With several countries worldwide taking measures to contain the contagion from Covid-19, smart working become the password. The "agile work", that is, the possibility of carrying out the same work done on site but precisely between the home walls, requires the contact with colleagues and in these weeks the use of videoconferencing and collaboration platforms has seen an exponential increase.
On the crest of the wave there is certainly Zoom, a teleconferencing platform that in recent years had managed to gain a lot of space in professional and corporate communications, but which in this lockdown period from Coronavirus saw the number of uses explode. Popularity always ends up on the one hand under the magnifying glass of security experts, on the other in the sights of hackers. We recently talked about some privacy issues related to the Login with Facebook function using the Facebook SDK and a vulnerability that allows attackers capable of exploiting it to steal the operating system authentication credentials.
In the past few hours CitizenLab had highlighted other privacy issues related to the video calls made on Zoom, in particular concerning the transit of data from Chinese servers is without end-to-end encryption. The Zoom system divides the traffic on different data centers with the proximity principle, in this way – theoretically – the conversations made in Europe remain in the Old Continent and the American ones in America. In times of very heavy congestion this principle can be overcome and connections sorted on datacenters outside the continental borders. Generally Zoom excludes Chinese servers from Western conference routing capabilities, precisely because of the rules imposed by the Chinese government regarding the data passing through its territory, on which it wants to have an eye always open.
According to what reported by TechCrunch in moments of particularly heavy traffic for Chinese servers have also been 'accidentally' whitelisted for communications between western countries. Zoom confirmed, but stated that it happened in extremely limited circumstances, without quantifying the number of connections affected by the problem. He stated that none of the users who use the government force plan have been touched by the problem and that the possibility of accidental rerouting on Chinese servers has been eliminated.
In recent days Zoom had intervened on his blog to clarify the terms of service: from them it could easily be understood that all communications were covered by end-to-end encryption, but the blog post makes it clear that it is possible only in some specific cases.
