The newly popular videoconferencing app Zoom has endured a torrid few weeks since the coronavirus crisis resulted in hundreds of thousands of new users and a substantial increase in scrutiny of its code and security provisions.
In response to the deluge of negative publicity that followed, Zoom pledged a 90-day plan to tighten things up and improve the security of its users and their videoconferences.
The result is Zoom version 5, which the company launched to great fanfare yesterday. And if some recent Zoombombing accounts are anything to go by, it can’t come a moment too soon.
The new Zoombombing phenomenon
Zoombombing involves hackers infiltrating a videoconference on Zoom and sharing offensive or illegal content with those taking part.
The BBC reports this morning on three cases where videoconferences have been interrupted by hackers sharing extreme and hugely distressing clips of children being sexually abused.
According to the report, one videoconference was on the topic of legal education and had around 40 participants. Another was run by the Open Rights Group, an organisation VPNCompare proudly supports, while the third confirmed case was a videoconference organised by the Federation of Young European Greens.
All three cases have been reported to the police and the Internet Watch Foundation, an organisation that works to remove child abuse images from the internet. Zoom’s response to the incident is frankly far from satisfactory. So far, all they have said is that they are “looking into” the incidents.
These three incidents appear to be the tip of the iceberg. Other reports of racist abuse and uninvited guests crashing calls have proliferated. While Zoom has grudgingly admitted that it has struggled to cope with the increase in demand for its service and the problems it has caused, to date it has offered few meaningful solutions.
Will Zoom version 5 help?
One of the biggest concerns that security researchers, privacy activists, and journalists have raised about Zoom is the lack of end-to-end encryption. This means that it is relatively easy for hackers to hijack a videoconference and even join it themselves without being invited or entering a password.
Zoom states that version 5 includes support for 256-bit AES-GCM encryption, which is a type of end-to-end encryption that VPN users will be familiar with.
The current version of Zoom only uses AES-ECB, which is far from adequate and makes it relatively simple for hackers to access data in transit. The introduction of 256-bit AES end-to-end encryption should improve this.
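Why AES-ECB is considered inadequate, and what AES-GCM changes, can be seen by encrypting the same data under both modes. The following is an added example, not Zoom's code or anything from the original article; the function names, the all-zero key and the sample plaintext are constructed for illustration. It goes slightly beyond the text by also showing that GCM rejects a message modified in transit.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// distinctBlocks counts the distinct 16-byte blocks in ct.
func distinctBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

// compare encrypts pt under AES-ECB and AES-GCM and returns each mode's distinct
// ciphertext block count, plus whether GCM rejected a one-bit modification.
func compare(key, pt []byte) (ecb, gcm int, rejected bool, err error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, false, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return 0, 0, false, fmt.Errorf("plaintext length %d is not a multiple of 16", len(pt))
	}
	ecbCT := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		blk.Encrypt(ecbCT[i:], pt[i:]) // ECB: each block encrypted on its own, no IV
	}
	aead, _ := cipher.NewGCM(blk) // cannot fail for AES's 128-bit block size
	nonce := make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return 0, 0, false, err
	}
	sealed := aead.Seal(nil, nonce, pt, nil) // ciphertext || 16-byte tag
	ecb, gcm = distinctBlocks(ecbCT), distinctBlocks(sealed[:len(pt)])
	sealed[0] ^= 1 // simulate tampering in transit: flip one ciphertext bit
	_, openErr := aead.Open(nil, nonce, sealed, nil)
	return ecb, gcm, openErr != nil, nil
}

func main() {
	// Constructed inputs: three identical 16-byte blocks and an all-zero demo key.
	pt := []byte("SAME-VIDEO-BLOCKSAME-VIDEO-BLOCKSAME-VIDEO-BLOCK")
	fmt.Println(compare(make([]byte, 32), pt)) // prints: 1 3 true <nil>
}
```

Under ECB the three identical plaintext blocks collapse into one repeated ciphertext block, so anyone watching the traffic can see structure in the data without holding the key; under GCM every block differs and the altered message fails authentication.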
Another big worry has been that Zoom was found to be passing a fair bit of its data through servers based in Communist China. What this effectively means is that the Chinese Communist Party would be able to access any of this data.
Given that Zoom is being used by big businesses and governments around the world, that presents very significant potential security implications.
Zoom claims that version 5 will give users the option to choose which region of the world they want their data to be processed in. This is a diplomatic way of saying if you don’t trust Communist China, you can stop your data being sent there.
It is a positive step for the privacy and security of Zoom users. But there are still plenty of unanswered questions. How easy will it be to make this change in practice? How will it affect Zoom’s speeds and other functions? How will their infrastructure cope if the majority of users opt to send traffic elsewhere?
To try to stop hackers getting into videoconferences through brute-force attacks or by scanning social media for shared access details, Zoom version 5 will also have its waiting room feature enabled by default for all users. This allows hosts to vet all participants before they are allowed onto a call.
The wait continues
All of these developments sound extremely positive, and given the tsunami of criticism Zoom has received in recent weeks, it will come as no surprise that they are shouting about version 5 from the rooftops.
Zoom is already urging all users to “upgrade to version 5 now”. There is just one problem with that. Head over to the download page of their website and, at the time of writing, version 5 is not actually available yet.
Scrutinise the details of Zoom’s announcement and it becomes clear that there isn’t actually a confirmed launch date for version 5 yet either.
In reference to the introduction of end-to-end encryption, Zoom’s Colleen Rodriguez is quoted as saying “System-wide account enablement will take place on May 30.”
This could mean that the introduction of end-to-end encryption will not be formalized until the end of next month. Or it could mean version 5 will not actually see the light of day until then either.
Whichever is the case, it seems that Zoom users still have a considerable wait ahead of them before they can use its videoconferencing technology with confidence.