Zoom to hit 90-day security fix promise – but will it be enough?
- It set out to overhaul its approach to encryption within 90 days
- As it meets that target, has the platform done enough to allay concerns?
Social isolation measures around the world have pushed much of our communication onto videoconferencing, and it is fortunate that consumer communication technology has matured to the point where multi-person video and audio calls are now well supported.
Over the past two months many people used Zoom for the first time; Zoom's publicly listed value has shot up and its user numbers have skyrocketed from 10 million to over 200 million in less than three months.
However, the heavy usage exposed security flaws in the overnight-popular app, and the Zoom CEO Eric Yuan was forced to issue an apology as ‘Zoom bombings’ became a familiar media phrase of this COVID-19 period. The Zoom team also promised to fix the gaping security flaws within 90 days.
The most recent reports indicated that Zoom was upgrading its encryption technology to better protect private meeting data and guard against Zoom bombing-type mischief, bringing it more in line with trusted enterprise-leaning conferencing platforms such as Google Meet and the BlueJeans Network, which was recently acquired by Verizon's Business division.
The newest version, Zoom 5.0, will be released this week and claims to have fixed security bugs and strengthened the app's end-to-end encryption algorithm – one of the main sources of security and privacy concern. As Jonathan Knudsen, senior security strategist at Synopsys, said: “Much of the controversy swirling around Zoom security has to do with the claim of end-to-end security.”
Zoom’s chief product officer Oded Gal says that the 5.0 update’s encryption protocols “raise the bar securing our users’ data in transit” while also introducing a host of front-end security features that allow meeting hosts to control who can access private meeting rooms, and how they can do so.
However, security experts including Knudsen say that Zoom's interpretation of “end-to-end encryption” differs from the accepted industry definition. Cybersecurity observers hold that, properly defined, information encrypted at one endpoint is decrypted only at the other endpoint, after being transmitted over the network.
Under Zoom's definition, data is encrypted in transit but is decrypted, and then re-encrypted, as it passes through Zoom's network infrastructure. This means that, in theory, an attacker who compromised part of Zoom's network could gain access to private meeting data there.
While this is in theory still a system vulnerability, Knudsen told Metro that it is a considerable improvement over previous iterations of the service. “In Zoom 5.0, the encryption algorithm has been strengthened, but this still does not change the fundamental architecture of Zoom, which does not fully implement end-to-end encryption,” he said.
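The following is an added illustration, not Zoom's code or a description of its actual protocol, of the difference the article is drawing: a hop-by-hop "encrypted in transit" relay that must decrypt and re-encrypt each stream, beside a true end-to-end design where the relay only forwards opaque bytes. The cipher is a deliberately simple HMAC-SHA256 keystream so the example runs with the Python standard library alone; the keys, nonce and message are constructed for the example.

```python
import hashlib
import hmac
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher (illustration only, not a production design):
    XOR data with successive HMAC-SHA256(key, nonce || counter) blocks.
    Because it is XOR-based, the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Relay:
    """The meeting server in the middle. `observed` records what someone who had
    compromised this server would be able to read off it."""

    def __init__(self) -> None:
        self.observed = []

    def forward_hop_by_hop(self, a_key, b_key, nonce, ct_from_a):
        # "Encrypted in transit": the server holds a separate key for each hop,
        # so it decrypts A's stream and re-encrypts it for B. Plaintext exists here.
        plaintext = keystream_xor(a_key, nonce, ct_from_a)
        self.observed.append(plaintext)
        return keystream_xor(b_key, nonce, plaintext)

    def forward_end_to_end(self, ct_from_a):
        # End-to-end: the server never holds the meeting key; it forwards opaque bytes.
        self.observed.append(ct_from_a)
        return ct_from_a


def simulate(message: bytes) -> dict:
    """Run one message through both architectures and report what the relay saw
    and what participant B decrypted. Keys and nonce are constructed at random."""
    nonce = secrets.token_bytes(16)
    # Hop-by-hop: A and B each share a key with the server, not with each other.
    a_server, b_server = secrets.token_bytes(32), secrets.token_bytes(32)
    relay = Relay()
    to_b = relay.forward_hop_by_hop(a_server, b_server, nonce, keystream_xor(a_server, nonce, message))
    hbh = {"relay_sees": relay.observed[-1], "b_reads": keystream_xor(b_server, nonce, to_b)}
    # End-to-end: A and B share a meeting key that the server never receives.
    meeting_key = secrets.token_bytes(32)
    to_b = relay.forward_end_to_end(keystream_xor(meeting_key, nonce, message))
    e2e = {"relay_sees": relay.observed[-1], "b_reads": keystream_xor(meeting_key, nonce, to_b)}
    return {"hop_by_hop": hbh, "end_to_end": e2e}
```

In the hop-by-hop case `relay_sees` equals the message, which is exactly the exposure the article describes; in the end-to-end case B still reads the message but the relay only ever held ciphertext.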
“At the same time, given the recent intense scrutiny of Zoom’s infrastructure, the new changes in version 5.0 represent a renewed commitment to helping users safeguard confidentiality,” he continued. “For many of us [security specialists], the risk of an adversary powerful enough to compromise Zoom’s infrastructure and intercept meeting content is low.”
Still, the burgeoning popularity of platforms like Zoom will certainly attract the attention of hackers, and there are bound to be security concerns for any service that scales its business rapidly while also handling personal data.