The confinement declared as an exceptional measure to stop the spread of the COVID-19 has forced millions of people in businesses, schools and households to interact virtually. Pushed to use group video calling apps for work, classes, or simply to be in touch with family and friends; users were faced with the daunting challenge of choosing which app to use.
Typically, the prevailing criterion for choosing one has been popularity or cost, without considering security or privacy. After all, if it’s free and “everyone uses it”, why bother? For better or worse, the most popular app among the public turned out to be Zoom. Weeks after the beginning of the quarantine, it is still at the top of the list of the most downloaded free apps for both iOS and Android, with the staggering figure of 300 million daily users.
As is well known, the more popular a program or application becomes, the more it attracts cybercriminals. Perhaps even Zoom itself couldn’t imagine its overwhelming success, or maybe they didn’t take security seriously from the beginning, but the truth is that they didn’t come prepared.
The Three Big Blows to Zoom Security
Among the many security and privacy issues and scandals, three were particularly significant:
- Zoombombing: This attack consists of breaking into a Zoom room and sharing the screen while showing images of extreme violence, pornography or any other form of trolling. Zoombombing became popular in schools and universities, forcing teachers to suspend classes. Many educational institutions went so far as to ban Zoom, replacing it with other applications. Zoom learned its hard lesson and implemented numerous measures to combat zoombombing: mandatory passwords, session locking, removal of participants, restricted screen sharing and chat functions, a more visible security icon, etc. They also published a guide called Best Practices for Securing Your Virtual Classroom.
- Data sharing with Facebook: Like many other apps, Zoom on iOS used a Facebook SDK to allow its users to log in through their Facebook account. This is called social login. This SDK collects some data about users, such as the device model, app version, or telephone operator, and sends it to Facebook servers, even if the user does not have a Facebook account and therefore does not use it to log in. It is not known how Facebook uses this information, but in response to numerous complaints, Zoom removed the Facebook SDK completely.
- False claims about secure end-to-end encryption: Zoom claimed on their website to be using end-to-end encryption on their connections. But it turned out that they were actually using TLS encryption to encrypt communications between clients and servers, which means that Zoom’s servers have access to all video calls. The company had no choice but to retract its statement: “In light of recent interest in our encryption practices, we want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption”.
90-day Security Plan
With the aim of restoring their image and user base, on April 1st Zoom surprised everyone by announcing a 90-day security plan. As part of this plan, on April 8th Zoom created a security board including some very prominent CISOs. On the same day, they hired Stanford’s well-known cybersecurity expert Alex Stamos, a former CISO of Facebook, as a security advisor to review the platform.
On April 27th, Zoom 5.0 was released, with support for AES 256-bit GCM encryption. But (and this is a huge “but”) the encryption keys for each meeting are generated by Zoom’s servers. In other words, a cybercriminal can’t spy on a conversation between two users, but Zoom could if it wanted to, because the server that issued the meeting key also holds it.
In contrast, other services such as FaceTime, Signal or WhatsApp do use true end-to-end encryption: no one but the users at either end of the communication can view its content, because they generate the encryption keys themselves and the server only relays ciphertext. As a result, neither cybercriminals nor the service provider’s servers can spy on the conversations.
Without end-to-end encryption, Zoom could be forced to turn over meeting records to a government in response to legal requests. These requests are made all the time around the world. In fact, companies such as Apple, Google, Facebook and Microsoft publish transparency reports detailing how many user data requests they receive, from which countries and how many of them they grant. However, Zoom does not publish such transparency reports.
The Keybase End-to-end Encryption That Zoom Seeks for Its Video Calls
On paper, end-to-end encryption seems simple: clients generate the temporary session keys and exchange them using the recipient’s public key. Unfortunately, generating and managing all these keys to provide scalable end-to-end encryption for high-quality video calls with dozens of participants and over 300 million users connecting daily to your servers is a huge technological challenge. That’s why Zoom turned to Keybase.
On May 7th, Zoom bought Keybase.io, a messaging and file transfer company with end-to-end cryptographic protection, for an undisclosed amount. With this help, Zoom aims to provide an end-to-end encrypted meeting mode. However, this will only be available for paid accounts.
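The contrast drawn above (Zoom 5.0’s server-generated meeting keys versus clients generating their own keys, and the “on paper it seems simple” sketch of client-side key exchange) can be made concrete in a few dozen lines. The following is an added example written for this post, not code from Zoom or Keybase; it is in Go, the language Keybase is written in, and uses only the standard library. It assumes the simplest case, a two-party meeting: in `ServerKeyedMeeting` the relay mints the AES-256-GCM key and keeps a copy, so it can open every frame; in `E2EMeeting` each client generates an X25519 key pair, the relay only forwards public keys and ciphertext, and the session key is derived on each side from the ECDH secret (SHA-256 over the secret stands in for a real KDF such as HKDF). The function names, the `frame` input and the relay’s “guess” are all constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// aesGCM builds an AES-256-GCM AEAD from a 32-byte key.
func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one media frame; the random nonce is prepended to the output.
func seal(key, frame []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, frame, nil), nil
}

// open reverses seal. GCM's authentication tag makes a wrong key fail with
// an error instead of silently returning garbage.
func open(key, blob []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// ServerKeyedMeeting models server-generated keys: the relay mints the
// per-meeting key and hands a copy to each client. The wire is protected,
// but the relay kept the key. Returns whether the relay read Alice's frame.
func ServerKeyedMeeting(frame []byte) (bool, error) {
	meetingKey := make([]byte, 32)
	if _, err := rand.Read(meetingKey); err != nil {
		return false, err
	}
	aliceKey := append([]byte(nil), meetingKey...) // copy delivered to Alice
	serverCopy := meetingKey                        // copy the relay keeps
	blob, err := seal(aliceKey, frame)
	if err != nil {
		return false, err
	}
	got, err := open(serverCopy, blob)
	if err != nil {
		return false, nil // relay could not read it
	}
	return bytes.Equal(got, frame), nil
}

// E2EMeeting models client-generated keys: Alice and Bob each create an
// X25519 key pair, the relay forwards only public keys and ciphertext, and
// each side derives the session key from the ECDH secret. Returns Bob's
// decrypted frame and whether the relay could read it from what it saw.
func E2EMeeting(frame []byte) (decrypted []byte, relayCanRead bool, err error) {
	curve := ecdh.X25519()
	alicePriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	bobPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	// Everything the relay ever sees: two public keys and one ciphertext.
	alicePubWire, bobPubWire := alicePriv.PublicKey().Bytes(), bobPriv.PublicKey().Bytes()
	bobPub, err := curve.NewPublicKey(bobPubWire)
	if err != nil {
		return nil, false, err
	}
	alicePub, err := curve.NewPublicKey(alicePubWire)
	if err != nil {
		return nil, false, err
	}
	aliceSecret, err := alicePriv.ECDH(bobPub)
	if err != nil {
		return nil, false, err
	}
	bobSecret, err := bobPriv.ECDH(alicePub)
	if err != nil {
		return nil, false, err
	}
	aliceKey, bobKey := sha256.Sum256(aliceSecret), sha256.Sum256(bobSecret) // stand-in KDF
	blob, err := seal(aliceKey[:], frame)
	if err != nil {
		return nil, false, err
	}
	if decrypted, err = open(bobKey[:], blob); err != nil {
		return nil, false, err
	}
	// The relay holds no private key; a key derived from the public values it
	// did see is rejected by the GCM tag.
	guess := sha256.Sum256(append(alicePubWire, bobPubWire...))
	_, guessErr := open(guess[:], blob)
	return decrypted, guessErr == nil, nil
}

func main() {
	frame := []byte("constructed sample video frame") // constructed input
	serverRead, _ := ServerKeyedMeeting(frame)
	fmt.Println("server-generated key: relay can read frame =", serverRead)
	got, relayRead, _ := E2EMeeting(frame)
	fmt.Printf("client-generated keys: Bob reads %q, relay can read = %v\n", got, relayRead)
}
```

The second scenario is exactly the “simple on paper” case: two parties, one key agreement, one key. What the post says Zoom needed Keybase for, distributing and rotating keys among dozens of participants who join and leave mid-call, at the scale of hundreds of millions of daily users, is the part this example deliberately leaves out, and Zoom’s actual design is not described on this page.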
Furthermore, as they state:
- They will continue to work with users to improve the feedback mechanisms available to meeting hosts in order to report unwelcome and problematic attendees.
- Zoom does not and will not proactively monitor meeting content, but its security team will continue to use automated tools to search for evidence of abusive users on the basis of other available data.
- Zoom has not and will not develop a mechanism to decrypt live meetings for lawful interception purposes.
- Nor does Zoom have a means of including their employees or other users in meetings without them being shown in the list of participants. They will not build any cryptographic backdoors to allow secret surveillance of the meetings.
In short, Zoom is committed to remaining transparent and open while developing their end-to-end encryption solution. As a matter of fact, Zoom plans to release a draft detailing the cryptographic design by Friday, May 22nd.
How Zoom Is Seen after the Purchase of Keybase
Zoom’s reaction was admirable. Far from denying the criticism or suing the researchers who found its vulnerabilities, Zoom’s answer has been an ambitious 90-day security plan whose Holy Grail will be the end-to-end encryption provided by Keybase.
Zoom made some bad security decisions in the past but seems clearly determined to become the most powerful and secure video calling app on the market. They are showing how self-criticism and transparency help to emerge strengthened from a serious security crisis.