AARNet’s response to Zoom security and privacy issues
Online safety and privacy is extremely important to us at AARNet, and as Zoom has become more widely used recently, AARNet wishes to address the increasing concern our customers may have with privacy and security relating to this service.
At AARNet we have taken steps to assist our customers with addressing these issues by providing:
Responses to some of the security and privacy concerns that have been highlighted in the press and on social media.
Links to Zoom’s own responses to security and privacy issues and the applicable Zoom policies.
Recommendations for how users should configure their Zoom sessions to protect their meetings and recordings from unwanted access. More detail can be found in our AARNet Zoom Knowledge Base.
The following information is provided to draw your attention to resources that may help you with addressing concerns your organisation or staff may have in relation to the use of Zoom:
29 June Update
Implementation of AES 256 GCM encryption
On 30th May Zoom implemented AES256 GCM encryption for all calls which was coupled with a mandatory upgrade to version 5.x of the client software. This move increased the encryption to a high grade industry standard and also ensured the user software was running a new release version which included the patching for recent discovered vulnerabilities. As part of this update, Zoom included the ability to see the level of encryption you active call is using and the location of the data centre where your call is being hosted. AARNet hosted calls will present as an on-premise rather than cloud in the case of Zoom hosted.
Image: Detail provided while in a call
Release of End-to-End Encryption Plan
Zoom are working on the implementation of true end-to-end encryption which will be released in beta version late July. This encryption will mean the users control the encryption keys rather than the current system where the server infrastructure maintains control of these keys. The implementation will be similar to the Apple FaceTime and iMessage services.
Passcode and Waiting Room 19 July 2020
To increase the overall security posture of meetings, all Zoom calls from July 19th will mandate either a Passcode (Previously referred to password) or Waiting Room for all paid accounts. This Knowledge Base article covers the changes in more detail.
Announcement of New CISO
On June 24th, Zoom announced the appointment of a new CISO, Jason Lee to increase the security posture of the company and with him comes a wealth of industry experience with Salesforce and Microsoft.
90 Day Security Plan
Zoom are coming to the end of the 90 day security plan which maintained a hold on new features to focus on security. At eh end of this plan, the security posture will be much better and the ongoing security of the products have been assured through a far more integrated secure development process being implemented across the entire company.
30 April Update
Here are the latest updates to Zoom from a security perspective as at 30th April:
Release of Zoom Version 5.0
Introduces the support for AES 256-bit GCM encryption which will be implemented post Zoom Infrastructure upgrades to be completed by May 30 when version 5 will be mandated for meeting access.
Introduction of a Report a User Function – This report goes to the Zoom Trust and Safety team to review.
Introduction of an Encryption icon in the Zoom meeting.
Display which Data Centre the meeting is connected to while meeting is in progress.
Recent relevant media commentary on Zoom Use and Security
Some security researchers have identified the amazing speed at which the company has been responding to the security and privacy concerns as a result of the huge increase in use and popularity in recent months. All the media attention is resulting in an improved product for users.
Zoom has made important update to help make meetings more private and secure. The most visible change that meeting hosts will see is an option in the Zoom meeting controls called Security. This new icon simplifies how hosts can quickly find and enable many of Zoom’s in-meeting security features:
Use of Zoom in the Australian research and education sector has grown by more than 3000% in the past month. This extraordinary growth has led to a focus on security and privacy which is welcome and which will ultimately serve to better inform users and to make the product more secure.
A number of new articles in the media have raised concerns about the security of Zoom calls.
Zoom’s CEO has responded directly to criticisms of the platform in the media:
Notably Zoom has committed to a feature freeze and to dedicate its engineering resources to focus on safety, privacy and trust.
Some of the recent press articles relate to Zoom recordings and how they are handled. Where AARNet hosts Zoom for customers, recordings of meetings or events go straight from AARNet’s Zoom servers onto CloudStor, without leaving the AARNet network.
If you are concerned about privacy of Zoom recordings, you can also record locally rather than into the cloud.
The University of Toronto’s Citizen Lab recently raised questions about the location of servers used for meetings. Even during periods of high traffic, Zoom’s systems are designed to maintain geo-fencing around China for both primary and secondary datacenters — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China datacenters (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services).
All customers on the AARNet hosted Zoom platform have their encryption keys maintained within Australia on the AARNet infrastructure and all calls maintained on a Zoom to Zoom basis are encrypted as per the explanation provided in the Zoom Blog post. All content recorded on the AARNet platform is encrypted at rest and is not accessible by Zoom admins.
There was some mis-communication provided by Zoom which has since been addressed relating to the term end-to-end (E2E) encryption. Whilst the communications on all Zoom to Zoom sessions are encrypted, it is not E2E and the only instances where Zoom calls are not encrypted is when they traverse H323 or SIP gateways.
Security Flaws in Zoom Software
Recently the media have referenced Zoom security flaws as part of the ongoing dialogue around Zoom security. This coverage relates to the patched issues highlighted in CVE-2019-13567 (Score 6.8) and CVE-2019-13450 (Score 4.3), so as long as the regular update mechanisms are followed, these will not be an issue for users.
Zoom Recordings Exposed on Internet
A recent article from the Washington Post called out Zoom recordings freely available on the internet. To provide some clarification on this, Zoom recordings are never openly exposed to the internet, unless they are placed in another system separate to Zoom after the recording has been made and the access is not restricted which would be the same for any data placed in this type of repository.
Zoom and Interception Capabilities
As Zoom have stated on their blog, “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
To address Zoombombing by screen sharing, on 26 March 2020, Zoom released an update to Screen Sharing so that Zoom meetings do not allow anyone in the meeting to screen share unless permitted by the host of the meeting:
AARNet encourages all customers to review the available security features in the Zoom platform and to start applying them as soon as possible. Students should also be reminded on the safe and acceptable use policy of information technology services.
Privacy and Zoom