How Safe Is Zoom Really?
Updated: Jul 28
With the lockdown in full swing, chances are you'll have heard of Zoom, the video conferencing platform whose following keeps growing now that everyone is staying at home. As its popularity has skyrocketed, with more than 300 million people a day using the platform, more and more has been said about the security problems that the application can bring. Is Zoom really that safe?
The success of the business has prompted giants of social media, such as Facebook, to allow similarly high volumes of people onto Messenger, with up to 50 people now able to join a Messenger video chat. Age-old favourite Skype also raised its limit from 25 people to 50, in a bid to compete and move with the times.
The Citizen Lab, a digital comms lab based at the University of Toronto, was one of the first major proponents of the view that Zoom isn't as safe as it suggests. The Citizen Lab uncovered that some of the security keys that allow for the encrypted calling were being sent to China. In response, Zoom came out and said that this was a mistake and that traffic wasn't being routed through China at all. However, another twist in the tale emerged when Taiwan, a country not recognised by China, announced that it would be banning the usage of products such as Zoom where associated security risks had emerged.
The main problem with the encryption specifically is that it's not the usual end-to-end encryption that the likes of WhatsApp use. Zoom's encryption isn't end-to-end and is instead based on transport encryption. Cyware explains the difference between the two as follows: "With end-to-end encryption, a plaintext message that you sent gets encrypted at your end and gets decrypted only after reaching the recipient's device. However, in TLS, a plaintext message gets encrypted at your end and decrypted at the server. The message further gets encrypted depending on whether or not the recipient is also using TLS." The problem with TLS, or transport encryption, is that the message is decrypted on a server, and in this case, Zoom's keys were being decrypted at servers in China, which is where the problems seem to lie.
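The difference Cyware describes can be shown by modelling the server in the middle and recording what it is able to read. This is an added example, not code from the original article or from Zoom: the cipher is a stand-in built from SHA-256 and HMAC rather than real TLS or AES, and `RelayServer`, `alice`, `bob`, the shared end-to-end key and the sample message are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for TLS/AES, illustration only: SHA-256 counter keystream + HMAC tag.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _tag(key, data):
    return hmac.new(hashlib.sha256(b"mac" + key).digest(), data, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + _tag(key, nonce + body)

def unseal(key, blob):
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce + body)):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class RelayServer:
    """Constructed model of a meeting server: one transport key per client link."""
    def __init__(self, link_keys):
        self.link_keys = link_keys
        self.seen = []          # everything the server was able to read

    def relay(self, sender, recipient, blob):
        payload = unseal(self.link_keys[sender], blob)   # transport encryption ends here
        self.seen.append(payload)
        return seal(self.link_keys[recipient], payload)  # re-encrypted for the next hop

def send_transport_only(server, links, msg):
    wire = server.relay("alice", "bob", seal(links["alice"], msg))
    return unseal(links["bob"], wire)

def send_end_to_end(server, links, e2e_key, msg):
    inner = seal(e2e_key, msg)  # encrypted on the sender's device first
    wire = server.relay("alice", "bob", seal(links["alice"], inner))
    return unseal(e2e_key, unseal(links["bob"], wire))

def demo(msg=b"quarterly figures"):
    links = {"alice": os.urandom(32), "bob": os.urandom(32)}
    e2e_key = os.urandom(32)    # assumption: known to the two endpoints only
    s1, s2 = RelayServer(links), RelayServer(links)
    return (send_transport_only(s1, links, msg), s1.seen[0],
            send_end_to_end(s2, links, e2e_key, msg), s2.seen[0])
```

In both runs the recipient gets the message, but only in the transport-only run does the server's `seen` list hold it in plaintext; whoever controls that server, or the keys on it, can read the call.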
It's little surprise that Zoom has attracted the attention of governments worldwide, including the British one, especially given its meteoric rise in popularity. As a result of this popularity, however, The Citizen Lab stated that Zoom could become a "high priority target for signals intelligence gathering and targeted intrusion operations". The reason for this is that Zoom owns three firms in China that work on the software development side of the application and are likely to be more susceptible to influence from the Chinese state, whilst Zoom itself is actually based in Silicon Valley. Such security issues have meant that the platform has been banned by the likes of Google, Siemens and even the Australian Military.
There's an argument circulating round the Internet at the moment that many of Zoom's security vulnerabilities are the result of people failing to do even the most basic of things to protect themselves on the application. This can range from failing to password-protect their account to posting their own room ID online, meaning that all this 'Zoom-bombing' isn't really Zoom's fault. Instead, it's the people leaking their own room ID who are leaving themselves vulnerable to it. The most high-profile case of this, although the call was left unscathed, was when Prime Minister Boris Johnson hosted a Cabinet meeting on Zoom and tweeted a picture from the meeting that included the room ID for all to see. By the time he'd posted this, the meeting had concluded, meaning no 'Zoom-bombing' could occur, but if that hadn't been the case, a government meeting could've been interrupted by anyone from anywhere.
To give the Silicon Valley firm some credit, however, it did recently announce a whole host of security fixes and changes to the internals of the application in a bid to make it a lot more robust. These include a move to a stronger level of encryption, from AES 128 to AES 256, as well as changing the length of IDs to 11 digits for added complexity. Most notable on this front, however, is the move of the meeting ID and invite option to a separate menu as opposed to the main screen, which in turn makes it more difficult for any user to accidentally share their meeting ID with the world.
As a platform, Zoom seems to be a dubious one. It was never designed to be a platform for those big quiz nights or coffee mornings between friends, having been developed first and foremost as a video conferencing application for businesses. This means that some of the issues it is having can really be forgiven, as no one expected a global pandemic a few months into a new decade. It's only a good thing that the security side of the application is being developed in line with people's expectations, and it's now up to Zoom to keep the updates and fixes rolling out to make the app as safe as houses whilst we're all staying in.