Security measures of Zoom: overview

During the pandemic the demand for video conferencing platforms increased. They allow employees to call and discuss company’s businesses. And personnel often speak about the information that is not to be transmitted to third-parties. Unfortunately, not all platforms care for users’ security. It is necessary to understand what security measures they take. The Analytical department of Falcongaze overviewed the security measures of Zoom platform.

So, Zoom client connects to company’s servers via secure connection https.

The platform uses symmetric and asymmetric encryption algorithms. Session keys are generated with a device-unique hardware ID. It prevents data tracking from other devices. Chats are encrypted in the way only a receiver can read a message.

Zoom also encrypts all media content (audio, video, screen sharing) on the app’s level using AES (Advanced Encryption Standard). The rest of data are encrypted according to TLS-standard. It concerns interactions in Zoom Rooms – the same standard is used. It is important that encryption is available for all users, not just for premium account users.

Zoom has 2FA. The second security layer can be either a single use code or a text message. The conference administrators can require users to use 2FA.

The company follows 2 principles concerning users’ data:

  • Zoom doesn’t sell private information regardless of who uses the platform: a businessman, a school or an ordinal user.
  • Zoom doesn’t use users’ data for advertising. The company uses only those data which it receives when a user visits its web-sites (ex. zoom.us). And a user can change cookie files configurations.

Nevertheless, in 2020, Zoom was criticized for lying about end-to-end encryption use. The company stated that all video calls are encrypted, but researchers figured out that there is no such function by default. Then the company promised to solve the issue.

They didn’t want to implement end-to-end encryption because it prevents monitoring if a user misuses the platform (they spread pornography, violence etc.). That is why along with encryption, machine learning algorithms were also implemented. They scan video calls for presence of nudity or cruelty via camera.

 

Important publications

What is UBA? 6 August 2019
What is DLP systems? 13 February 2019