How safe is Zoom? The role of end-to-end encryption

How safe is Zoom? The role of end-to-end encryption

posted in Backup & Recovery ● 27 Apr 2020

The video conferencing platform Zoom has come under increasing scrutiny for data security and privacy vulnerabilities despite its recent, rapid surge in popularity.

Since a third of the global population first went into lockdown, daily users of the service have shot up from 10 million to 300 million.

However, this heavy usage exposed gaping security flaws in the app.

Zoom bombings has become a familiar media phrase as uninvited guests crash meetings.

Virtual services in London synagogues were targets for far-right groups, while there have been reports of remote classrooms all around the world being interrupted by racial abuse and pornographic images.

Eric Yuan, Zoom’s CEO, was forced to issue an apology following these more high-profile incidents.

Zoom also promised to overhaul its approach to encryption with the aim of better protecting private meeting data.

End-to-end encryption is widely understood as the most private form of internet communication, protecting conversations from all outside parties.

In fact, Zoom’s own definition of the term has allowed them access to unencrypted video and audio from meetings.

A policy, later updated, seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

The release this week of the newest version of the platform, Zoom 5.0, claims to have fixed security bug issues and strengthened the app’s end-to-end encryption algorithm – one of the main sources of security and privacy concern.

So has Zoom done enough to allay concerns?

Chief product officer Oded Gal says that the update’s encryption protocols “raise the bar securing our users’ data in transit” while also introducing a host of front-end security features that allow meeting hosts to control who can access private meeting rooms, and how they can do so.

However, security experts insist that the way Zoom interprets “end-to-end encryption” is still at odds with standard industry opinion.

Cybersecurity observers maintain that the true definition should be reserved for when information is encrypted at one endpoint and decrypted at the other end, after being transmitted over the network.

Zoom, though, claims it is enough that data is encrypted in transit, gets decrypted, and then re-encrypted while passing through Zoom’s network infrastructure.

In theory, this provides a cyberattacker with a chance to compromise part of Zoom’s network and gain access to private data in that way.

Jonathan Knudsen, senior security strategist at Synopsys, confirms that the strengthening of the encryption algorithm in Zoom 5.0 is a significant improvement on previous iterations of the service.

However, he warned: “This still does not change the fundamental architecture of Zoom, which does not fully implement end-to-end encryption.”

For a Zoom meeting to be end-to-end encrypted under Knudsen’s criteria, the video and audio content would need to be encrypted in such a way that only the participants in the meeting have the capability to decrypt it.

The Zoom service itself might have access to encrypted meeting content, but wouldn’t have the encryption keys required to decrypt it.

Only meeting participants would have these keys and therefore, would not have the technical ability to listen in on private meetings.

End-to-end encryption for data on laptops

The issue of end-to-end encryption is just as pertinent when it comes to protecting the data on the laptops of a growing number of home-workers.

To ensure the complete safety of data, organisations need backups to be encrypted at source, in transit and at rest.

Best practice dictates that the individual blocks making up an organisation’s data should be compressed and encrypted using the 256-bit AES in Galois Counter Mode (GCM) before they are transferred from laptops or servers to the provider’s storage platform.

As well as verifying the integrity of each block of data before it is stored for the first time, and using TLS to authenticate all data transfers, it is recommended that the encryption key is only ever available to the data owner.

No encryption keys should be stored by or even visible to anyone at the business that is providing the backup and recovery service.

This prevents anyone other than an authorised data administrator from accessing backed-up data.

WhatsApp raises limit on group calls

WhatsApp may be about to capitalise on the bad publicity that Zoom has received recently by improving its video-calling capabilities.

With most people stuck at home, missing friends and family, the limit of guests on WhatsApp group calls has now been raised from four to eight.

POPIA makes SA CEOs more accountable

Following a three-month delay due to coronavirus – and more than seven years after its enactment – the Protection of Personal Information (POPI) Act has finally come into force. 

Continue reading

Six reasons why you need Microsoft Teams backup

The huge uptake in Microsoft’s Teams app is yet another indication that we have changed the way we work – maybe forever.

Continue reading

Protecting G Suite data - who's responsible?

As millions of people work from home to reduce the spread of coronavirus, the adoption of cloud computing, productivity and collaboration tools such as G Suite continues to grow at a pace.

Continue reading