TORONTO -- Canadian cybersecurity researchers are discouraging healthcare officials and government bodies from using video conferencing app Zoom, warning that the app's security measures are not designed for sensitive conversations.
Citizen Lab, an internet watchdog group based at the University of Toronto, found that Zoom uses non-industry standard encryption techniques with "identifiable weaknesses."
"Zoom has made the classic mistake of designing and implementing their own encryption scheme, rather than using one of the existing standards for encrypting voice and video content," Bill Marczak, Citizen Lab research fellow, said in a statement.
"Zoom's encryption is better than none at all, but users expecting their Zoom meetings to be safe from espionage should think twice before using the app to discuss sensitive information."
Use of the video conferencing platform has exploded amid worldwide lockdowns related to the spread of COVID-19. So, too, have concerns about its security measures, with some cybersecurity experts describing it as a
Still, politicians including British Prime Minister Boris Johnson have been seen using Zoom to conduct meetings while self-isolating and a growing number of healthcare services are being offered virtually using the platform.
According to the Citizen Lab report, Zoom's own documentation presents unclear claims about its encryption protocols and notes that there are potential security issues surrounding the way the company stores cryptographic information.
The report says that Zoom does not use end-to-end encryption -- the gold standard of security measures -- "as most people understand the term." Instead, it uses "transport" encryption between devices and servers.
The company previously suggested its video conference sessions were capable of end-to-end encryption. It has since for this claim.
The researchers also expressed concerns that some of Zoom's encryption keys were being distributed through servers in China, even when all meeting participants were outside of China.
"A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," reads the report.
"Given the business value of meetings currently being conducted on Zoom, it is reasonable to expect that the platform is being closely scrutinized by groups engaged in industrial and political espionage, as well as cybercrime."
Though the report discourages using the platform for government communications, confidential business activities, and the handling of sensitive healthcare or legal information, researchers note the average user shouldn't be concerned.
"For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning," reads the report.
On Thursday, Zoom's founder and CEO Eric Yuan said the company would freeze new feature development and shift all of its engineering resources to working on security and safety issues.
The company said it has seen the number of daily meeting participants, both free and paid, balloon from approximately 10 million users in December 2019, to more than 200 million in March of this year.
"We recognize that we have fallen short of the community's -- and our own -- privacy and security expectations. For that, I am deeply sorry,"
The company has released a series of blog posts directing users to specific privacy features, including one specifically aimed at and virtual healthcare appointments.
On April 1, Zoom also issued a clarification surrounding its encryption practices, noting "Zoom has implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings, including -- but not limited to -- the video, audio, and chat content of those meetings."
"Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list," reads the blog post.