How Zoom moved toward end-to-end encryption

How Zoom security is evolving, what threats are still current, and how developers plan to eliminate them.

How Zoom security is evolving, what threats are still current, and how developers plan to eliminate them

Zoom’s presentation at RSA Conference 2021 focused on end-to-end encryption in Zoom Cloud Meetings. The company explained why its developers are focusing on the issue, how they plan to make calls more secure, and what other new, security-related features users can expect.

A little history

The pandemic forced many of us to switch to long-term remote work and communicate with colleagues and loved ones through teleconferencing software. Zoom’s high popularity aroused the interest of security experts and cybercriminals alike, whereupon many quickly learned that not all was well with the platform’s security. For example, the software was found to contain vulnerabilities that allowed attackers to spy on users through their cameras and microphones, and raids by online trolls even got their own name: Zoombombing. Zoom’s response was quick and far-reaching, but issues remained.

A major gripe about Zoom was that the platform used point-to-point encryption (P2PE) instead of end-to-end encryption (E2EE).

E2EE vs P2PE

At first glance, the two systems may seem similar: Both encrypt the data that users exchange. But with P2PE, the server can access users’ messages, whereas E2EE encrypts information on the sender’s device and decrypts it only on the recipient’s end. However, this detail has potential for trouble, which Zoom developers highlighted at the conference:

  • Cybercriminals could breach the server, steal the encryption keys stored there, and join meetings in real invitees’ places or spoof their messages;
  • Opportunistic employees of the cloud provider or Zoom itself could gain access to keys and steal users’ data.

No one wants private conversations with family and friends, let alone secret business talks, made public. What’s more, if a hacker were to use stolen keys only for passive eavesdropping, that would be extremely difficult to detect.

E2EE solves those problems by storing decryption keys on users’ devices, and only there. That means hacking the server would not enable an intruder to eavesdrop on a video conference.

Naturally, then, many have been longing for Zoom to switch to E2EE, already a de facto standard for messaging apps.

End-to-end encryption in Zoom: State of play

The developers listened to the criticism and took steps to improve platform security, including implementing E2EE.

Zoom has used E2EE for audio and video calls as well as chat since the fall of 2020. When it is enabled, Zoom protects participants’ data with a so-called conference encryption key. The key is not stored on Zoom’s servers, so even the developers can’t decrypt the content of conversations. The platform stores only encrypted user IDs and some meeting metadata such as call duration.

To guard against outside connections, developers also introduced the Heartbeat feature, a signal that the meeting leader’s app automatically sends to other users. It contains, among other things, a list of attendees to whom the meeting leader sent the current encryption key. If someone not in the list joins the meeting, everyone immediately knows something is wrong.

Another way to keep out uninvited participants is to lock the meeting (using the appropriately titled Lock Meeting feature) once all of the guests have gathered. You have to lock meetings manually, but once you have, no one else can join, even if they have the meeting ID and password.

Zoom also protects against man-in-the-middle attacks with encryption key replacement. To make sure an outsider isn’t eavesdropping, the meeting leader can click a button at any time to generate a security code based on the current meeting encryption key. The code is likewise generated for the other meeting participants automatically. It remains for the leader to read this code aloud; if it matches everyone else’s, then everyone is using the same key and all is well.

Finally, if the meeting leader leaves the meeting and someone else takes over, the app reports the handoff. If it seems suspicious to others on the call, they can pause any top-secret discussions to work everything out.

Of course, if you’re just having a Zoom party with friends, you probably have no need to use all of those security mechanisms. But if business (or other) secrets are on the virtual table, these protection tools can really come in handy, so participants of important meetings should be aware of them and know how to use them.

Despite the innovations, Zoom developers admit they still have a lot to do. The RSA 2021 talk also shed light on Zoom’s development path.

What the future holds for Zoom

The developers identified a number of threats for which they have yet to implement effective countermeasures. One is outside infiltration of meetings by people posing as invited users. Another is that E2EE protection does not prevent attackers from learning some metadata, such as call duration, names of participants, and IP addresses. Nor can we exclude vulnerabilities in the program from the list of risks; in theory, cybercriminals could embed malicious code in Zoom.

With these threats in mind, Zoom’s developers listed the following goals:

  • Prevent all but invited and approved participants from gaining access to events;
  • Prevent any participants removed from an event from reconnecting to it;
  • Prevent interference from anyone not admitted to the meeting;
  • Let bona fide attendees report abuses to Zoom’s security team.

Road map

To achieve these goals, the developers created a four-stage road map. Stage one has already been implemented. As we said, they’ve changed the system for managing the conference encryption key so that it is stored only on users’ devices, as well as improved the means of protection against outsiders joining meetings.

At stage two, they plan to introduce user authentication that is not reliant on Zoom’s servers but will instead be based on single sign-on (SSO) technology involving independent identity providers (IDPs).

As a result, a would-be intruder cannot fake a user’s identity, even by gaining control of the Zoom server. If someone joins an event pretending to be an invitee but with a new public key, others will be alerted to the potential threat.

Stage three will introduce the transparency tree concept, storing all identities in an authenticated, auditable data structure to ensure all users have a consistent view of any identity and detect impersonation attacks. Zoom’s intent is to strengthen the platform’s protection from man-in-the-middle attacks.

At the final, fourth stage, the developers plan to make checking an identity easier when a user connects from a new device. To link a new gadget, the user will need to confirm its legitimacy, for example by scanning a QR code on the screen of a trusted phone or computer. That will prevent an attacker from linking a device to someone else’s account.

Security without sacrifice

When implementing additional security mechanisms, it is important to consider how they will affect ordinary users. Zoom’s developers are considering this aspect as well. For example, one proposed innovation is the use of personal device clouds. Such technology will simplify the process of adding new gadgets to an account while helping secure it.

For example, if you normally use a computer for Zoom calls but then download and sign in from your smartphone, the next time you open Zoom on your computer, you’ll see that a new gadget has signed in. If you approve it, both devices will be linked to a single cloud, and other meeting participants will know it is you and not an interloper.

A device cloud also lets you check which gadgets are logged in to your account and revoke trusted status for any of them. On top of that, the developers plan to add an option to switch to E2EE mid-meeting and many other useful features.

Will Zoom become more secure?

The short answer is yes, Zoom’s security continues to improve. The company has already done a great deal to guard against outside interference, and it has even more protection tools in development. On a separate note, it is nice to see that Zoom is trying to blend security with ease of use.

Of course, a lot depends on Zoom’s users. As with everything online, videoconferencing requires common sense and knowledge of the available protection mechanisms. It is important to heed warnings from the platform and refrain from confidential talks if something looks suspicious and you cannot rule out a data leak.