As much of the world works from home, an explosion of video conference calls has provided a playground not just for Zoombombers, phishermen and cybercriminals, but also for spies. Everyone from top business executives to government officials and scientists is using conferencing apps to stay in touch during the new coronavirus lockdowns, and U.S. counterintelligence agencies have observed the espionage services of Russia, Iran, and North Korea attempting to spy on Americans’ video chats, three U.S. intelligence officials tell TIME.
But the cyberspies that have moved fastest and most aggressively during the pandemic, the intelligence officials say, have been China’s. “More than anyone else, the Chinese are interested in what American companies are doing,” said one of the three. And that, in turn, has some U.S. counterintelligence officials worrying about one video conference platform in particular: Zoom. While the Chinese, Russians, and others are targeting virtually every tool Americans and others are using now that they’re forced to work from home, Zoom is an attractive target, especially for China, the intelligence officials and internet security researchers say.
An Apr. 3 report by The Citizen Lab, a research organization at the University of Toronto, found a number of shortcomings in Zoom’s security, including some that made it particularly vulnerable to China. It found that Zoom’s encryption scheme “has significant weaknesses,” including routing some encryption keys through Chinese servers, and that its ownership structure and reliance on Chinese labor could “make Zoom responsive to pressure from Chinese authorities.”
The U.S. intelligence officials stress there is no evidence that Zoom is cooperating with China or has been compromised by it, only that Zoom’s security measures leave gaps, some of which may make the application less secure than others. All three intelligence officials, who requested anonymity because they are not authorized to discuss ongoing operations with the media, said spies are using multiple applications to search government, corporate, and academic conversations for financial, personal, product development, research, and intellectual property information and leads. Federal experts have warned both government and private officials not to use video conference applications to discuss or exchange sensitive information. In a memo on Thursday, the Senate Sergeant-at-Arms told Senators not to use Zoom, according to one person who received the memo.
Zoom has responded to the particular criticism of its security with multiple public efforts to address the concerns. After initially claiming that its platform provides end-to-end encryption for all its conversations, Zoom later said encryption was in fact absent from some online messaging tools. “While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” wrote Oded Gal, the chief product officer for Zoom Video, in an April 1 blog post.
The subsequent investigation by The Citizen Lab found other weaknesses. During a test of a Zoom meeting with two users, one in the United States and one in Canada, the Citizen Lab’s researchers found that the key for conference encryption and decryption was sent to one of the participants from a Zoom server apparently located in Beijing. A scan located a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server, their report says.
Zoom’s headquarters are in San Jose, California and it is listed on the NASDAQ. The company’s main applications have been developed in part by three companies in China that all are named Ruanshi Software, the Citizen Lab study found. Two are owned by Zoom, and one is owned by a company called American Cloud Video Software Technology Co., Ltd. Zoom’s most recent SEC filing says the company employs at least 700 “research and development” employees in China, and job postings for Ruanshi Software in Suzhou, China include positions for C++ coders, Android and iOS app developers, and testing engineers, the Citizen Lab reported.
Zoom says it is not alone in having workers and servers in China. “Zoom is not unique among its U.S. based teleconferencing peers in having a data center and employees in China; Zoom is perhaps just more transparent about it,” the company said in a statement to TIME. “Ruanshi is the Chinese name that Zoom uses to name our subsidiaries in China,” the company said, and “Our engineers are employed through these three subsidiaries and we are fully transparent about it—all of this is disclosed in our filings.” The company added that it “has a number of documented controls and protections in place to protect data and prevent unauthorized access, including from Zoom employees. These controls are strictly enforced across the Company, regardless of jurisdiction.”
In the wake of the Citizen Lab report, Zoom has taken other steps to reassure users about its commitment to security. On April 8, Alex Stamos, former chief security officer at Facebook and Yahoo, posted a note on Medium saying Yuan had called and “asked if I would be interested in helping Zoom build up its security, privacy and safety capabilities as an outside consultant, and I readily agreed.”
Sens. Amy Klobuchar of Minnesota and Michael Bennet of Colorado and Reps. Frank Pallone of New Jersey, the Chairman of the House Energy and Commerce Committee, and Jan Schakowsky of Illinois have called for the Federal Trade Commission to investigate whether Zoom has taken the measures necessary to protect its users. Multiple state attorneys general already have begun looking into the company, Politico reported. And despite Zoom’s reassurances, some intelligence experts remain concerned about its vulnerabilities. “Zoom’s links to China, regardless of what its CEO promises, create a persistent threat,” former director of the National Security Agency and the Central Intelligence Agency Michael Hayden tells TIME.