A DEEPER LOOK INTO THE ZOOM SITUATION: ZOOMBOMBING, ENCRYPTION, PHISHING, AND MORE!
Since the beginning of quarantine, a number of cybersecurity concerns have been placed front and center before the public. These months of sheltering-in-place and has given a wake-up call for companies to integrate cybersecurity and privacy into their fundamental prototyping processes. The largest example of these concerns coming to light has been seen with Zoom Video Communications, the company founded in 2011 whose namesake video conferencing software has exponentially increased in popularity due to COVID-19. In today’s blog, we hope to break down the root of these concerns with Zoom and further explore the updates that have happened since the initial public revelation of Zoom’s vulnerable encryption.
For years, Zoom has been criticized for lack of visibility regarding security rules since their products have experienced a bump in usage since the onset of the COVID-19 pandemic. In March, the company itself was revealed to have the encryption of standard web browsers rather than end-to-end.
In late May, an article was released by Forbes entitled “Zoom Security: Here’s One Big Reason To Update Your App Right Now” that gave many simplified warnings of the dangers of Zoom, especially privacy issues. Perhaps the most notable example is “Zoom bombing”, where an individual enters a chat without host permission. The article also brought up how Zoom has become used in phishing schemes. While the article encouraged its users to update their Zoom application – and introduced an added feature of requiring a passcode when joining a chat – it added that Zoom chats would still not be encrypted, even comparing the application unfavorably to FaceTime. But this could all change very soon.
An article was released by The Verge on June 17 written by Nick Statt with its underlying message in the title itself, “Zoom says free users will get end-to-end encryption after all”. However, while it appears to address the concerns of Zoom users regarding privacy, the beta version of Zoom with end-to-end will not be available effectively until July.
Source: NDTV Gadgets 360
End-to-end encryption is where a method of communication – usually involving communicating through audio, text, or video – where the context exchanged is restricted to those who are permitted members. One well-known example is WhatsApp, the messaging platform and Facebook subsidiary which publicly announced they would provide full end-to-end encryption for its services in April 2016.
Additionally, the beta version containing end-to-end has been available since July and is not restricted to paid users. Free users will be able to manually opt into having end-to-end connectivity. Recently, Zoom expressed concern about enabling end-to-end encryption for free users due to Zoom’s history with illegal activity – such as phishing scams – that law enforcement entities such as the FBI could find difficult to track. In fact, after the company’s recent quarterly earnings release (which reported $328 million in revenue between February and April), an organization spokesperson addressed the security topic with, “We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity.” In addition, users will also provide a phone number when registering for an account.
While few details are known about the beta version of end-to-end that will become available in July, it is known that the encryption system is – specifically – an AES 256 GCM transport system as well as the fact that administrators will be able to have permissions to disable and/or enable it in group as well as one-on-one settings.
Source: Bloomberg News
In early May, Stephen McBride – editor of RiskHedge Report – penned an article “Why The Largest Cyberattack In History Could Happen Within Six Months”. He predicted that the ongoing pandemic and its impact on people – including increased use of personal technology – could segue into a potentially catastrophic global attack. McBride recommended readers to invest in cybersecurity-related stocks. However, the most important thing everyday users can do is to be careful about the safety of their devices. This could mean updating software and login credentials as well as frequently cleaning your devices of viruses and malware.
As previously stated, WhatsApp infamously did not provide full end-to-end encryption for its services until April 2016, a whole 7 years after it was founded and 2 years after it became a subsidiary of Facebook. Zoom, which was founded 9 years ago, has reached a long-overdue security milestone.
