Intel report warns Zoom could be vulnerable to foreign surveillance

DHS document urges government users to assess their risk.

April 28, 2020, 4:11 AM

The Zoom videoconferencing platform, so popular with people forced to stay home because of the coronavirus pandemic, could be vulnerable to intrusions by foreign government spy services, including China, according to a federal intelligence analysis obtained by ABC News. The analysis urges organizations to carefully consider the risk of continuing to work with the system.

The report was issued jointly by the Department of Homeland Security’s Cyber Mission and Counterintelligence Mission centers, and was distributed to law enforcement and government agencies around the country. It comes less than a month after the FBI’s Boston office warned that hackers were able to hijack or disrupt videoconferences in what has come to be known as “Zoom-bombing.”

Hackers “likely will identify new or use existing vulnerabilities in Zoom to compromise user devices and accounts for further exploitation of corporate networks,” the notice says. Even security fixes don’t eliminate the concerns, analysts said, because “the patching process is undermined by … actors who often capitalize on delays and develop exploits based on the vulnerability and available patches.”

A Zoom spokesperson told ABC News the company disagrees with the intelligence analysis and that it is “heavily misinformed, includes blatant inaccuracies about Zoom’s operations, and the authors themselves admit only ‘moderate confidence’ in their own reporting. We are disappointed the authors did not engage with Zoom to verify the accuracy of these claims and understand the real facts about Zoom.”

Regarding previously reported security issues, the company said, “We actively and quickly addressed specific security concerns as they were raised over the past few weeks.”

DHS intelligence experts noted the popularity of Zoom has skyrocketed, with the platform’s daily user base growing, according to company statistics, from 10 million a day to 200 million since December. In the last six weeks, government stay-home orders have forced learning, government and business operations to migrate from physical spaces to the internet.

“Zoom’s sudden immense growth and use across both public and private sector entities in combination with its highly publicized cybersecurity issues creates a vulnerable, target-rich environment,” the intelligence notice says. “Any organization currently using – or considering using – Zoom should evaluate the risk of its use.”

Among the specific concerns laid out by analysts is the risk posed by some development work for Zoom that is done in China. Because of China’s strict intelligence and intellectual property rules, “China’s access to Zoom servers makes Beijing uniquely positioned to target US public and private sector users,” according to the document. “China’s unique position does not prevent other nation-states from using Zoom vulnerabilities to achieve their objectives.”

And, analysts said, hackers could use Zoom’s system to deploy malware that could then make a third party’s computer system susceptible to a security breach.

The Zoom spokesperson said that the company “has layered safeguards, robust cybersecurity protection, and internal controls in place to prevent unauthorized access to data” and that its “developers in China do not have any access to Zoom’s production environment, the power or access to make substantive changes to our platform or the means to access any meeting content.”

The spokesperson said Zoom's systems are "designed to maintain geo-fencing around China ensuring that users outside of China do not have their meeting data routed through servers in China." Additionally, paid Zoom customers "are now able to further customize which data center regions their account can use for real-time meeting traffic," which allows them to "opt in or out of specific data center locations," the spokesperson said.

The spokesperson said that in addition to the use of cloud data centers globally, Zoom had 17 data centers “around the world,” but only one is in China. “All Zoom source code is stored and versioned in the United States,” the spokesperson said.

John Cohen, a former DHS acting undersecretary who used to oversee the department’s intelligence operations, said in general, “China, Russia and other hostile nations view the coronavirus as an opportunity to expand their intelligence-gathering efforts and they are actively targeting the private communications of those in government, the private sector, academia and others, who have increasingly turned to online communications.”

“Private conversations using online communications and video conferencing apps are vulnerable to being intercepted by criminals and foreign intelligence operatives,” said Cohen, a current ABC News contributor. “Securing these platforms must be a priority especially since they are being used more frequently during the current public health crisis.”