Monday, 23 December 2024

About Zoom End-to-End encryption

Zoom’s presentation at RSA Conference 2021 focused on end-to-end encryption in Zoom Cloud Meetings. The company explained why its developers are focusing on the issue, how they plan to make calls more secure, and what other new, security-related features users can expect.

The Background

Zoom’s high popularity aroused the interest of security experts and cybercriminals alike, whereupon many quickly learned that not all was well with the platform’s security. For example, the software was found to contain vulnerabilities that allowed attackers to spy on users through their cameras and microphones, and raids by online trolls even got their own name: Zoombombing. Zoom’s response was quick and far-reaching, but issues remained. A major gripe about Zoom was that the platform used point-to-point encryption (P2PE) instead of end-to-end encryption (E2EE).

E2EE vs P2PE

In P2PE, the server can access users’ messages, whereas E2EE encrypts information on the sender’s device and decrypts it only on the recipient’s end. However, this detail has potential for trouble, which Zoom developers highlighted at the conference:

  • Cybercriminals could breach the server, steal the encryption keys stored there, and join meetings in real invitees’ places or spoof their messages;
  • Opportunistic employees of the cloud provider or Zoom itself could gain access to keys and steal users’ data.

End-to-end encryption in Zoom: State of play

Zoom has used E2EE for audio and video calls as well as chat since the fall of 2020. When it is enabled, Zoom protects participants’ data with a so-called conference encryption key. The key is not stored on Zoom’s servers, so even the developers can’t decrypt the content of conversations. The platform stores only encrypted user IDs and some meeting metadata such as call duration. To guard against outside connections, developers also introduced the Heartbeat feature, a signal that the meeting leader’s app automatically sends to other users. Another way to keep out uninvited participants is to lock the meeting (using the appropriately titled Lock Meeting feature). Zoom also protects against man-in-the-middle attacks with encryption key replacement

Will Zoom become more secure?

The short answer is yes, and Zoom’s security continues to improve. The company has already done a great deal to guard against outside interference, and it has even more protection tools in development.

Direct Publication Source: https://www.kaspersky.com/blog/rsa2021-zoom-end-to-end-encryption/40562/

Comments


You May Like These Too


Get Latest Updates