Cabinet and the Epidemic Response Committee have been using Zoom for meetings during the lockdown - but now questions are being raised about the video conferencing platform's security.
Security expert Daniel Ayers is asking why our top politicians are using Zoom at a time when sharp questions have been raised over the popular video chat service's privacy and security.
Ayers notes that Zoom's terms and conditions - until a change just days ago - allowed it to keep chat messages and files exchanged in meetings, and that a recent regulatory filing reveals it has some 700 staff employed at research and development centres in China (the US-listed Zoom was founded by Shandong-raised Eric Yuan; see profile end of story).
"It is interesting that the Government intervened to restrict the use of Huawei equipment in our 5G networks but continues to discuss national security information via an insecure video conferencing application," he said, after watching Prime Minister Jacinda Ardern's Wednesday afternoon press briefing, then sharing his thoughts with the Herald.
He also points out that, overnight, two new "Zero Day" vulnerabilities were revealed in Zoom. Wired and other US media say the flaws could give an attacker control over a victim's microphone and camera.
A spokeswoman for Zoom told the Herald this morning, "We are actively investigating and working to address these issues. We are in the process of updating our installer to address one issue and will be updating our client to mitigate the microphone and camera issue."
The latest problems follow another vulnerability, exposed earlier this month, that allowed an attacker to steal a Zoom user's Windows credentials without them being aware.
In covering the latest holes, Wired quotes security researcher Kenn White, who says, "Zoom has never been known as the most hardcore secure and private service, and there have certainly been some critical vulnerabilities, but in many cases there aren't a lot of other options."
White praises Zoom for its user-friendliness, which has allowed it to steal a march on the likes of Facebook Live and Skype during worldwide lockdowns, but adds that, in his view, it's just not engineered for privacy. "It's like everyone is driving a 1989 Geo and security folks are worrying about the air flow in a Ferrari," he says.
Wired also notes Zoom collected meeting information for the purpose of targeted advertising, and that in one case it shared users' information with Facebook without their permission.
Video chat programmes that do offer end-to-end encryption include Facebook-owned WhatsApp and Apple's FaceTime.
Ardern responds
Ardern was asked earlier this week about the security of holding a Cabinet meeting via Zoom.
The PM said Zoom had been vetted by security agencies and okayed for conversations up to "Restricted" level - a level that sits below Confidential, Secret and Top Secret in the GCSB's official guidelines.
"It has been guaranteed to us up to the level of 'Restricted'. So we keep in mind what we are discussing on the call," Ardern said.
And Ardern reiterated that stance at her press conference yesterday. When told of the latest controversy over Zoom's alleged encryption inadequacies, she said Cabinet took a cautious approach.
"There are certain agenda items that we just will not discuss on Zoom," she said.
"We are acting cautiously in line with the advice that we've had from officials."
But beyond Zoom's apparent lack of security crimping Cabinet's style, Ayers asks why it was chosen at all when there are alternatives that do feature full end-to-end encryption.
He points out that the Government's official security manual requires that "Information classified RESTRICTED or SENSITIVE MUST be encrypted with an approved encryption algorithm if information is transmitted over any insecure or unprotected network such as the Internet."
Zoom claims end-to-end encryption on its website, but an article published overnight by the investigative news outlet The Intercept says that claim is not correct.
"In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings," The Intercept said.
The accusation came on top of New York Attorney-General Letitia James' announcement this week that her office would look into Zoom's data privacy and security practices.
On Monday, her office sent Zoom a letter asking what, if any, new security measures the company had put in place to handle increased traffic on its network and to detect hackers, according to The New York Times, which saw a copy of the correspondence.
Although the letter referred to Zoom as "an essential and valuable communications platform", it outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities "that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams", the NY Times said.
Over the past few weeks, internet trolls have exploited a Zoom screen-sharing feature to hijack meetings and do such things as interrupt educational sessions or post white supremacist messages to a webinar on anti-Semitism — a phenomenon called "Zoombombing", the NY Times said.
The letter seen by the paper said the New York Attorney-General's office is "concerned that Zoom's existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network."
Zoom responds
A spokesperson for Zoom did not respond to a Herald question about whether the video chat platform supported end-to-end encryption, but sent the following statement:
"Zoom takes its users' privacy, security, and trust extremely seriously. During the Covid-19 pandemic, we are working around the clock to ensure that hospitals, universities, schools, and other businesses across the world can stay connected and operational. We appreciate the New York Attorney-General's engagement on these issues and are happy to provide her with the requested information."
The Herald has asked the office of the Prime Minister for comment.
In the meantime, the information vacuum makes Ayers nervous.
"It is unclear whether the PM has been incorrectly advised on the security of Zoom - perhaps by a security agency relying on Zoom's claims - or whether the security requirements have been loosened to accommodate the Covid-19 crisis," he told the Herald.
"This would make Zoom an attractive target for hostile countries as if they could break into Zoom's network, or compromise Zoom staff, they could potentially obtain access to national security information from NZ and other countries. The UK Cabinet also uses Zoom, despite the UK Ministry of Defence dropping it recently due to security concerns."
Ayers elaborated: "Full or 'end-to-end' encryption means the protected data is encrypted when it enters the internet and decrypted by another trusted party, such as a conference participant, when it is received by them. No other party on the internet would be able to decrypt the information.
"Despite apparent claims to the contrary, Zoom does not provide full or end-to-end encryption. Information is encrypted when a conference participant transmits it to Zoom, and it is decrypted by Zoom and readable by them. Staff of Zoom, or any hacker who has compromised Zoom, would be able to access the information. This does not comply with the NZISM [NZ Information Security Manual] clause 17.1.36.C.02 requirement."
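The distinction Ayers draws - encryption that terminates at the provider's server versus encryption that only the participants can undo - is easy to see in a small model. The Python script below is an added illustration written for this page; it is not code from Zoom, the Herald, Ayers or any of the cited publications, and it does not represent Zoom's actual protocol. It uses a deliberately simple HMAC-SHA256 counter-mode cipher so that it runs with the standard library alone; the participant names, keys and the "Cabinet item" message are all constructed. The point it demonstrates is who holds the keys: in "transport only" mode the relay decrypts and re-encrypts every payload and therefore sees the plaintext (as would anyone who compromised it), while in end-to-end mode the relay only ever carries ciphertext under a meeting key it was never given.

```python
"""Toy model of the trust boundary between 'encrypted in transit' and
end-to-end encryption in a relayed conferencing service.

The cipher is a simple HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag. It is for illustration only (not Zoom's protocol,
not production crypto); what matters here is WHO holds which key.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample message; not a real agenda item.
MESSAGE = b"Cabinet item 4: [constructed sample text]"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-derived keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then return the plaintext. Wrong key or tampering -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """The provider's server. It holds one transport (session) key per client,
    like a TLS endpoint would, and records any plaintext it manages to read."""

    def __init__(self, transport_keys: dict[str, bytes]):
        self.transport_keys = transport_keys
        self.seen_plaintext: list[bytes] = []

    def forward_transport_encrypted(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Hop-by-hop: decrypt under the sender's session key, re-encrypt under the
        # recipient's. The server (or anyone who has compromised it) sees the media.
        plaintext = decrypt(self.transport_keys[sender], blob)
        self.seen_plaintext.append(plaintext)
        return encrypt(self.transport_keys[recipient], plaintext)

    def forward_end_to_end(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # The payload inside the transport layer is encrypted under a meeting key
        # the server never received. Stripping the transport layer exposes only
        # ciphertext; trying every key the server does hold fails authentication.
        inner = decrypt(self.transport_keys[sender], blob)
        for key in self.transport_keys.values():
            try:
                self.seen_plaintext.append(decrypt(key, inner))
            except ValueError:
                pass
        return encrypt(self.transport_keys[recipient], inner)


def _fresh_relay() -> tuple[dict[str, bytes], Relay]:
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    return keys, Relay(keys)


def run_transport_only() -> tuple[bytes, list[bytes]]:
    """Encryption terminates at the server: Bob gets the message, and so does the relay."""
    keys, relay = _fresh_relay()
    wire = encrypt(keys["alice"], MESSAGE)
    delivered = relay.forward_transport_encrypted("alice", "bob", wire)
    return decrypt(keys["bob"], delivered), relay.seen_plaintext


def run_end_to_end() -> tuple[bytes, list[bytes]]:
    """Participants share a meeting key the server never sees: only Bob can read it."""
    keys, relay = _fresh_relay()
    meeting_key = secrets.token_bytes(32)  # agreed between participants out of the server's view
    inner = encrypt(meeting_key, MESSAGE)
    wire = encrypt(keys["alice"], inner)
    delivered = relay.forward_end_to_end("alice", "bob", wire)
    return decrypt(meeting_key, decrypt(keys["bob"], delivered)), relay.seen_plaintext


if __name__ == "__main__":
    print("transport only -> relay saw:", run_transport_only()[1])
    print("end-to-end     -> relay saw:", run_end_to_end()[1])
```

Run it as a script to see the two `relay saw` lines: a list containing the message in the first case, an empty list in the second. The relay's `forward_end_to_end` brute-forcing its own key set stands in for the scenario Ayers describes, a provider (or an attacker inside it) attempting to read traffic; with real end-to-end encryption that attempt fails because the only key that works was never on the server.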
GCSB responds
A spokesman for the GCSB said, "The Bureau is aware of commentary overnight relating to the security of the Zoom platform and will consider if additional guidance around its use is required."
He also added the general comment that, "The GCSB has provided advice to government about security considerations when working remotely during the Covid-19 level 4 response. This includes information security advice and advice on encrypted messaging and conferencing platforms including Zoom. We are working on a security guide for government users that can be distributed more widely.
"The advice we have provided to date reinforces the need for users to consider the nature and sensitivity of information being communicated, and the level of security available on the platform.
"Our advice aims to enable organisations to have some flexibility in the tools they are using to enable effective operations in these extraordinary times while managing and mitigating security risks."
Ayers says the GCSB should investigate alternatives to Zoom.
Zoom who?
The Covid-19 crisis has cast a spotlight on Zoom, a company founded nine years ago by its CEO Eric Yuan, now 50, after he defected from US company Cisco Systems and took about 40 engineers with him.
Yuan wanted to refine a concept he first dreamed up during the 1990s as a college student in China, when he dreaded the 10-hour train trips to see his then-girlfriend, now his wife.
Now Zoom is booming, just 11 months after it made its debut on the stock market. While the Standard & Poor's 500 index has fallen by 25 per cent since its record high on February 19, Zoom's stock has soared around 46 per cent as investors bet on its service becoming a mainstream staple in life after the coronavirus.