Zoom still has a way to go when it comes to improving its security
“Zoom is malware.” If you Google that phrase, you will see that it returns hundreds of recent posts and articles; some claim that the statement is true and others that it is untrue. In a sense, it doesn’t really matter if it is true or not (it isn’t) because once something is discussed on the internet, it takes on a life of its own. The genie is out of the bottle, and some people will never change their minds. The shareholders of Zoom Video Communications probably won’t mind too much, though, as it now has over 300 million users. It’s become too big to fail.
However, perhaps the most rational take on Zoom was that it wasn’t malware but “an app full of security vulnerabilities.” Is that fair? Probably. But talk to any decent hacker, and they’ll claim that just about any piece of commercial software on the planet is “full of security vulnerabilities.” In Zoom’s case, this came in the form of ‘Zoom-bombing’, i.e. entering into a virtual meeting with the intent to disrupt it. It might seem harmless, but some of the most frequent targets were Alcoholics Anonymous meetings.
Zoom was unclear on its security
Zoom certainly shouldn’t be immune from criticism. One big issue it had was that it claimed to have end-to-end encryption when, for all intents and purposes, this was not true. The company took a liberal approach to its definition of end-to-end encryption, and it was rightly hammered for it in the tech-based media. In short, it used TLS – a bit like the tech used to secure HTTPS sites – meaning it’s relatively easy to eavesdrop on the call. For true end-to-end encryption, only the participants should be able to decrypt the call. This wasn’t the case.
Another issue was targeting. You would expect the security for a sensitive business conference call to be much stronger than the security used for a virtual drinks party, but Zoom never distinguished. That’s different elsewhere. For instance, similar use of video streaming technology can be found in live dealer games, which are basically real-time feeds of a casino game delivered from a studio to a computer or smartphone. The security needs will be different, but the specifics of the product mean software developers like Playtech and Evolution Gaming can focus on targeted solutions.
New security updates for Zoom 5.0
Zoom will argue that this is a moot point now, however, as the company released an app update with enhanced security on April 23. Casual users of what is now Zoom 5.0 will be happy with the security report button, allowing them to block and report trolls. Still, it’s the incorporation of AES 256-bit GCM encryption that is perhaps the most reassuring. As the Guardian reports, it’s considered the gold standard of encryption. However, it still raises the question: Was Zoom’s rush to roll out these new security measures proof that it wasn’t up to standard before? Or was it simply a reaction to the media’s insatiable desire to point the finger at a successful company? The evidence seems to suggest a bit of both.
The new security update is part of a 90-day plan by Zoom to beef up its security measures, so you should expect more improvements in the coming weeks. Will it be enough to satisfy the critics? Probably not. But that’s also a good thing, as it should push Zoom to continue to evolve its security measures. Indeed, such criticism can often force tech companies to become proactive rather than reactive to security concerns.
Can you, therefore, Zoom with confidence now that the app is secured with AES 256-bit GCM encryption? Well, one issue is that, despite the robustness of AES 256-bit GCM, Zoom’s encryption is still not end-to-end. But it is nevertheless a positive step forward. Like any piece of tech, you should take advantage of it, yet, at the same time, remain skeptical of it.