At AARNet we have taken steps to assist our customers with addressing these issues by providing:

• Responses to some of the security and privacy concerns that have been highlighted in the press and on social media.
• Links to Zoom’s own responses to security and privacy issues and the applicable Zoom policies.
• Recommendations for how users should configure their Zoom sessions to protect their meetings and recordings from unwanted access. More detail can be found in our AARNet Zoom Knowledge Base.

The following information is provided to draw your attention to resources that may help you with addressing concerns your organisation or staff may have in relation to the use of Zoom:

29 June Update

Implementation of AES 256 GCM encryption

On 30th May Zoom implemented AES256 GCM encryption for all calls which was coupled with a mandatory upgrade to version 5.x of the client software. This move increased the encryption to a high grade industry standard and also ensured the user software was running a new release version which included the patching for recent discovered vulnerabilities. As part of this update, Zoom included the ability to see the level of encryption you active call is using and the location of the data centre where your call is being hosted. AARNet hosted calls will present as an on-premise rather than cloud in the case of Zoom hosted.

Image: Detail provided while in a call

Release of End-to-End Encryption Plan

Zoom are working on the implementation of true end-to-end encryption which will be released in beta version late July. This encryption will mean the users control the encryption keys rather than the current system where the server infrastructure maintains control of these keys. The implementation will be similar to the Apple FaceTime and iMessage services.

Passcode and Waiting Room 19 July 2020

To increase the overall security posture of meetings, all Zoom calls from July 19^th will mandate either a Passcode (Previously referred to password) or Waiting Room for all paid accounts. This Knowledge Base article covers the changes in more detail.

Announcement of New CISO

On June 24^th, Zoom announced the appointment of a new CISO, Jason Lee to increase the security posture of the company and with him comes a wealth of industry experience with Salesforce and Microsoft.

90 Day Security Plan

Zoom are coming to the end of the 90 day security plan which maintained a hold on new features to focus on security. At eh end of this plan, the security posture will be much better and the ongoing security of the products have been assured through a far more integrated secure development process being implemented across the entire company.

30 April Update

Here are the latest updates to Zoom from a security perspective as at 30^th April:

Release of Zoom Version 5.0

• Introduces the support for AES 256-bit GCM encryption which will be implemented post Zoom Infrastructure upgrades to be completed by May 30 when version 5 will be mandated for meeting access.
• Introduction of a Report a User Function – This report goes to the Zoom Trust and Safety team to review.
• Introduction of an Encryption icon in the Zoom meeting.
• Display which Data Centre the meeting is connected to while meeting is in progress.

More details are available at the Zoom Blog

Here is the latest Zoom release timeline from the Zoom Blog:

Here is the icon displayed in the meeting for the encryption level currently in use:

Statistics displaying on the updated Zoom Client showing the encryption level of the meeting:

AARNet is in the process of upgrading their infrastructure to support the version 5 core system support requirements ready for the release on May 30 of the full AES 256-bit GCM support.

17 April Update

Zoom has completed a number security updates since April 8, as part of their 90-day security plan commitments.

Alex Stamos, ex Facebook CSO and Adjunct Professor at Stanford University has begun work with Zoom in a security advisor role.

A CISO Council Advisory Board Members group has been formed to advise Zoom on security. The group includes representatives from HSBC, NTT Data, Procore and Ellie Mae.

New features have been rolled out:

• Waiting room on by default for free and pro accounts (This is fully configurable by Zoom Admins on Enterprise versions)
• Password on by default for free and pro accounts (This is fully configurable by Zoom Admins on Enterprise versions)
• Alphanumeric characters in passwords for Basic Accounts (Enterprise accounts can control this)
• Removed meeting ID from title bar
• One time meeting ID’s will be 11 digits for new scheduled meetings
• Security Icon in meeting now available (Host and co-hosts only)
• Host can disable renaming of participants
• Passwords on by default for cloud recordings (complexity requirements are included in this)
• Chat changes to mask the content of messages in the notification
• File sharing security enhancement in Chat
• Admins have the ability to define meeting/webinar password guidelines

Here’s the Zoom blog post covering the updates:

Zoom 90 day security plan progress report 15 april (Zoom Blog)

New Data Routing Control Feature

Zoom have provided a release date for paid subscribers to have control over the routing of their Zoom calls. This will be released on 18^th April as per this blog post.

Coming April 18-Control your Zoom data routing (Zoom Blog)

Recent relevant media commentary on Zoom Use and Security

Some security researchers have identified the amazing speed at which the company has been responding to the security and privacy concerns as a result of the huge increase in use and popularity in recent months. All the media attention is resulting in an improved product for users.

Get off Zooms case: I trust them and so should you (Medium)

Interview with Patrick Wardle, the researcher who found bugs in Zoom and his responses to the speed at which Zoom has responded to the issues:

Patrick Wardle on security flaws in Zoom software (Kiro Nights)

Singapore Ministry of Education have resumed use of Zoom as security concerns are being actively addressed.

Singapore MOE will allow teachers to ‘progressively’ resume use of Zoom (Channel New Asia)

Recommended Zoom settings for secure meetings

AARNet released recommended Zoom settings for secure meetings. We recommend that all institutions and users review the Zoom settings.

• For Admins: What Zoom settings should Zoom Owners and Admins apply to secure meetings (AARNet Support)
• For Users: What Zoom settings should users hosts apply to secure virtual meetings-classrooms (AARNet Support)
• To prevent Zoombombing: Zoombombing and tips for preventing it (AARNet Blog)

8 April Update

Zoom Security

Zoom has made important update to help make meetings more private and secure. The most visible change that meeting hosts will see is an option in the Zoom meeting controls called Security. This new icon simplifies how hosts can quickly find and enable many of Zoom’s in-meeting security features:

Read the Zoom blog post for more information (Zoom Blog)

7 April Update

Use of Zoom in the Australian research and education sector has grown by more than 3000% in the past month. This extraordinary growth has led to a focus on security and privacy which is welcome and which will ultimately serve to better inform users and to make the product more secure.

A number of new articles in the media have raised concerns about the security of Zoom calls.

Zoom’s CEO has responded directly to criticisms of the platform in the media:

Read Zoom’s Message to Our Users (Zoom Blog 1 April 2020 by Eric S. Yuan)

Notably Zoom has committed to a feature freeze and to dedicate its engineering resources to focus on safety, privacy and trust.

Cloud Recordings

Some of the recent press articles relate to Zoom recordings and how they are handled. Where AARNet hosts Zoom for customers, recordings of meetings or events go straight from AARNet’s Zoom servers onto CloudStor, without leaving the AARNet network.

If you are concerned about privacy of Zoom recordings, you can also record locally rather than into the cloud.

View instructions on how to record locally (Zoom Support)

The University of Toronto’s Citizen Lab recently raised questions about the location of servers used for meetings. Even during periods of high traffic, Zoom’s systems are designed to maintain geo-fencing around China for both primary and secondary datacenters — ensuring that users outside of China do not have their meeting data routed through Zoom’s mainland China datacenters (which consist of infrastructure in a facility owned by Telstra, a leading Australian communications provider, as well as Amazon Web Services).

Read Zoom’s response to the UoT report (Zoom Blog, 3 April 2002)

AARNet Hosted Zoom Customers Encryption Key Management

All customers on the AARNet hosted Zoom platform have their encryption keys maintained within Australia on the AARNet infrastructure and all calls maintained on a Zoom to Zoom basis are encrypted as per the explanation provided in the Zoom Blog post. All content recorded on the AARNet platform is encrypted at rest and is not accessible by Zoom admins.

There was some mis-communication provided by Zoom which has since been addressed relating to the term end-to-end (E2E) encryption. Whilst the communications on all Zoom to Zoom sessions are encrypted, it is not E2E and the only instances where Zoom calls are not encrypted is when they traverse H323 or SIP gateways.

Security Flaws in Zoom Software

Recently the media have referenced Zoom security flaws as part of the ongoing dialogue around Zoom security. This coverage relates to the patched issues highlighted in CVE-2019-13567 (Score 6.8) and CVE-2019-13450 (Score 4.3), so as long as the regular update mechanisms are followed, these will not be an issue for users.

Zoom Recordings Exposed on Internet

A recent article from the Washington Post called out Zoom recordings freely available on the internet. To provide some clarification on this, Zoom recordings are never openly exposed to the internet, unless they are placed in another system separate to Zoom after the recording has been made and the access is not restricted which would be the same for any data placed in this type of repository.

Zoom and Interception Capabilities

As Zoom have stated on their blog, “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”

Relevant Reference Articles on Zoom Security

• Zoom Response to Citizen Labs Research on Geo-Fencing (Zoom blog)
• Why Zoom Isn’t Malware (Medium – covers the broad spectrum of Zoom criticisms)
• Thousand of Zoom video calls left exposed on open web (Washington Post)
• Common Vulnerabilities and Exposures (CVE) list for Zoom (cvedetails.com)
• Australian Cyber Security Centre Advice on Video Conferencing (cyber.gov.au)
• ZOMG it’s ZOOM webcast (sans.org)

1 April 2020

Encryption for Webinars/Meetings

To address questions around Zoom’s claims for end-to-end encryption for Zoom meetings and webinars raised in the media, Zoom published the article below on 1 April, 2020:

• The Facts Around Zoom Encryption for Meetings/Webinars (Zoom Blog, 1 April 2020)

Zoombombing and security with video conferencing

AARNet and Zoom have published the following articles to assist with preventing ‘Zoombombing’ and mitigating security breaches with video conferencing:

• Best practices for securing your virtual classroom (Zoom Blog)
• Zoombombing and tips for preventing it (AARNet Blog)
• How to mitigate the security risks of video conferencing (AARNet Blog)

To address Zoombombing by screen sharing, on 26 March 2020, Zoom released an update to Screen Sharing so that Zoom meetings do not allow anyone in the meeting to screen share unless permitted by the host of the meeting:

• Update to sharing settings for Education accounts (Zoom Support)

AARNet encourages all customers to review the available security features in the Zoom platform and to start applying them as soon as possible. Students should also be reminded on the safe and acceptable use policy of information technology services.

Privacy and Zoom

To address concerns raised in the media about Zoom’s handling and use of user and meeting data and its Privacy Policy, Zoom has released the following public statements:

• Zoom’s Use of Facebook’s SDK in iOS Client (Zoom Blog, 27 March, 2020 )
• Zoom’s Privacy Policy Response to Media (Zoom Blog, 29 March 2020)
• Zoom’s latest Privacy Policy (Zoom website, 29 March, 2020)

If you have any further questions relating to these statements and/or the updated Zoom Privacy Policy, we are happy to assist and channel them to our Zoom contacts.