Amidst the coronavirus pandemic, work-from-home policies have led employees to use video conferencing apps like Zoom. The video calling app is used not just for business-related purposes, but also for conducting online classes, virtually connecting with friends, etc. Along with its growing popularity, Zoom is under the scanner for claiming on its website to offer end-to-end encryption, which is not really the case.
“Zoom's solution and security architecture provides end-to-end encryption and meeting access controls so data in transit cannot be intercepted”, according to the company’s website. However, a recent report by The Intercept reveals that video calls on Zoom are not end-to-end encrypted. Instead, only the text messages shared on the platform follow the security protocol.
When the company was asked for a clarification by The Intercept, it said, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”
TLS, which stands for Transport Layer Security, secures the connection between you and the server you’re connected to. When using TLS, the server (Zoom, in this case) can see your data, which is not possible with end-to-end encryption. This basically means that the video and audio content of a Zoom meeting will stay private from anyone trying to snoop on the Wi-Fi network, but not from the company.
In the case of end-to-end encryption, the data can be accessed and decrypted only by the sender and receiver as they are the only ones with the unique decryption keys.
Zoom further clarified, “When we use the phrase ‘End to End’ in our other literature, it is in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.” While the company considers Zoom servers to be endpoints, it is necessary to know that the server sits between the Zoom clients during a call.
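The difference between the two models, as an added example that is not Zoom's code or part of the original article: a relay that terminates encryption on each hop can read every frame, while a relay that forwards an end-to-end payload cannot. `Relay`, `seal`, `unseal` and the client names are hypothetical, a toy SHA-256 keystream with HMAC stands in for AES so the block needs only the standard library, and the end-to-end key is assumed to have been agreed between the two clients without the server.

```python
import hashlib, hmac, secrets

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC. Toy SHA-256 keystream standing in for AES."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Relay:
    """Hypothetical server between two clients; holds one transport key per client."""
    def __init__(self, keys):
        self.keys = keys   # client name -> key that client shares with the server
        self.seen = []     # every plaintext the relay was able to read

    def forward_transport(self, sender, receiver, blob):
        plain = unseal(self.keys[sender], blob)    # server decrypts the first hop
        self.seen.append(plain)
        return seal(self.keys[receiver], plain)    # and re-encrypts for the second

    def forward_e2e(self, blob):
        for key in self.keys.values():             # none of the relay's keys fit
            if (plain := unseal(key, blob)) is not None:
                self.seen.append(plain)
        return blob                                # forwarded as opaque bytes

def demo():
    frame = b"constructed sample: audio frame 0001"
    k_alice, k_bob, k_e2e = (secrets.token_bytes(32) for _ in range(3))
    relay = Relay({"alice": k_alice, "bob": k_bob})  # k_e2e is never given to it
    got_transport = unseal(k_bob, relay.forward_transport("alice", "bob", seal(k_alice, frame)))
    seen_transport, relay.seen = relay.seen, []
    got_e2e = unseal(k_e2e, relay.forward_e2e(seal(k_e2e, frame)))
    return got_transport, seen_transport, got_e2e, relay.seen

if __name__ == "__main__":
    print(demo())
```

In both runs the receiver recovers the frame; only in the transport run does the relay's `seen` list contain it.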
The company claims that it does not directly access, mine, or sell user data.
This is not the first time that Zoom has come under scrutiny for the security measures on its platform. Zoom was reportedly forced to update its iOS app and remove the code that allowed it to send data from the user's device to Facebook.
The company was also accused of leaking user email addresses and media to strangers. According to a Vice report, the company leaked the personal information of at least thousands of users, including their email addresses and photos, and gave strangers the ability to attempt to start a video call with them through Zoom. The issue occurred due to a ‘Company Directory’, which stores all the email addresses from a particular domain. It treats people whose email addresses share a domain name (like Gmail) as if they are working for the same company. If your email address is saved under any such directory, then a stranger can place a Zoom call to you or even see your media content.
The same method could have been used by the miscreants who hacked into BARC’s second post-COVID-19 viewership insights conference and posted abusive messages.