Zoom 5 Moves Toward Security

Zoom has become quite popular, had some security issues early on, and now has addressed those in release #5. The following article has summarized the improvements.

Jim Hamm

Comment from John R Carter Sr:

It should be noted that Mac Users should NEVER accept an update for the Zoom client from ANY source other than zoom.us. A bug was found last April that allowed third-party pranksters to take control of a Mac computer by installing a bogus Zoom app.

Zoom developers have made their service more secure. We review what’s changed.

Technologies can develop very rapidly, especially those in the spotlight. One such case is Zoom, whose developers have, as promised, given the app a data-protection makeover. As a result, version 5.0 has changed a lot from pre-coronavirus Zoom.

The change in security focus quickly bore fruit. Previously, large companies and institutions turned their noses up at Zoom, but it now has the seal of approval of New York’s attorney general and is back in NYC schools, and version 5 brings with it some useful features.

Conveniently located security settings

Starting with Zoom 5, all settings for managing conference participants appear in one place. Security does not have to come at the expense of convenience.

Here you can restrict user rights, block access to meetings to keep out uninvited guests, add watermarks to screenshots and audio recordings in case someone decides to publish them, and so on. Click on the shield icon in the conference menu to open the security settings.

Anti-troll protection

A number of new settings stop invasions by anonymous trolls. First, passwords and the Waiting Room feature, which requires a host’s permission to join a conference, are now enabled by default. Second, you can now prevent participants from renaming themselves.

Owners of paid accounts can also require members to supply information about themselves: name, e-mail address, and the like. And with a business account, you can block unauthorized users, or users with a certain kind of e-mail domain (for example, a public one instead of a corporate one), from connecting.

Data routing

Zoom’s approach to data routing has also changed. Now your video call will not be routed by mistake to a Chinese or other foreign server. If for some reason the conversation has to remain inside your home country, then you have nothing to worry about: Free conferences will stay in the domestic region, and paid subscribers, as of April 18, can choose which countries their information goes through.

In addition, all conference participants can now see which data center they are connected to by clicking the “i” icon in the upper left corner of the screen. So, if your data is routed somewhere else, you can find out about it and complain to the developer.

Screen sharing security

The old Zoom always showed previews of chat messages in notifications. That could lead to an awkward situation if, say, someone wrote you a personal message during screen sharing. Now, during free conferences the service does not display notifications at all and does not show chat when screen sharing, even if it is open.

Updated encryption

The developers have upgraded the encryption algorithm as well. First, Zoom now uses longer (and hence stronger) encryption keys. Second, the integrity of transmitted data is now checked — a protection measure against intruders who might corrupt or alter an encrypted message without deciphering it.

If you like such esoteric details (and who doesn’t?), you’ll be interested to learn that Galois/Counter Mode now handles the integrity check. In addition to being more secure, GCM is considered less demanding on resources, so better encryption doesn’t mean sacrificing computer performance.
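To make the integrity-check point concrete, here is an added Go example (not Zoom's code and not from the original article) that seals a message with AES-GCM and shows that a single flipped ciphertext bit is rejected, while the same flip applied to an unauthenticated mode (plain AES-CTR, used here only as the contrast case) silently comes back as altered plaintext. The 32-byte key and fixed nonce are constructed demo values; the 256-bit key size is an assumption standing in for the article's "longer keys".

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo key (32 bytes, so AES-256) and 12-byte nonce. Real code draws
// both from crypto/rand and never reuses a nonce under the same key.
var demoKey = bytes.Repeat([]byte{0x42}, 32)
var demoNonce = []byte("zoom5-nonce!")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM returns the ciphertext followed by GCM's 16-byte authentication tag.
func SealGCM(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// OpenGCM verifies the tag before releasing any plaintext, so a message altered
// in transit comes back as an error rather than as corrupted text.
func OpenGCM(key, nonce, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, nil)
}

// CTRXOR is plain AES-CTR with no tag (one call both encrypts and decrypts): the
// contrast case, where a flipped ciphertext bit silently becomes a flipped plaintext bit.
func CTRXOR(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}
```

Feed OpenGCM a copy of the sealed bytes with one bit inverted and it returns an error instead of plaintext; feed CTRXOR the same kind of modified ciphertext and it hands back text with one character changed and no sign that anything is wrong.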

End-to-end encryption

Lastly, users will soon be able to communicate without anyone — outsiders or Zoom employees — being able to eavesdrop. The service plans to add end-to-end encryption of video calls, for which purpose it has even acquired Keybase, a company specializing in secure messengers and apps for data exchange.

At first, Zoom planned to provide maximum-level privacy to paid subscribers only. But the news that it was going to leave free users without end-to-end encryption provoked a lot of criticism: Zoom was accused of collaborating with intelligence agencies, or at least of leaving the door open for them.

Those accusations conveniently ignore an important point: Practically none of Zoom’s competitors provide e2e, either. End-to-end encrypted video calls are available only in instant messengers with limited video call capability or in high-cost business tools that offer it only on request and clearly not for free.

Developers have good reason not to love end-to-end video encryption, which is incompatible with many useful features including the ability to record conferences in the cloud, broadcast them on YouTube, or join meetings by phone — anything that requires management through a server. In terms of convenience, most users are better off without it.

That said, on June 17, Zoom announced that end-to-end encryption would be made available to all, including those who use the service for free. It won’t happen overnight, though: the company plans to start early beta testing in July.

No time to relax

All in all, Zoom 5 is far more secure than past iterations. Its developers have approached security in a very responsible manner, promptly fixing most of the issues that surfaced during the lockdown period.

However, that doesn’t mean that you can take your eye off the ball. Is your conference open or closed? Is recording allowed or not? The developers can’t answer these and some other questions for everyone. So you need to configure conference calls according to your own requirements. Thankfully, Zoom now has more settings to help you get it right.

Second, absolute security does not exist. For example, two vulnerabilities were discovered in the relatively recent Zoom 4.6.10. One of them allowed a malicious chat message to execute arbitrary code on the Zoom server. That bug was fixed before the release of version 5.

The second vulnerability was related to the integration of the chat feature with online GIF repository GIPHY. The bug allowed arbitrary files to be downloaded to conference participants’ computers instead of animated images. The developers temporarily disabled the vulnerable function, and they promise to return it as soon as the problem is fixed.

So far, no horrors have been found in Zoom 5, but that doesn’t mean there aren’t any. As long as the service remains in the spotlight, there will be no shortage of people trying to find its soft spots. Therefore, if you use Zoom, be sure to keep an eye out for updates and install them immediately.