Last Updated 1st July 2020
New Updates : blog.zoom.us/category/company-news/security-privacy
Implementation of AES 256 GCM encryption
On 30th May Zoom implemented AES256 GCM encryption for all calls which was coupled with a mandatory upgrade to version 5.x of the client software. This move increased the encryption to a high grade industry standard and also ensured the user software was running a new release version which included the patching for recent discovered vulnerabilities. As part of this update, Zoom included the ability to see the level of encryption you active call is using and the location of the data centre where your call is being hosted. AARNet hosted calls will present as an on-premise rather than cloud in the case of Zoom hosted.
New Security Icon in the user interface
The Security Icon provides hosts and co-hosts instant access to important security controls in meetings, including the ability to lock meetings and enable waiting rooms, and the options to manage participants' ability to share their screen, participate in chat, and rename or unmute themselves.
Release of Zoom Version 5.0
Introduces the support for AES 256-bit GCM encryption which will be implemented post Zoom Infrastructure upgrades to be completed by May 30 when version 5 will be mandated for meeting access.
Introduction of a Report a User Function – This report goes to the Zoom Trust and Safety team to review.
Introduction of an Encryption icon in the Zoom meeting.
Display which Data Centre the meeting is connected to while meeting is in progress.
In recent weeks, as the world reels from the effects of social distancing due to the COVID-19 outbreak, there has been a significant uptake in Zoom across the world which the University has also adopted. So along with the fantastic way technology has risen to the challenge comes some problems, which seems be a regular occurrence in the technology space, and we're seeing a rise of cyber trolling or criminal activity.
There have been cases of 'Zoombombing' reported in recent days, which is the simple act of trolls or users entering a Zoom Meeting ID and joining into an open meeting and then broadcasting very confronting or sexually explicit content to the meeting. This content is broadcast by the user's webcam or through screen sharing.
Zoom released an enhancement on 26th March 2020 that will default screen sharing by host only instead of all participants in a meeting. This will prevent 'Zoombombing' by screen sharing.
Publicly sharing a Zoom Meeting ID/URL is also not advisable as this provides options for compromise of the session or fraudulent use.
Zoom Security Improvements
Zoom have committed to a 90-day plan to improve the platform security. These improvements will be implemented incrementally throughout the 90 days and will be posted below.
New Security icon in the meeting controls
The newly released Security icon in the toolbar provides Zoom meeting hosts and co-hosts with one-click access to a number of existing Zoom security features, including Lock meeting and Enable the Waiting Room.
Zoom Client feature updates
- Removed from the title bar
- One-time meeting IDs for newly scheduled meetings will be 11 digits
Security icon in the toolbar
- Available for hosts and co-hosts in meeting client
Disabled renaming participants
- Added an account or host setting to disable renaming of participants
- Passwords are now on by default
- Require complex password
- Mask the content of the message in the notification
- File sharing security enhancement
Changes to data center routing
Starting April 18, Zoom account admins will have the ability to choose whether or not their data is routed through specific data center regions, giving users more control over their interactions with Zoom's global network. The University will ensure that all data is routed to Australian hosted data centers only once this feature is available (note this only affects users hosted within the Zoom public cloud. To date, this is a few dozen only).
- Zoom provides services out of their Zoom managed data centers. The regional selection will be honoured regardless of which underlying resource is leveraged for the meeting.
- Zoom conference room connectors in disabled regions will not be allowed to connect to meetings or webinars.
- Regional dial-in numbers are disabled when a region is disabled.
- Currently the regions are grouped into: United States, Canada, Europe, India, Australia, China, Latin Ameria, and Japan/Hong Kong.
Bug Bounty program with Katie Moussouris of Luta Security
Zoom will be working with Luta Security to reboot their bug bounty program. Luta Security was founded by Katie Moussouris, who created some of the most important vulnerability programs still running today. She started Microsoft Vulnerability Research and Symantec Vulnerability Research, and also started Microsoft's and Pentagon's bug bounty programs. Luta Security will be assessing Zoom's program holistically with a 90-day 'get well' plan, which will cover all internal vulnerability handling processes. More information.
Zoom's use of Facebook's SDK in iOS Client
Zoom originally implemented the 'Login with Facebook' feature using the Facebook SDK for iOS (software development kit) in order ot provide users with another convenient way to access the platform. However, Zoom were made aware on Wednesday, March 25th 2020 that the Facebook SDK was collecting device information unnecessary for providing the online meeting services. The information collected by the Facebook SDK did not include information and activities related to meetings such as attendees, names, notes, etc. but rather included information about devices such as the mobile OS type and version, the device time zone, device OS, device model and carrier, screen size, processor cores, and disk space.
Zoom removed the Facebook SDK from the iOS client and have reconfigured the feature so that users will still be able to login with Facebook via their browser. Users will need to update to the latest version of the Zoom iOS app that's already available since Friday, March 27 2020 in order for the changes to take hold.
Founded nine years ago, Zoom has found itself suddenly become a vital social and professional lifeline for millions around the world. But that rapid growth has led to it already being hit by the kind of controversies that far larger tech companies like Facebook and Google frequently grapple with.
Zoom have emphasied that:
- Zoom does not sell user data.
- Zoom has never sold user data in the past and has no intention of selling user data going forward.
- Zoom does not monitor meetings or content.
- Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and CCPA.