
Zoom under fire for ‘misleading’ encryption claims

Video conferences and communications held on the Zoom platform are not actually end-to-end encrypted, a new report has revealed. Zoom offers video conferencing technology and has enjoyed a huge growth in popularity in light of people around the world having to work from home due to the COVID-19 pandemic. The company states on its website and an accompanying white paper that it supports end-to-end encryption for meetings held on the platform.

This would mean that the company could not access the video and surrounding communications at all, as with the protections used by WhatsApp. But a new report by The Intercept has found that this is not the case: the platform actually offers only “transport encryption”, the same protection used to secure HTTPS websites. With this form of protection, data is encrypted between Zoom users and the company’s servers, but the company could still access it in unencrypted form.
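The difference described above can be shown from the provider's side. The following is an added example, not code from the article or from Zoom: it models each client-to-server link with a pre-shared AES-256-GCM key instead of a real TLS handshake, and the names `relay`, `aliceLink`, `bobLink` and `e2eKey` are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal encrypts msg with AES-256-GCM and prepends the random nonce.
func seal(key, msg []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, msg, nil)
}

// open reverses seal and panics on a wrong key or altered data.
func open(key, box []byte) []byte {
	g := aead(key)
	return must(g.Open(nil, box[:g.NonceSize()], box[g.NonceSize():], nil))
}

// relay models the provider: it removes the sender's link encryption, holds the payload, re-encrypts for the receiver.
func relay(inKey, outKey, wire []byte) (serverSees, forwarded []byte) {
	serverSees = open(inKey, wire)
	return serverSees, seal(outKey, serverSees)
}

// demo returns the server's view in each mode and what Bob recovers under E2E.
func demo(msg []byte) (transportView, e2eView, bobGets []byte) {
	aliceLink, bobLink, e2eKey := random(32), random(32), random(32) // e2eKey is never given to relay
	transportView, _ = relay(aliceLink, bobLink, seal(aliceLink, msg))
	e2eView, fwd := relay(aliceLink, bobLink, seal(aliceLink, seal(e2eKey, msg)))
	return transportView, e2eView, open(e2eKey, open(bobLink, fwd))
}

func main() {
	t, e, b := demo([]byte("constructed sample message"))
	fmt.Printf("transport-only, server holds: %q\nE2E, server holds: %x\nE2E, Bob decrypts: %q\n", t, e, b)
}
```

The relay code is identical in both modes; the only thing that changes what the provider can read is whether the clients encrypt under a key the provider never receives.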

The report said Zoom has been using “misleading marketing”. The issue appears to be around the use of the phrase “end-to-end encryption”, with Zoom claiming their use of the phrase was not meant to imply the widely used definition of this form of encryption. “When we use the phrase ‘end to end’ in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point…content is not decrypted as it transfers across the Zoom cloud,” a Zoom spokesperson told The Intercept.

The company has said it has now disabled this feature. New York Attorney General Letitia James has opened an investigation into Zoom’s data privacy and security practices, asking it what new security measures have been put in place to deal with the vastly increased traffic.

James also questioned the company’s response to identified vulnerabilities and flaws, saying they could “enable malicious third parties to, among other things, gain surreptitious access to consumer webcams”. “If you’re having a committee meeting via Zoom and you use the chat function to privately write to someone, your colleagues may not see it in real time, but it shows up when the chat is downloaded and put in the minutes folder,” they posted.

In response, a Zoom spokesperson said this can be easily avoided depending on what feature is being used. “If a host chooses to record a Zoom meeting to the cloud, only chats sent publicly (to everyone in the meeting) are saved,” the spokesperson said. “If a host chooses to record a Zoom meeting locally, then chats sent publicly, as well as any private chat exchanges that the host who chose to record the meeting participated in during session, are saved.”

While Zoom’s stock has risen rapidly in recent weeks, so too have shares in a mysterious China-based company that has the ZOOM ticker. After investors were apparently confused about which was the real video conferencing company, the SEC moved to suspend trading in the Chinese company, which hadn’t provided any update to the market in several years.