Online safety and privacy is extremely important to us at AARNet, and as Zoom has become more widely used recently, AARNet wishes to address the increasing concern our customers may have with privacy and security relating to this service.
At AARNet we have taken steps to assist our customers with addressing these issues by providing:
The following information is provided to draw your attention to resources that may help you with addressing concerns your organisation or staff may have in relation to the use of Zoom:
29 June Update
On 30 May Zoom implemented AES-256 GCM encryption for all calls, coupled with a mandatory upgrade to version 5.x of the client software. This raised the encryption to a high-grade industry standard and also ensured that the user software was running a new release that included patches for recently discovered vulnerabilities. As part of this update, Zoom added the ability to see the level of encryption your active call is using and the location of the data centre where your call is being hosted. AARNet-hosted calls will present as on-premise, rather than as cloud in the case of Zoom-hosted calls.
Image: Detail provided while in a call
Zoom are working on implementing true end-to-end encryption, which will be released in beta in late July. With this encryption the users control the encryption keys, rather than the current system where the server infrastructure holds them. The implementation will be similar to Apple's FaceTime and iMessage services.
To increase the overall security posture of meetings, from 19 July all Zoom calls on paid accounts will require either a Passcode (previously referred to as a password) or a Waiting Room. This Knowledge Base article covers the changes in more detail.
On 24 June, Zoom announced the appointment of a new CISO, Jason Lee, to increase the security posture of the company; he brings a wealth of industry experience from Salesforce and Microsoft.
Zoom are coming to the end of the 90-day security plan, which put a hold on new features in order to focus on security. At the end of this plan the security posture will be much better, and the ongoing security of the products has been assured through a far more integrated secure development process being implemented across the entire company.
30 April Update
Here are the latest updates to Zoom from a security perspective as at 30th April:
Release of Zoom Version 5.0
More details are available at the Zoom Blog
Here is the latest Zoom release timeline from the Zoom Blog:
Here is the icon displayed in the meeting for the encryption level currently in use:
Statistics displayed in the updated Zoom client showing the encryption level of the meeting:
AARNet is in the process of upgrading its infrastructure to meet the version 5 core system requirements, ready for the release of full AES 256-bit GCM support on May 30.
17 April Update
Zoom has completed a number of security updates since April 8 as part of its 90-day security plan commitments.
Alex Stamos, ex Facebook CSO and Adjunct Professor at Stanford University has begun work with Zoom in a security advisor role.
A CISO Council Advisory Board Members group has been formed to advise Zoom on security. The group includes representatives from HSBC, NTT Data, Procore and Ellie Mae.
New features have been rolled out:
Here’s the Zoom blog post covering the updates:
Zoom 90-day security plan progress report, 15 April (Zoom Blog)
Zoom have provided a release date for paid subscribers to have control over the routing of their Zoom calls. This will be released on 18th April as per this blog post.
Coming April 18: Control your Zoom data routing (Zoom Blog)
Some security researchers have noted the remarkable speed at which the company has responded to the security and privacy concerns arising from the huge increase in use and popularity in recent months. All the media attention is resulting in an improved product for users.
Get off Zoom's case: I trust them and so should you (Medium)
Interview with Patrick Wardle, the researcher who found bugs in Zoom, on the speed at which Zoom has responded to the issues:
Patrick Wardle on security flaws in Zoom software (Kiro Nights)
Singapore Ministry of Education have resumed use of Zoom as security concerns are being actively addressed.
Singapore MOE will allow teachers to ‘progressively’ resume use of Zoom (Channel NewsAsia)
AARNet released recommended Zoom settings for secure meetings. We recommend that all institutions and users review the Zoom settings.
8 April Update
Zoom has made an important update to help make meetings more private and secure. The most visible change that meeting hosts will see is an option in the Zoom meeting controls called Security. This new icon simplifies how hosts can quickly find and enable many of Zoom’s in-meeting security features:
Read the Zoom blog post for more information (Zoom Blog)
7 April Update
Use of Zoom in the Australian research and education sector has grown by more than 3000% in the past month. This extraordinary growth has led to a focus on security and privacy which is welcome and which will ultimately serve to better inform users and to make the product more secure.
A number of new articles in the media have raised concerns about the security of Zoom calls.
Zoom’s CEO has responded directly to criticisms of the platform in the media:
Read Zoom’s Message to Our Users (Zoom Blog 1 April 2020 by Eric S. Yuan)
Notably Zoom has committed to a feature freeze and to dedicate its engineering resources to focus on safety, privacy and trust.
Some of the recent press articles relate to Zoom recordings and how they are handled. Where AARNet hosts Zoom for customers, recordings of meetings or events go straight from AARNet’s Zoom servers onto CloudStor, without leaving the AARNet network.
If you are concerned about privacy of Zoom recordings, you can also record locally rather than into the cloud.
View instructions on how to record locally (Zoom Support)
The University of Toronto’s Citizen Lab recently raised questions about the location of servers used for meetings. Even during periods of high traffic, Zoom’s systems are designed to maintain geo-fencing around China for both primary and secondary datacenters — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China datacenters (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services).
Read Zoom’s response to the UoT report (Zoom Blog, 3 April 2020)
All customers on the AARNet-hosted Zoom platform have their encryption keys maintained within Australia on AARNet infrastructure, and all calls that remain Zoom-to-Zoom are encrypted as described in the Zoom Blog post. All content recorded on the AARNet platform is encrypted at rest and is not accessible to Zoom admins.
There was some miscommunication from Zoom, since addressed, relating to the term end-to-end (E2E) encryption. Whilst the communications on all Zoom-to-Zoom sessions are encrypted, they are not E2E encrypted, and the only instances where Zoom calls are not encrypted are when they traverse H.323 or SIP gateways.
Recently the media have referenced Zoom security flaws as part of the ongoing dialogue around Zoom security. This coverage relates to the already patched issues highlighted in CVE-2019-13567 (score 6.8) and CVE-2019-13450 (score 4.3), so as long as the regular update mechanisms are followed these will not be an issue for users.
A recent article from the Washington Post called out Zoom recordings freely available on the internet. To clarify, Zoom recordings are never openly exposed to the internet unless they are placed in another system separate from Zoom after the recording has been made and access to that system is not restricted, which would be the case for any data placed in such a repository.
As Zoom have stated on their blog, “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
To address questions around Zoom’s claims for end-to-end encryption for Zoom meetings and webinars raised in the media, Zoom published the article below on 1 April, 2020:
AARNet and Zoom have published the following articles to assist with preventing ‘Zoombombing’ and mitigating security breaches with video conferencing:
To address Zoombombing by screen sharing, on 26 March 2020, Zoom released an update to Screen Sharing so that Zoom meetings do not allow anyone in the meeting to screen share unless permitted by the host of the meeting:
AARNet encourages all customers to review the available security features in the Zoom platform and to start applying them as soon as possible. Students should also be reminded of the safe and acceptable use policy for information technology services.