Abstract
In the wake of the global COVID-19 pandemic, video conference systems have become essential not only for business purposes but also for private, academic, and educational uses. Among the various systems, Zoom is the most widely deployed video conference system. In October 2020, Zoom Video Communications rolled out end-to-end encryption (E2EE) to protect the conversations in a meeting even from insiders, namely the service provider Zoom itself. In this study, we conduct a thorough security evaluation of Zoom's E2EE (version 2.3.1) by analyzing its cryptographic protocols. We discover several attacks more powerful than those Zoom anticipates in its whitepaper. Specifically, if insiders collude with meeting participants, they can impersonate any Zoom user in target meetings, whereas Zoom indicates that they can impersonate only the current meeting participants. Moreover, even without relying on malicious participants, insiders can impersonate any Zoom user in target meetings, although they cannot decrypt the meeting streams. In addition, we demonstrate several impersonation attacks by meeting participants, or by insiders colluding with meeting participants. Although these attacks may fall outside the scope of the security claims made by Zoom, or may already be mentioned in the whitepaper, we reveal the details of the attack procedures and their feasibility in a real-world setting and propose effective countermeasures in this paper. Our findings are not an immediate threat to Zoom's E2EE; however, we believe that these security evaluations are of value for a deeper understanding of the security of Zoom's E2EE.
Highlights
Video conference systems are being increasingly used for a variety of purposes, such as business meetings and operations, private communications, and education, since the COVID-19 pandemic has severely limited the practicality of physical meetings.
Impersonation of any Zoom user: We show that insiders, without colluding with participants, can impersonate any legitimate Zoom user, even an uninvited one, in the target meeting.
In this study, we evaluated the security of Zoom's E2EE and revealed several attacks more powerful than those Zoom anticipates in its whitepaper.
Summary
Video conference systems are being increasingly used for a variety of purposes, such as business meetings and operations, private communications, and education, since the COVID-19 pandemic has severely limited the practicality of physical meetings. Security measures such as end-to-end encryption (E2EE) have therefore become essential. The E2EE of Zoom, one of the most widely used video communication applications worldwide today, is thoroughly examined here for potential security gaps.