Zoom Announces Better Encryption, Other Security Improvements

Zoom on Wednesday announced a series of security improvements designed to address many of the concerns raised in recent weeks.

Researchers warned in early April that Zoom had been sending the keys used to encrypt and decrypt meetings to servers in China, even if all participants were located in other countries. Zoom has now announced that account administrators will be able to choose which data center regions they want to use for real-time meeting traffic. Data center regions include Australia, Canada, China, Europe, Hong Kong, India, Japan, Latin America and the United States.

The same researchers also warned that Zoom meetings were encrypted with an AES-128 key used in ECB mode, which is not recommended. The vendor says the upcoming Zoom 5.0, scheduled for release within the next week, will introduce AES 256-bit GCM encryption, which should provide better protection for meeting data.

“This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30,” Zoom said in a blog post.
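Why ECB is discouraged and what GCM adds can be seen in a short added example (not code from Zoom or from the original article) using Node.js's built-in crypto module. The keys, the nonce and the repetitive sample data are constructed for the demonstration.

```javascript
// Added illustration: keys, nonce and sample data are constructed here.
const nodeCrypto = require('crypto');
const BLOCK = 16; // AES block size in bytes

// AES-128-ECB: every 16-byte block is encrypted independently of the others.
function encryptEcb(key, plaintext) {
  const c = nodeCrypto.createCipheriv('aes-128-ecb', key, null);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// AES-256-GCM with a fresh 96-bit nonce per message; returns the auth tag too.
function encryptGcm(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ciphertext, tag: c.getAuthTag() };
}

// Decrypts and verifies the tag; throws if ciphertext or tag were modified.
function decryptGcm(key, { nonce, ciphertext, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ciphertext), d.final()]);
}

// Counts ciphertext blocks that duplicate an earlier block (pattern leakage).
function repeatedBlocks(buf) {
  const seen = new Set();
  let repeats = 0;
  for (let i = 0; i + BLOCK <= buf.length; i += BLOCK) {
    const hex = buf.subarray(i, i + BLOCK).toString('hex');
    if (seen.has(hex)) repeats++; else seen.add(hex);
  }
  return repeats;
}

// Constructed sample: four identical 16-byte plaintext blocks.
const sample = Buffer.alloc(4 * BLOCK, 0x00);
const ecbOut = encryptEcb(nodeCrypto.randomBytes(16), sample);
const gcmKey = nodeCrypto.randomBytes(32);
const gcmOut = encryptGcm(gcmKey, sample);

// Flips one ciphertext bit and reports whether decryption refuses the message.
function gcmRejectsTampering() {
  const forged = { ...gcmOut, ciphertext: Buffer.from(gcmOut.ciphertext) };
  forged.ciphertext[0] ^= 0x01;
  try { decryptGcm(gcmKey, forged); return false; } catch { return true; }
}

console.log('ECB repeated blocks:', repeatedBlocks(ecbOut));
console.log('GCM repeated blocks:', repeatedBlocks(gcmOut.ciphertext));
console.log('GCM rejects tampering:', gcmRejectsTampering());
```

Under ECB the identical plaintext blocks produce identical ciphertext blocks, so structure in the data is visible to an observer. GCM output shows no repeats, and a modified ciphertext fails the tag check instead of decrypting.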

The company also told customers that it has grouped security features under a Security Icon that can be found in the meeting menu bar.

Many of the steps described by Zoom on Wednesday are in response to Zoombombing, where an unauthorized individual joins a video conference in an effort to cause disruption. Many Zoombombing incidents have been reported after Zoom’s popularity skyrocketed due to the COVID-19 coronavirus outbreak.

Hosts will be able to report users to Zoom, and they can also prevent meeting participants from renaming themselves.

The Waiting Room feature has been one of the most effective measures against Zoombombing as participants first enter a virtual waiting room before they are allowed to join in. The Waiting Room is now enabled by default for education, Basic, and single-license Pro accounts, and hosts can now enable the feature even while a meeting is in progress — hosts previously had to enable Waiting Room before creating a meeting.

Meeting passwords and cloud recording passwords are now on by default for most users, and administrators can define how complex the passwords have to be.

Other improvements include secure account contact sharing for larger organizations, more information in the admin dashboard, and measures meant to make it more difficult to accidentally share meeting IDs.

Zoom also announced recently that it has teamed up with Luta Security to revamp its bug bounty program.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.