15 July 21, 07:24
How Zoom security is evolving, what threats are still current, and how developers plan to eliminate them.
Zoom’s presentation at RSA Conference 2021 focused on end-to-end encryption in Zoom Cloud Meetings. The company explained why its developers are focusing on the issue, how they plan to make calls more secure, and what other new, security-related features users can expect.
A little history
The pandemic forced many of us to switch to long-term remote work and communicate with colleagues and loved ones through teleconferencing software.
Zoom’s high popularity aroused the interest of security experts and cybercriminals alike, and it quickly emerged that not all was well with the platform’s security. For example, the software was found to contain vulnerabilities that allowed attackers to spy on users through their cameras and microphones, and raids by online trolls even got their own name: Zoombombing. Zoom’s response was quick and far-reaching, but issues remained.
A major gripe about Zoom was that the platform used point-to-point encryption (P2PE) instead of end-to-end encryption (E2EE).
E2EE vs P2PE
At first glance, the two systems may seem similar: Both encrypt the data that users exchange. But with P2PE, the server can access users’ messages, whereas E2EE encrypts information on the sender’s device and decrypts it only on the recipient’s end. The server’s access to messages under P2PE has potential for trouble, which Zoom developers highlighted at the conference:
- Cybercriminals could breach the server, steal the encryption keys stored there, and join meetings in real invitees’ places or spoof their messages;
- Opportunistic employees of the cloud provider or Zoom itself could gain access to keys and steal users’ data.
No one wants private conversations with family and friends, let alone secret business talks, made public. What’s more, if a hacker were to use stolen keys only for passive eavesdropping, that would be extremely difficult to detect.
E2EE solves those problems by storing decryption keys on users’ devices, and only there. That means hacking the server would not enable an intruder to eavesdrop on a video conference.
Naturally, then, many have been longing for Zoom to switch to E2EE, already a de facto standard for messaging apps.
End-to-end encryption in Zoom: State of play
The developers listened to the criticism and took steps to improve platform security, including implementing E2EE.
Zoom has used E2EE for audio and video calls as well as chat since the fall of 2020. When it is enabled, Zoom protects participants’ data with a so-called conference encryption key. The key is not stored on Zoom’s servers, so even the developers can’t decrypt the content of conversations. The platform stores only encrypted user IDs and some meeting metadata such as call duration.
To guard against outside connections, developers also introduced the Heartbeat feature, a signal that the meeting leader’s app automatically sends to other users. It contains, among other things, a list of attendees to whom the meeting leader sent the current encryption key. If someone not in the list joins the meeting, everyone immediately knows something is wrong.
Another way to keep out uninvited participants is to lock the meeting (using the appropriately titled Lock Meeting feature) once all of the guests have gathered. You have to lock meetings manually, but once you have, no one else can join, even if they have the meeting ID and password.
Zoom also protects against man-in-the-middle attacks that replace the meeting encryption key. To make sure an outsider isn’t eavesdropping, the meeting leader can click a button at any time to generate a security code derived from the current meeting encryption key. The same code is generated automatically on every other participant’s device. It remains for the leader to read this code aloud; if it matches everyone else’s, then everyone is using the same key and all is well.
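The Heartbeat roster check and the security-code comparison described above, as an added illustrative model; this is not Zoom’s code, and the code derivation (SHA-256 over meeting ID and key, rendered as decimal digits), the message format and the participant names are assumptions made for the example.

```python
import hashlib
import secrets

def derive_security_code(meeting_key: bytes, meeting_id: str, digits: int = 20) -> str:
    """Turn the current meeting key into a short code people can read aloud.
    Assumed derivation, not Zoom's: SHA-256 over a label, the meeting ID and the key,
    truncated to `digits` decimal digits in groups of five."""
    digest = hashlib.sha256(b"security-code|" + meeting_id.encode() + b"|" + meeting_key).digest()
    number = str(int.from_bytes(digest[:16], "big")).zfill(digits)[-digits:]
    return " ".join(number[i:i + 5] for i in range(0, digits, 5))

class Participant:
    def __init__(self, name: str):
        self.name, self.meeting_key = name, None
    def receive_key(self, key: bytes) -> None:
        self.meeting_key = key
    def security_code(self, meeting_id: str) -> str:
        return derive_security_code(self.meeting_key, meeting_id)

class Leader:
    def __init__(self, meeting_id: str):
        self.meeting_id = meeting_id
        self.meeting_key = secrets.token_bytes(32)   # never stored on the server
        self.key_holders = set()                      # attendees the leader keyed
    def send_key(self, p: Participant) -> None:
        p.receive_key(self.meeting_key)
        self.key_holders.add(p.name)
    def heartbeat(self) -> dict:
        # Leader-originated message listing who holds the current key (signing assumed).
        return {"meeting": self.meeting_id, "key_holders": sorted(self.key_holders)}

def unkeyed_attendees(heartbeat: dict, roster: list) -> list:
    """Names present in the meeting that the leader never sent the key to."""
    return sorted(set(roster) - set(heartbeat["key_holders"]))

def codes_match(leader: Leader, participants: list) -> bool:
    ref = derive_security_code(leader.meeting_key, leader.meeting_id)
    return all(p.security_code(leader.meeting_id) == ref for p in participants)

def simulate() -> dict:
    # Constructed scenario: alice and bob are keyed by the leader; mallory joins
    # holding a different key, as would happen if an intermediary swapped keys.
    leader, alice, bob = Leader("123-456-789"), Participant("alice"), Participant("bob")
    leader.send_key(alice); leader.send_key(bob)
    mallory = Participant("mallory"); mallory.receive_key(secrets.token_bytes(32))
    roster = ["alice", "bob", "mallory"]
    return {"unkeyed": unkeyed_attendees(leader.heartbeat(), roster),
            "codes_ok_invitees": codes_match(leader, [alice, bob]),
            "codes_ok_with_mallory": codes_match(leader, [alice, bob, mallory])}
```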
Finally, if the meeting leader leaves the meeting and someone else takes over, the app reports the handoff. If it seems suspicious to others on the call, they can pause any top-secret discussions to work everything out.
Of course, if you’re just having a Zoom party with friends, you probably have no need to use all of those security mechanisms. But if business (or other) secrets are on the virtual table, these protection tools can really come in handy, so participants of important meetings should be aware of them and know how to use them.
Despite the innovations, Zoom developers admit they still have a lot to do. The RSA 2021 talk also shed light on Zoom’s development path.
...