacks so many base security mitigations it would not be allowed as a target in many Capture The Flag contests. Linux Zoom would be considered too easy to exploit! Perhaps Zoom using a 5 year out of date development environment helps (2015). It’s not hard to find vulnerable coding in the product either. There are plenty of secure-coding-101 flaws here.

These are really rube, 101-level, flaws that any reasonable engineering management organization would have done something about years ago. It is easy to predict how this form of negligence turns out, and the CEO attacked his former employer for using his buggy code, so ask why did Zoom believe they could get away with it?

Update November 11: The FTC calls out Zoom for being a fraud, yet neither penalizes them nor compensates their victims.

…’increased users risk of remote video surveillance by strangers and remained on users’ computers even after they deleted the Zoom app, and would automatically reinstall the Zoom app—without any user action—in certain circumstances,’ the FTC said. The FTC alleged that Zoom’s deployment of the software without adequate notice or user consent violated US law banning unfair and deceptive business practices.

And they basically lied for years and years about security.

…Zoom claimed it offers end-to-end encryption in its June 2016 and July 2017 HIPAA compliance guides… also claimed it offered end-to-end encryption in a January 2019 white paper, in an April 2017 blog post, and in direct responses to inquiries from customers and potential customers… In fact, Zoom did not provide end-to-end encryption for any Zoom Meeting…

Since June 2016 Zoom lied repeatedly about its encryption practices in order to juice sales in American healthcare while diverting traffic through China. Think hard about that.

Recently I pointed out in a blog post that the Zoom CEO was the VP of Engineering at Cisco who left to start a direct competitor because, according to him, he was unhappy about the speed he could operate at.

Being secure, to be frank, is about flaw management practices such as transparency and handling much more than being devoid of flaws. How one educates users about a serious bug should be in the spotlight right now and Zoom is failing catastrophically.

Reading between the lines it looks a bit like the CEO didn’t like being told to do the right thing (follow safety processes) by Cisco management, and he allegedly saw it as an opportunity to exit and do a much easier thing — get rich doing what’s wrong, then apologize and hope for no accountability.

So let’s put this business management theory to a simple product security management test.

Here is a 2020 WebEx security vulnerability advisory:

I’d rate that security page and overall site as excellent and extremely useful to keeping everyone safe.

It stems from the main cisco.com/security page, where you can easily query and sort on WebEx vulnerabilities.

Let’s now compare that level of transparency and operational excellence to the Zoom outfit, run by the celebrated billionaire CEO.

First, the zoom.com/security page is a lot of marketing material fluff. We know already that these marketing materials are deceptive (e.g. end-to-end encryption is claimed, yet in reality it’s client server using a shared key that’s half the strength claimed and distributed in China…but I digress).

You have to scroll all the way to the bottom (it’s long) to find anything about security practices, like patches and advisories. Even then, security practices appear at first glance to be severely lacking, hosted at this oddly complicated US support URL.

https://support.zoom.us/hc/en-us/sections/201728933-Security

Second, I will test this support page using Patrick Wardle’s announcement (“The ‘S’ in Zoom, Stands for Security: uncovering [local] security flaws in Zoom’s latest macOS client“) from March 30, 2020.

Patrick kindly has updated his own announcement page in April that “Zoom has patched both bugs in Version 4.6.9 (19273.0402)”. Was the Zoom response well done? No.

Look very closely and very carefully at the Zoom security practices page:

A huge security news story, details about the vulnerability, announcement of the patch… none of it, nothing at all can be found anywhere in this support page or the top-level security page.

How would you know to update for a security flaw or even who it affects and how bad it is when it doesn’t appear anywhere except an obscure security researcher’s personal blog page?

I’d rate that as awful, and way below industry practices (again, look above at WebEx). This company supposedly obsessed with technology being “easy and fast to use” has a terribly convoluted hidden security site with CVE tossed in like a mixed bag among some random thoughts by their support team that hasn’t been updated in half a year.

It’s April 2020 and given the news so far this year there should be far more CVE on this page (even if only placeholders, we’ve seen one for Windows and one for OSX).

That’s just to begin with, as this really should elevate to a zoom.com/security URL and be easily sorted and searched as well as linked to product release/fix notes. I would imagine a truly sorry CEO would put up a giant box on the top level security page that says the industry standard WARNING: SECURITY FLAW.

Do it now Zoom, if you really are interested in moving fast.

Third, pop over to the release notes for the version Patrick mentions, which aren’t even linked from this page, you won’t find the word security mentioned anywhere.

This is unbelievable levels of bad management practice. Both the security page and the release page are far below acceptable. The practices are truly below baseline and should fail regulations and audits.

Please, anyone, someone explain to me why these release notes don’t use the word security anywhere, let alone don’t have a CVE with details and aren’t connected to the security advisory page.

There’s really not a need at this point for me to get into interesting and messy details of CVE, CWE, CVSS, etc when it’s obvious just how far below a safe baseline Zoom is operating.

I’ve shown enough already how Zoom practices may be a danger to society.

My take on this is the CEO has not enabled his security team (buried in US support), is not listening to his security critics (2020 vulnerabilities not listed), and does not yet take security seriously (sends out apologies to get sympathy without making necessary changes).

I may be forced to look further.

It’s like watching a dumpster burning and hard for me to take my eyes off at this point. Ok, ok let’s go just a little bit onward.

Fourth, I drop down into Security: CVE-2019-13450 shows Zoom has a severity score of 3.1 out of 10 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N):

HOLD ON TO YOUR HATS everyone because… wait for it… NIST shows this vulnerability officially filed as 6.5 out of 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N), more than double what Zoom wrote on their security support pages!

Here are the calculations side-by-side, which shows how Zoom ended up publishing a false score in their useless security page (Attack Complexity High, Confidentiality Low) while everyone in the world will pull an official higher risk number from NIST’s database:

Zoom: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
NIST: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Look, I’ve spent a lot, and I mean a lot, of time inside the sausage factories called software development working on CVSS scores like these. There can be endless debates and fights and it isn’t always easy. I get that, trust me. I even established one of the first 70 CVE Numbering Authority (CNA) in the world for a major software vendor to pump out vulnerabilities that had been obscured.

But I will tell you right now that Zoom claiming complexity is high and confidentiality is low is completely and utterly wrong. It’s deceptive and it’s harmful. Here is the excellent NIST text explaining a CVSS score of 6.5:

…attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled…

That is a text book case of high confidentiality loss. Does it really get any higher than to be spied on from your camera? And it has a reliable service (text book case of low complexity) that remains vulnerable even after a user tries to remove it? Come on Zoom people.

From there I drop into another CVE they have listed and another, and see problems everywhere…

Their last update on vulnerabilities is from six months ago called “Security: 2019-11 Zoom Connector for Cisco, Poly, and Lifesize” which has a CVSS of 8.1 and no CVE number assigned. I get that they might not be a CNA, or have trouble getting a CVE, but it doesn’t say anything at all.

In the meantime, with no CVE and no advisories page and no links from the main security pages, who exactly is expected to know they need to patch a CVSS 8.1 from October 2019?

There are a million more examples I could give but honestly it’s just so bad I think people need to understand that a major product security and safety overhaul is overdue at Zoom.

I’m not saying anyone should use WebEx, but at least take a look at what they’re doing right to understand just how far off the mark Zoom is. I do not see anything approaching a safe product with proper management practices at Zoom.

And I don’t know if any of this yet means the CEO has to go, or that the AG and FTC should be breathing fire.

However, I can tell you as a long-time product security leader that so far everything I’m looking at from my perspective shows very broken software lifecycle; it’s substantial evidence of misleading and deceptive practices, which clearly harm customers.

Only YOU can prevent video conferencing fires.