[Security Weekly] Zoom Faces Security Crisis: Weak Encryption, Calls Mistakenly Routed Through Chinese Servers
2nd Week of April 2020
1. Zoom faces further security concerns, admits calls routed through Chinese servers by mistake
Video conferencing company Zoom has gained another week of public attention. Just as the company was working around the clock to fix multiple security flaws, Citizen Lab, a research group based in the University of Toronto, released last Friday a report that raised some fundamental concerns about the company.
According to Citizen Lab’s research, Zoom uses a single AES-128 encryption key in electronic codebook (ECB) mode to encrypt and decrypt contents during conferencing. As the simplest encryption mode, ECB mode encrypts plaintext into identical ciphertext. It lacks the ability to hide data patterns, which is not appropriate for Zoom’s context.
Citizen Lab also described Zoom as an “American company with a Chinese heart”, where most software developments are done by three companies it owns in China, employing more than 700 employees. Labor outsourcing can help save costs, but leaves the company vulnerable to pressure from the Chinese government.
There is nothing wrong with outsourcing labor to China, but there is a reason for concern. The encryption keys are generated from Zoom’s servers and delivered to the users during the calls. Citizen Lab has found that oftentimes the key gets generated from servers located in China, despite all meeting members being outside China. Since the application is not end-to-end encrypted, the company has access to the keys and the content of the users’ meetings. The keys generated from Chinese servers could potentially be handed over to Chinese authorities under pressure.
Zoom responded to the issue by admitting that during times of heavy traffic, servers from nearby regions could be used to route calls to avoid congestion. However, they claimed that China had been listed as an exception and that the use of Chinese servers to route calls outside China was a mistake.
Many governments and corporations around the world are now banning the use of Zoom within their organization. These include the governments of Germany, Taiwan, Australia, school boards of New York, SpaceX, and Google.
Nevertheless, the company shows no sign of giving up. It has just hired former Facebook CSO Alex Stamos as an outside security consultant, working towards creating a fully secure application.
2. DarkHotel APT hacks Chinese government agencies by exploiting VPN vulnerability
DarkHotel hacker group, categorized as an advanced persistent threat (APT), has reportedly hacked a number of Chinese government agencies, including diplomatic offices abroad.
The attack was detected in late March by Qihoo 360, a Chinese security giant known for its antivirus software. According to Qihoo, the hackers exploited a flaw in the Sangfor SSL VPN servers. One of the largest VPN service providers in China, Sangfor VPNs are widely used in the country by large corporations and government agencies to connect remote workers to their networks.
The hackers cleverly exploited a zero-day vulnerability of Sangfor to gain access to some of the VPN servers, and replaced the software update executable file “SangforUD.exe” with their own fake version that is actually a backdoor malware. When users log in to the VPN service, the software update would get triggered, injecting a backdoor in their device.
More than 200 VPN servers were hacked in this attack, including those located in diplomatic offices in at least 20 countries. Experts at Qihoo suspected that the attack may be related to the COVID-19 pandemic, where the hackers could be looking for secretive information on the outbreak possibly hidden by the communist government.
Located in one of the Koreas (unsure of which), DarkHotel APT is one of the most capable hacker groups on the planet. The group exploited five vulnerabilities in 2019, and is already on its third in 2020.
3. Washington State becomes the first to legalize use of facial recognition technology
Despite how facial recognition technology has become one of the most debated innovations today, most governments around the world do not yet have laws regarding its usage.
The United States also has no federal laws on the use of facial recognition technology, but many local governments have introduced their own laws. So far, cities like San Francisco and Boston have completely banned the use of the technology. However, Washington State decided to head to the opposite direction, becoming the first state to pass a bill that legalizes facial recognition technology.
The bill was passed by the State House of Representatives on March 12, signed on March 31, and will go into effect starting next year. It allows the state and municipal governments to use facial recognition technology to identify missing and deceased people, subjects of Amber and silver alerts, as well as crime victims, for the purpose of enhancing public safety.
Nevertheless, many constraints are applied. Any government agency wishing to use the technology must file a notice of intent with a legislative body and produce an accountability report. The intention must not be based on the subject’s social, political, religious views, participation in lawful events, or other demographic characteristics including gender, race, and nationality.
4. Italian email provider Email.it hacked, 600,000 user data sold online
Email.it, an email provider based in Italy, had their web servers hacked by the NN Hacking Group. The incident was first discovered last Sunday when the hackers advertised on Twitter about selling the compromised data. Email.it confirmed the attack on Monday.
The data were available for sale on the dark web. The hackers organized the data into different files and sold them for a price of between 0.5 and 3 bitcoins (roughly $3,600 and $21,800, respectively). One of the files included the usernames and passwords, as well as other personal information of 600,000 users who signed up between 2007 and 2020, all compiled into a CSV file. Another file included the complete source codes of the web application, while another contained all the sent and received emails, as well as their attachments.
The hackers posted a statement on their website claiming that the attack was actually launched two years ago in January 2018. They also stated that shortly after the attack, they noticed Email.it about the vulnerability and asked for a ransom payment. The company refused to pay and did not notify its customers about the data breach.
Email.it did not contest the claims made by the hackers. However, they stated that they did contact the police immediately after they were made aware of the attack, and also added that no financial information was leaked.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Web Application Firewall for Cloud: WAPPLES SA
Database Encryption: D’Amo
Smart Car Security: AutoCrypt