Zoom Announces Better Encryption, Other Security Improvements

Zoom rolling out more security improvements

Zoom on Wednesday announced a series of security improvements designed to address many of the concerns raised in recent weeks.

Researchers warned in early April that Zoom had been sending the keys used to encrypt and decrypt meetings to servers in China, even if all participants were located in other countries. Zoom has now announced that account administrators will be able to choose which data center regions they want to use for real-time meeting traffic. Data center regions include Australia, Canada, China, Europe, Hong Kong, India, Japan, Latin America and the United States.

The same researchers also warned that Zoom meetings were encrypted with an AES-128 key used in ECB mode, which is not recommended. The vendor says the upcoming Zoom 5.0, scheduled for release within the next week, will introduce AES 256-bit GCM encryption, which should provide better protection for meeting data.

“This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Video Webinar, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports GCM encryption, and this standard will take effect once all accounts are enabled with GCM. System-wide account enablement will take place on May 30,” Zoom said in a blog post.
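The difference between the two modes can be seen in a short Node.js sketch. This is an added example, not Zoom's code and not from the original article: it uses Node's built-in `crypto` module, and the keys, the repeated-block "frame" and the `meeting-1234` associated data are constructed for illustration. ECB encrypts identical plaintext blocks to identical ciphertext blocks, while GCM hides the repetition and rejects modified ciphertext.

```javascript
// Added example: constructed keys and plaintext; not Zoom's implementation.
const crypto = require('node:crypto');

// AES-128 in ECB mode: each 16-byte block is encrypted independently, no IV.
function encryptEcb(key, plaintext) {
  const c = crypto.createCipheriv('aes-128-ecb', key, null);
  return Buffer.concat([c.update(plaintext), c.final()]);
}

// AES-256-GCM: fresh 96-bit nonce per message, plus an authentication tag.
function encryptGcm(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ciphertext, tag: c.getAuthTag() };
}

// Decrypt and verify; final() throws if ciphertext, AAD or tag was altered.
function decryptGcm(key, msg, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  d.setAAD(aad);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ciphertext), d.final()]);
}

// Count distinct 16-byte blocks; repeated blocks reveal plaintext structure.
function distinctBlocks(buf) {
  const seen = new Set();
  for (let i = 0; i + 16 <= buf.length; i += 16) {
    seen.add(buf.subarray(i, i + 16).toString('hex'));
  }
  return seen.size;
}

// Returns true if a one-bit change to the ciphertext fails authentication.
function tamperRejected(key, msg, aad) {
  const forged = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  forged.ciphertext[0] ^= 0x01;
  try { decryptGcm(key, forged, aad); return false; } catch { return true; }
}

// Constructed input: four identical 16-byte blocks, as in a uniform frame region.
const frame = Buffer.alloc(64, 'A');
const aad = Buffer.from('meeting-1234'); // hypothetical associated data
const gcmKey = crypto.randomBytes(32);
const gcmMsg = encryptGcm(gcmKey, frame, aad);
const ecbOut = encryptEcb(crypto.randomBytes(16), frame).subarray(0, 64);
console.log('ECB distinct blocks:', distinctBlocks(ecbOut));
console.log('GCM distinct blocks:', distinctBlocks(gcmMsg.ciphertext));
console.log('GCM tamper rejected:', tamperRejected(gcmKey, gcmMsg, aad));
```

The `subarray(0, 64)` drops the extra padding block that ECB appends, so the count covers only the four data blocks.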

The company also told customers that it has grouped security features under a Security Icon that can be found in the meeting menu bar.

Many of the steps described by Zoom on Wednesday are in response to Zoombombing, where an unauthorized individual joins a video conference in an effort to cause disruption. Many Zoombombing incidents have been reported after Zoom’s popularity skyrocketed due to the COVID-19 coronavirus outbreak.

Hosts will be able to report users to Zoom, and they can also prevent meeting participants from renaming themselves.

The Waiting Room feature has been one of the most effective measures against Zoombombing as participants first enter a virtual waiting room before they are allowed to join in. The Waiting Room is now enabled by default for education, Basic, and single-license Pro accounts, and hosts can now enable the feature even while a meeting is in progress — hosts previously had to enable Waiting Room before creating a meeting.

Meeting passwords and cloud recording passwords are now on by default for most users, and administrators can define how complex the passwords have to be.

Other improvements include secure account contact sharing for larger organizations, more information in the admin dashboard, and measures meant to make it more difficult to accidentally share meeting IDs.

Zoom also announced recently that it has teamed up with Luta Security to revamp its bug bounty program.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
