The chief product officer of video conference provider Zoom has apologized for any confusion about its encryption capability after a news service this week complained the company is misleading users by saying it offers end-to-end encryption.
“While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” Oded Gal said in a blog Thursday.
In a separate blog CEO Eric Yuan said “we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry.”
Recently Zoom has improved privacy by removing an attendee attention tracker feature, releasing fixes for both Mac-related issues first raised by Motherboard recently, and releasing a fix for a UNC link issue identified by Bleeping Computer. It also removed the LinkedIn Sales Navigator app after identifying unnecessary data disclosure by the feature.
He also said Zoom over the next three months will shift all of its software engineering resources to focus on trust, safety and privacy issues, as well as conduct a comprehensive review with third-party experts and representative users to understand and ensure the security of all of our new consumer use cases.
Their statements came after The Intercept reported in marketing material Zoom says it offers end-to-end encryption for internet audio and video connections (but not dial-in phone audio), giving the impression that no one can intercept web-based sessions. But, says the story, what Zoom really provides is TLS or transport encryption — the same encryption web servers use to secure HTTPS websites. That, in theory, means Zoom could access unencrypted video and audio from meetings, say experts interviewed in the article.
By contrast, says The Intercept, the Signal messaging app service — which promises end to end encryption — doesn’t have the keys for decrypting messages and therefore can’t access content.
Privacy issues have become more important due to the COVID-19 pandemic crisis with more organizations and individuals using audio and video conferencing. Zoom alone has seen the maximum number of daily meeting participants, both free and paid, conducted on its platform rise from approximately 10 million sessions at the end of December to more than 200 million daily meeting participants, both free and paid last month.
Gal admitted there has been “confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” He then goes on to give a detailed explanation of the company’s privacy protocols
“In a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients.”
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
Where all participants are using the Zoom app on a computer or smartphone or in a Zoom Room no user content is available to Zoom’s servers or employees at any point during the transmission process, he wrote.
Audio is not encrypted with the Zoom system for users who join Zoom meetings on a traditional telephone line or through SIP/H.323 room-based conferencing systems, Gal said. However, specialized clients called Zoom Connectors to translate between Zoom encrypted meetings and legacy systems. “These connectors are effectively Zoom clients that operate in Zoom’s cloud. Content remains encrypted to each connector, and when possible we will encrypt data between each connector and the eventual destination (such as a non-Zoom room system),” Gal wrote. “To ensure this entire process [the web-based conferencing and the Connectors system] meets the needs of our customers around the clock and around the world, Zoom currently maintains the key management system for these systems in the cloud. Importantly, Zoom has implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings, including – but not limited to – the video, audio, and chat content of those meetings.”
For those who want additional control of their keys, Gal noted, Zoom still offers an on-premise solution. Later this year a solution will be offered to allow organizations to use Zoom’s cloud infrastructure but host the key management system within their environment. Additionally, enterprise customers have the option to run certain versions of our connectors within their own data centers if they would like to manage the decryption and translation process themselves.
The Intercept’s article captured headlines and several security researchers have noted a rise in the number of posts in hacking forums with tips on exchanging Zoom conferencing codes and ways to disrupt meetings. However, at least one expert suggested CISOs and individuals have more serious threats to worry about.
“Few attackers will ever bother to intercept Zoom communications,” said Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, “Even fewer will extract any value from the alleged data sharing with Facebook. Instead, they will bet on the skyrocketing number of poorly configured VPNs and RDP technologies, abandoned servers and unprotected cloud storage, exposed databases and shadow IT resources that widely open the door to companies’ crown jewels. Others will hone their skills in large-scale phishing and BEC campaigns. Unfortunately, most of their attacks will likely be tremendously successful.”