It has been reported that Zoom is upgrading the encryption features on its video conferencing app to better safeguard meeting data and offer protection against tampering. The new version of the app, Zoom 5.0, will release within the week, the company said in a statement. Zoom, which has soared to 200 million daily users from 10 million in less than three months, had faced backlash from users after security researchers found bugs in its code and after the company failed to disclose that its service was not end-to-end encrypted. The app’s issues, including “Zoombombing” incidents where uninvited guests crash meetings, led several companies, schools and governments to stop using the platform.
Congratulations to Zoom for hitting their 90-day security goals, and as an industry we look forward to watching their future success and growth. Overall, the backlash facing Zoom over the past few weeks was overhyped and unfair in many regards, because the security vulnerabilities, while certainly nothing to sneeze at, were much less severe than their competitors would actually admit.
Look, hackers tend to gravitate towards actions that have widespread consequences. So inevitably, as Zoom’s user base grew, so too did the attention of hackers. Breaching Zoom now means possibly impacting 200 million people as opposed to the 10 million users the platform notched prior to the massive migration of workers to remote/home offices due to COVID-19. Increased users lead to increased hacking activity, which will inevitably lead to the discovery of additional software flaws and vulnerabilities. There were then and still likely today are vulnerabilities that Zoom’s competitors are addressing and fixing on a regular basis.
Overall, as the popularity of platforms such as Zoom grows, so will the threat of hacking. Security issues are not erased by migrating from Zoom to WebEx, it simply dresses the problem in a new “outfit.” If WebEx and Skype failed to actively combat the security flaws Zoom faced, they would likely fall victim to these hacks as well. It’s to be hoped that the security community will pile-on behind a company doing the right things as much or more than the pile-on around the issues.
Much of the controversy swirling around Zoom security has to do with the claim of “end-to-end security.” For cybersecurity experts and privacy advocates, this means that information encrypted at one end of the conversation travels over the network and is decrypted at the other end of the conversation. Zoom’s interpretation of “end-to-end security” does vary from this; while information is always encrypted in transit, it gets decrypted and encrypted again as it passes through Zoom’s meeting infrastructure. This means that a compromise of parts of Zoom’s infrastructure could give an attacker access to plaintext Zoom meeting content.
In Zoom 5.0, the encryption algorithm has been strengthened, but this still does not change the fundamental architecture of Zoom, which does not fully implement end-to-end encryption. At the same time, given the recent intense scrutiny of Zoom’s infrastructure, the new changes in version 5.0 represent a renewed commitment to helping users safeguard confidentiality. For many of us, the risk of an adversary powerful enough to compromise Zoom’s infrastructure and intercept meeting content is low.
For the most part, you can configure a reasonable degree of confidentiality by using a meeting password, monitoring participants, locking meetings after they start, and managing recordings carefully. On the other hand, if you are a government, or a defence contractor, or a research lab, or any other type of organisation with sensitive, high-value information, then end-to-end encryption could be critically important. These types of organisations need to be cognizant of the features and architecture of their communication infrastructure, including their online meeting platform.
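The distinction drawn above, between traffic that is encrypted only in transit and re-encrypted at the meeting server and traffic that is encrypted end-to-end, is easy to see in a small model. The following is an added illustration and is not Zoom’s code or protocol: it uses an illustrative stream cipher (a SHA-256 keystream with an HMAC tag, chosen so the example runs on the standard library alone; it is not a substitute for a real AEAD) and a `Relay` class standing in for the meeting infrastructure. In the transit-only model the relay holds both clients’ keys and therefore records plaintext; in the end-to-end model it holds no key and records only ciphertext. The tag also shows the “protection against tampering” the article mentions: a flipped ciphertext bit is rejected instead of decrypting to corrupted content.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative PRF-based keystream (counter mode over SHA-256); assumption, not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("message was tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """Stand-in for the meeting server (hypothetical); records whatever it can read."""

    def __init__(self) -> None:
        self.observed: list = []

    def forward_transit_only(self, blob: bytes, key_in: bytes, key_out: bytes) -> bytes:
        # Hop-by-hop model: the server holds both hop keys, so it sees plaintext
        # while re-encrypting for the next hop.
        plaintext = decrypt(key_in, blob)
        self.observed.append(plaintext)
        return encrypt(key_out, plaintext)

    def forward_e2e(self, blob: bytes) -> bytes:
        # End-to-end model: the server has no key and only ever sees ciphertext.
        self.observed.append(blob)
        return blob


def run_transit_only(message: bytes):
    """Alice -> relay -> Bob with per-hop keys; returns (what Bob read, what the relay saw)."""
    k_alice, k_bob = os.urandom(32), os.urandom(32)
    relay = Relay()
    received = decrypt(k_bob, relay.forward_transit_only(encrypt(k_alice, message), k_alice, k_bob))
    return received, relay.observed


def run_e2e(message: bytes):
    """Alice -> relay -> Bob with one meeting key the relay never learns."""
    k_meeting = os.urandom(32)  # constructed: shared between participants only
    relay = Relay()
    received = decrypt(k_meeting, relay.forward_e2e(encrypt(k_meeting, message)))
    return received, relay.observed


def tamper_detected(message: bytes) -> bool:
    """Flip one ciphertext bit in transit and report whether the receiver rejects it."""
    key = os.urandom(32)
    blob = bytearray(encrypt(key, message))
    blob[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    sample = b"constructed meeting content"
    _, seen = run_transit_only(sample)
    print("transit-only relay saw plaintext:", seen[0] == sample)
    _, seen = run_e2e(sample)
    print("e2e relay saw plaintext:", seen[0] == sample)
    print("tampering detected:", tamper_detected(sample))
```

The point of the model is the compromise scenario in the text: in the transit-only case an attacker who controls the relay gets `relay.observed` in the clear, whereas in the end-to-end case the same compromise yields only ciphertext, so the decision between the two architectures is a decision about whether the infrastructure operator is inside or outside the trust boundary.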