Paper 2021/486

Security Analysis of End-to-End Encryption for Zoom Meetings

Takanori Isobe and Ryoma Ito

Abstract

In the wake of the global COVID-19 pandemic, video conference systems have become essential for not only business purposes, but also private, academic, and educational uses. Among the various systems, Zoom is the most widely deployed video conference system. In October 2020, Zoom Video Communications rolled out their end-to-end encryption (E2EE) to protect conversations in a meeting from even insiders, namely, the service provider Zoom. In this study, we conduct thorough security evaluations of the E2EE of Zoom (version 2.3.1) by analyzing their cryptographic protocols. We discover several attacks more powerful than those expected by Zoom according to their whitepaper. Specifically, if insiders collude with meeting participants, they can impersonate any Zoom user in target meetings, whereas Zoom indicates that they can impersonate only the current meeting participants. Besides, even without relying on malicious participants, insiders can impersonate any Zoom user in target meetings though they cannot decrypt meeting streams. In addition, we demonstrate several impersonation attacks by meeting participants or insiders colluding with meeting participants. Although these attacks may be beyond the scope of the security claims made by Zoom or may be already mentioned in the whitepaper, we reveal the details of the attack procedures and their feasibility in the real-world setting and propose effective countermeasures in this paper. Our findings are not an immediate threat to the E2EE of Zoom; however, we believe that these security evaluations are of value for deeply understanding the security of E2EE of Zoom.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. IEEE Access
DOI
10.1109/ACCESS.2021.3091722
Keywords
ZoomEnd-to-End EncryptionImpersonation attacks
Contact author(s)
takanori isobe @ ai u-hyogo ac jp
itorym @ nict go jp
History
2021-06-21: revised
2021-04-16: received
See all versions
Short URL
https://ia.cr/2021/486
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2021/486,
      author = {Takanori Isobe and Ryoma Ito},
      title = {Security Analysis of End-to-End Encryption for Zoom Meetings},
      howpublished = {Cryptology {ePrint} Archive, Paper 2021/486},
      year = {2021},
      doi = {10.1109/ACCESS.2021.3091722},
      url = {https://eprint.iacr.org/2021/486}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.