Zoom Announces Better Encryption, Other Security Improvements

Zoom rolling out more security improvements

Zoom on Wednesday announced a series of security improvements designed to address many of the concerns raised in recent weeks.

Researchers warned in early April that Zoom had been sending the keys used to encrypt and decrypt meetings to servers in China, even if all participants were located in other countries. Zoom has now announced that account administrators will be able to choose which data center regions they want to use for real-time meeting traffic. Data center regions include Australia, Canada, China, Europe, Hong Kong, India, Japan, Latin America and the United States.

The same researchers also warned that Zoom meetings were encrypted with an AES-128 key used in ECB mode, which is not recommended. The vendor says the upcoming Zoom 5.0, scheduled for release within the next week, will introduce AES 256-bit GCM encryption, which should provide better protection for meeting data.

“This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30,” Zoom said in a blog post.
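The difference between the two modes can be seen directly. The following Go program is an added example, not code from Zoom or from the original article: it encrypts a frame of two identical 16-byte blocks with AES-128 in ECB mode and with AES-256-GCM, then flips one bit of the GCM message. The keys, the sample frame and the helper names (`ciphers`, `ecbEncrypt`, `gcmSeal`) are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ciphers returns the raw AES block cipher for key and its GCM wrapper.
func ciphers(key []byte) (cipher.Block, cipher.AEAD) {
	blk, err := aes.NewCipher(key) // 16-byte key: AES-128, 32-byte: AES-256
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		panic(err)
	}
	return blk, gcm
}

// ecbEncrypt encrypts each 16-byte block on its own (Go ships no ECB mode).
func ecbEncrypt(blk cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		blk.Encrypt(ct[i:], pt[i:]) // encrypts exactly one block per call
	}
	return ct
}

// gcmSeal returns nonce || ciphertext || tag under a fresh random nonce.
func gcmSeal(gcm cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

func main() {
	frame := bytes.Repeat([]byte("SAME-PIXEL-BLOCK"), 2) // constructed sample data
	blk, _ := ciphers(make([]byte, 16))                  // constructed all-zero keys
	_, gcm := ciphers(make([]byte, 32))
	ecb, sealed := ecbEncrypt(blk, frame), gcmSeal(gcm, frame)
	sealed[20] ^= 1 // one ciphertext bit flipped in transit
	_, err := gcm.Open(nil, sealed[:12], sealed[12:], nil)
	fmt.Println("ECB blocks repeat:", bytes.Equal(ecb[:16], ecb[16:]), "| GCM open:", err)
}
```

Under ECB the two identical plaintext blocks produce identical ciphertext blocks and nothing detects modification, whereas GCM yields distinct ciphertext blocks and rejects the altered message with an authentication error.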

The company also told customers that it has grouped security features under a Security Icon that can be found in the meeting menu bar.

Many of the steps described by Zoom on Wednesday are in response to Zoombombing, where an unauthorized individual joins a video conference in an effort to cause disruption. Many Zoombombing incidents have been reported after Zoom’s popularity skyrocketed due to the COVID-19 coronavirus outbreak.

Hosts will be able to report users to Zoom, and they can also prevent meeting participants from renaming themselves.

The Waiting Room feature has been one of the most effective measures against Zoombombing as participants first enter a virtual waiting room before they are allowed to join in. The Waiting Room is now enabled by default for education, Basic, and single-license Pro accounts, and hosts can now enable the feature even while a meeting is in progress — hosts previously had to enable Waiting Room before creating a meeting.

Meeting passwords and cloud recording passwords are now on by default for most users, and administrators can define how complex the passwords have to be.

Other improvements include secure account contact sharing for larger organizations, more information in the admin dashboard, and measures meant to make it more difficult to accidentally share meeting IDs.

Zoom also announced recently that it has teamed up with Luta Security to revamp its bug bounty program.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
