
Zoom to roll out fresh cyber security updates

New features include support for AES 256-bit encryption in GCM mode

Zoom, the videoconferencing application that has captured the zeitgeist of 2020, has announced it will be rolling out a new version supporting advanced encryption to provide increased protection for its users.

The firm shot to prominence in March as millions of people around the world suddenly found they needed new ways to keep in touch with each other during the Covid-19 coronavirus pandemic.

However, its meteoric rise, from 10 million daily users at the end of 2019 to more than 200 million now, brought to light a litany of cyber security failings that have led many organisations to restrict its use or even ban it outright.

The next iteration of the product, Zoom 5.0, is due to be launched within the next week and will form a “key milestone” in the firm’s 90-day plan to identify, address and enhance the security and privacy capabilities of the service, said CEO Eric Yuan.

“We built our business by delivering happiness to our customers,” he said. “We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.”

At the core of the upgrade will be support for AES 256-bit encryption in GCM mode. AES, or Advanced Encryption Standard, is the block cipher that the US National Institute of Standards and Technology (NIST) selected in 2001 after a public competition; the winning design, Rijndael, came from the Belgian cryptographers Joan Daemen and Vincent Rijmen. It is now in use at organisations around the world that require the highest levels of data protection. GCM (Galois/Counter Mode) is the mode of operation that wraps the cipher: as well as encrypting, it produces an authentication tag over each message, so the receiver can tell whether the message was altered in transit.

The standard has a fixed 128-bit block size and three permitted key lengths: 128, 192 and 256 bits. The 256-bit key is the hardest to brute-force; according to Computer Weekly’s sister site WhatIs.com, an attacker would need a virtually unobtainable amount of computing power to guess it. Key length only bounds brute-force guessing, however; it says nothing about how well keys are managed or whether the mode of operation is used correctly, which is where practical weaknesses usually lie.

Zoom said using this standard would offer increased protection of meeting data in transit and resistance against tampering, providing assurances of confidentiality and integrity on Zoom meeting, video webinar and phone data. In practice the confidentiality comes from the AES-256 cipher and the integrity from GCM’s authentication tag: a message whose ciphertext or tag has been modified fails to decrypt, rather than decrypting to silently corrupted content.

Zoom 5.0 will also let account admins choose which datacentre regions their meetings use for real-time traffic, at the account, group or user level, easing concerns that some meeting traffic had been routed through servers in China.

Other new features and controls include options to report malicious users, waiting rooms enabled by default, definable password complexity settings, secure contact sharing for larger organisations, and dashboard enhancements that let admins see how their users are connecting to the service. More details of these changes can be read on Zoom’s website.

Commenting on the new release, Wayne Kurtzman, IDC research director for social, communities and collaboration, said: “When faced with questions over security and privacy, Zoom reacted quickly and very publicly to the challenges, including their CEO holding weekly public security briefings.

“Zoom was also quick to take actions on changing the defaults that helped address meeting privacy concerns, as well as setting a 90-day plan for deeper actions, and communicating it publicly.”


Cybereason CSO Sam Curry said he thought the backlash Zoom had received was, to some extent, overhyped and unfair.

“The security vulnerabilities, while certainly nothing to sneeze at, were much less severe than their competitors would actually admit,” said Curry.

“Hackers tend to gravitate towards actions that have widespread consequences, so inevitably, as Zoom’s user base grew, so too did the attention of hackers. Breaching Zoom now means possibly impacting 200 million people. Increased users lead to increased hacking activity, which will inevitably lead to the discovery of additional software flaws and vulnerabilities. There were then, and still are likely today, vulnerabilities that Zoom’s competitors are addressing and fixing on a regular basis.”

Curry added: “Overall, as the popularity of platforms such as Zoom grows, so will the threat of hacking. Security issues are not erased by migrating from Zoom to WebEx, it simply dresses the problem in a new outfit. If WebEx and Skype failed to actively combat the security flaws Zoom faced, they would likely fall victim to these hacks as well. It is to be hoped that the security community will pile on behind a company doing the right things as much as, or more than, the pile-on around the issues.”

But Jonathan Knudsen, senior security strategist at Synopsys, said that even with the adoption of a more advanced standard, questions still remained over Zoom’s commitment to true end-to-end encryption.

“For cyber security experts and privacy advocates, this means that information encrypted at one end of the conversation travels over the network and is decrypted at the other end of the conversation,” he said.

“Zoom’s interpretation of ‘end-to-end security’ does vary from this. While information is always encrypted in transit, it gets decrypted and encrypted again as it passes through Zoom’s meeting infrastructure.

“This means that a compromise of parts of Zoom’s infrastructure could give an attacker access to plaintext Zoom meeting content.

“In Zoom 5.0, the encryption algorithm has been strengthened, but this still does not change the fundamental architecture of Zoom, which does not fully implement end-to-end encryption.”
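To make concrete both the integrity claim made for AES-256-GCM earlier in the article and Knudsen’s architectural point, here is an added example written for this page, using only Go’s standard library. It is not Zoom’s code and does not describe Zoom’s actual protocol. It seals and opens messages with AES-256-GCM, shows that flipping a single ciphertext bit makes decryption fail rather than yield corrupted content, and then models two architectures with a hypothetical Relay type standing in for a meeting server: a hop-by-hop design, in which each participant shares a transport key only with the relay, so the relay decrypts and re-encrypts plaintext, and an end-to-end design, in which the sender first encrypts under a key shared only with the recipient. The Relay type, the key names and the sample message are all constructed for the example; a real system would derive keys through a key agreement rather than drawing them at random as done here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-GCM (a 32-byte key selects AES-256) under a fresh
// random 96-bit nonce and returns nonce || ciphertext || 16-byte tag.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal. It returns an error, never garbage, if the key is wrong
// or any byte of nonce, ciphertext or tag was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, fmt.Errorf("sealed message too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// TamperIsDetected seals msg, flips one bit of the ciphertext and reports
// whether open rejected the altered message (true means the tag check held).
func TamperIsDetected(msg []byte) (bool, error) {
	key := randomBytes(32)
	sealed := seal(key, msg)
	if pt, err := open(key, sealed); err != nil || !bytes.Equal(pt, msg) {
		return false, fmt.Errorf("untampered message failed to open: %v", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-17] ^= 0x01 // byte just before the tag: last ciphertext byte of a non-empty msg
	_, err := open(key, tampered)
	return err != nil, nil
}

// Relay is a hypothetical stand-in for the meeting server. It shares one transport
// key with each participant; Observed records what it saw after stripping that layer.
type Relay struct {
	keyA, keyB []byte
	Observed   [][]byte
}

func NewRelay() *Relay { return &Relay{keyA: randomBytes(32), keyB: randomBytes(32)} }

// forward is the server hop: strip A's transport encryption, record the
// payload, re-encrypt it for B. Whether that payload is plaintext is up to A.
func (r *Relay) forward(fromA []byte) []byte {
	payload, err := open(r.keyA, fromA)
	if err != nil {
		panic(err) // cannot happen in this model: the relay holds keyA
	}
	r.Observed = append(r.Observed, payload)
	return seal(r.keyB, payload)
}

// HopByHop: A encrypts only for the relay, so the relay handles plaintext.
func HopByHop(r *Relay, msg []byte) ([]byte, error) {
	return open(r.keyB, r.forward(seal(r.keyA, msg)))
}

// EndToEnd: A first seals msg under keyAB, shared with B but unknown to the
// relay, then wraps that in the transport layer. The relay still decrypts the
// outer layer exactly as before, but what it records is the inner ciphertext.
func EndToEnd(r *Relay, keyAB, msg []byte) ([]byte, error) {
	inner, err := open(r.keyB, r.forward(seal(r.keyA, seal(keyAB, msg))))
	if err != nil {
		return nil, err
	}
	return open(keyAB, inner)
}
```

Calling HopByHop and EndToEnd with the same message shows the difference the quote describes: the hop-by-hop relay’s Observed entry is the message itself, while the end-to-end relay’s entry is ciphertext that none of the relay’s own keys can open. Both designs are “encrypted in transit”; only the second keeps the content from the infrastructure in the middle, and even that does not hide metadata such as who is talking to whom and when.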
