Keys Used to Encrypt Zoom Meetings Sent to China: Researchers
2020-04-03 15:41

A recent analysis of the Zoom video conferencing application revealed that the keys used to encrypt and decrypt meetings may be sent to servers in China, even if all participants are located in other countries.

"A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China," Citizen Lab explained in a report published on Friday.

As for the encryption itself, the organization noticed that Zoom meetings are encrypted with an AES-128 key, contrary to Zoom documentation, which claims AES-256 encryption is used.

"Zoom's most recent SEC filing shows that the company employs at least 700 employees in China that work in 'research and development.' The filing also implies that 81% of Zoom's revenue comes from North America. Running development out of China likely saves Zoom having to pay Silicon Valley salaries, reducing their expenses and increasing their profit margin. However, this arrangement could also open up Zoom to pressure from Chinese authorities," researchers said.

UPDATE. Zoom has published a blog post claiming certain meetings connected to servers in China due to an error, which the company has addressed.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/-D0MQ9tp3fE/keys-used-encrypt-zoom-meetings-sent-china-researchers

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zoom 51 4 50 57 8 119