Zoom Acknowledges Encryption Problems
The University of Toronto's Citizen Lab has examined Zoom's encryption and concluded that the teleconferencing app is "not suitable for secrets." Zoom initially claimed it offered "end-to-end encryption" for meetings, but last week published a blog saying that it "recognize[s] that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it." Citizen Lab also found a security issue with Zoom's Waiting Room feature and recommends that Zoom meetings use passwords.
On 5 April, Zoom changed defaults to enable passwords and start with the waiting room feature. I'll pretty much repeat what I said last Friday in Newsbites: "The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months." On the end-to-end crypto issue - a term that is thrown around a lot - many issues arise across many products. The bigger issue with Zoom has been user-stored sessions being easily findable and accessible on the Internet - another issue Zoom is working on. Great webcast on how to mitigate many Zoom issues by SANS instructor Mick Davis is available at https://www.sans.org/webcasts/zomg-zoom-114670: ZOMG it's ZOOM
Great work by Citizen Lab analyzing the Zoom encryption issues. The part I find most concerning is the fact that simple statements, like the length of the key used, were obviously wrong in Zoom's description of the encryption protocol. This shows, yet again, a common tech startup problem: a leadership group that is over-confident in the capabilities of their product but has little connection to the reality of what their product is actually capable of doing. This is not uniquely a Zoom issue; it is pervasive among startups including security startups. Always double check the vendor's claims.
It is important to understand the security of any video teleconferencing system used. The Zoom Blog below explains the encryption options for Zoom, including noting they have an option for customers to use their own key management systems. Understanding and accepting the risk of where the encryption keys are and how they are managed is important for any outsourced service. User guides need to be clear regarding the differences in security of room meeting systems, telephone and using the native meeting client. Irrespective of the software used, using the native client for all functions by all participants is the most secure option for meeting participation.