After intense scrutiny, Zoom tightens up security with version 5. New features include not, er, spilling video calls to network snoops

Zoom's ongoing game of whack-a-mole with security bugs in its code continued today with the imminent emission of version 5, replete with support for 256-bit AES-GCM encryption. It's the latest in the video-conferencing software maker's 90-day plan to overhaul its platform's dodgy security after a hellish few weeks at the hands …

  1. Anonymous Coward
    Anonymous Coward

    Their response to everyone calling them incompetent was to announce that they have a new version that fixes everything, and direct people to a download link for the old version?

    Seems like the perfect company to be recording confidential meetings. Anyone have the URL to download all of the UK cabinet meetings?

    Also, where are GCHQ and the NSA and their equivalents around the world? They have been telling us all these years that their main job is securing government communications, and spying on other people was a spare-time sort of thing... but they couldn't set up Downing Street with a video conferencing solution that met even the most basic security requirements? Do they not have a placement student who could modify the template on one of the many WebRTC demos to "create a bespoke secure government grade video conferencing platform using military grade end to end cryptographic encryption cryptography" in less than a daymonth?

    1. Pascal Monett Silver badge
      Coat

      I'm sorry, you are obviously operating under the obsolete idea that security services exist to ensure that government activity is secure.

      That is last-millennium thinking.

      These days, security services are there to assure the government that the people they govern are happy and complacent and won't come with pitchforks to put their heads on a spike. To ensure that, their job is to listen to everybody, scrape all social networks and record every tweet to ensure that public ire is directed to the acceptable scapegoats (immigrants, foreigners, the French, Arabs, Asians, etc).

      Therefore, GCHQ is perfectly happy with the Chinese being able to listen in to UK gov meetings, since they will get the information anyway through Huawei 5G routers that have yet to be installed.

      Ah, the miracles of technology have no bounds.

    2. Anonymous Coward
      Anonymous Coward

      Government communications

      The UK Gov has had a secure communications team working near a train maintenance depot in southern middle England for decades. Their kit is used for secure communications with embassies abroad, for instance.

      Do they really not have a video version?

      1. Doctor Syntax Silver badge

        Re: Government communications

        Whether or not they have a video version is immaterial. Cabinet meetings need something that can be operated without assistance by the average minister (Hacker was a very average minister in the "Yes Minister" scripts). Convenience beats security every time.

        1. WanderingHaggis
          Coat

          Re: Government communications

          Remember, civil servants do what their masters tell them, so I can imagine GCHQ being told: "Don't blind me with science, this Zoom wagga boom magic works, so stop messing around and let a chap get on with it."

  2. Anonymous Coward
    Anonymous Coward

    Makes my job harder

    Already having enough trouble persuading higher powers to read the Ts&Cs before signing up. Version 5 doesn't fix everything (it's still decrypted at the server as far as I can tell, for example), but the headline is "Zoom tightens up security", so all previous arguments will be ignored because everything's OK now.

    1. ovation1357 Bronze badge

      Re: Makes my job harder

      I'm not getting this whole "decrypted at the server" thing... They have a separate TLS encrypted channel which distributes a one-time key to all participants and I'm sure I've read somewhere in Zoom's docs that the video and audio is then sent through their servers in its encrypted format so that only participants can access it. So that's basically end-to-end encryption.

      In spite of some naive mistakes which aren't ideal, the product has essentially been secure enough for most use cases for ages and is now improving to be even tighter.

      The "zoom bombing" stories of late seem to be mainly down to users publishing private meeting links and most recently also either disabling the waiting room or approving people to join without checking who they are.

      There's only so much that can be done to mitigate some of the user errors. Zoom's trying to do what it can and it now has very clear guides about how to use the service safely.

      Personally I find the new default waiting room to be a pain and I certainly get the argument that it may be putting off some users. I'm sure it's very useful in some scenarios but for smaller private meetings I've turned it off.

      For now I'm continuing to use it and pay a subscription because it's by far the best and most reliable tool I've tried.

      Teams is just horrible and Hangouts feels terribly basic, although I really like the automatic closed caption transcript feature. The current 4 (visible) videos limitation is an especially big drawback in my view. Zoom is slick and scalable, feature-rich, fast and stable, so I use it for everything from business meetings to chatting to my family.

      1. Warm Braw Silver badge

        Re: Makes my job harder

        "only participants can access it"

        And Zoom. So your security is then dependent on how easily you can become a participant (not originally difficult by default), or how easily you can become Zoom (for example, by having control over one of their Chinese servers). And how good their encryption is, anyway - which wasn't great in previous versions.

        It's probably sufficiently secure for most people most of the time. When security really matters, though, it's probably unwise to rely on someone else to own and distribute the keys...

    2. Mike 137 Silver badge

      Re: Makes my job harder

      "persuading higher powers to read the Ts&Cs"

      Nobody expects to have to read the T&Cs (or the Spanish Inquisition).

      1. Lotaresco Silver badge

        Re: Makes my job harder

        "Nobody expects to have to read the T&Cs"

        Blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah. Blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah.. including without possibility of rescinding the contract surrender of your immortal soul for the exclusive purposes of EvilCorp SA blah blah blah blah blah blah blahblah blah blah blah blah blah blah blah. Blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah, blah blah blah blah, blah blah blah blah. Blah blah blah blah blah blah blah blah blah blah blah blah blah. Surrender of any and all vital organs blah blah blah blah blah blah blah blah blah blah blah blah without right of restitution in law. Blah blah blah blah blah blah blah blah blah… Iä! Iä! Cthulhu fhtagn! Ph'nglui mglw'nfah Cthulhu R'lyeh wgah'nagl fhtagn! Blah blah blah...

    3. Doctor Syntax Silver badge

      Re: Makes my job harder

      "Already having enough trouble persuading higher powers to read the Ts&Cs before signing up"

      If you have a legal department (and assuming you aren't that legal department!) you could simply get into the habit of running all T&Cs past them. That way they can intervene with the higher powers.

    4. tellytart

      Re: Makes my job harder

      You're forgetting one vital part of these conferencing systems - they ALL have to be able to be decrypted by the servers of the company if you want to be able to use features like the ability to join the conference by telephone.

      If the supplier can't decrypt the streams on their servers, how do they get at the audio to send it to the telephone participant, and how do they inject the telephone participant's audio into the conference?

  3. Anonymous Coward
    Anonymous Coward

    My bigger problem isn't the security issues per se. Even in aggregate, discovered so closely together, I've seen worse in my time.

    My concern was the tone and character of the response Zoom would return to their concerned customers. I'm fairly often on the hook for managing our response to our customers for security incidents we're possibly responsible for [open source middleware - weekly occurrence, naturally]. When a customer says something like "Help me understand what was going on with CVE-2022-192729", what they _actually_ want to know are the answers to little questions like "How did you let this happen?", "How did you find out about this?" and most importantly "What are you going to do to stop this happening again?"

    When we went to Zoom and asked them to provide us a formal response to their recent security incidents, the text returned was nowhere near up to snuff for an enterprise software vendor. The text was trite, dismissive and arrogant. For example on the topic of how they installed a fully unauthenticated, open to the world web server on everyone's machines without asking, the response reads thusly:

    "Zoom is not malware. Zoom is safe to use for both you personally and businesses, but you should read through on how to best protect yourself and your company. Throughout the past few days, social media (mostly infosec twitter) is gushing with various opinions and hot takes about Zoom being malware due to multiple issues found with it. Some of these issues are indeed problematic (and are/were taken care of by Zoom) and some of the issues that are being raised and discussed in social media are in fact not bugs or issues with Zoom itself but issues with the way operating systems work."

    They quote some nobody infosec blogger [yeah - that's not even their own words they sent to us] in order to blame us for getting hit, they blame the "gushing infosec twitter" for finding their massive security fuckup and they blame operating systems for letting them get away with it. This is the calibre of company we're dealing with, and frankly I do not believe that is good enough for other companies to be trusting Zoom with their secure, corporate communications.

    1. Captain Scarlet Silver badge

      Nice so they respond "Zoom is not malware" even though it was a question based on a decision in software to bypass the security of an OS to bypass the need to press one button.

  4. Lorribot Bronze badge

    The website says the download is 4.6.12 but the file you download reports as 5.0.0.0.

    They need to put more effort in to the details.

    1. Mike 137 Silver badge

      "They need to put more effort in to the details."

      Nobody puts any effort into the details - which is why, four decades into the life of internet-based services, we have a constantly worsening security position.

      The sad reality is that almost all of us are running on autopilot with attention reduced to mere collision avoidance, and services and systems developers are drawn from the same population.

    2. Anonymous Coward
      Anonymous Coward

      Unless you're using Linux, in which case you get version 3.5.392530.0421

      1. Anonymous Coward
        Anonymous Coward

        Even auto updating doesn't work! *

        Just tried updating my local install (Windows) currently on 4.6.11, latest version shows as 4.6.12!

        Release notes 4.6.12 (20613.0421)

        Changes to existing features

        -Re-enable clickable links in meeting chat

        Resolved issues

        -Security enhancements

        Nice clear notes there!

        Now I'm on 4.6.12, another check states I'm on the latest version!?

        * Have to use it at work for one of our suppliers, who use Zoom with an Enterprise license! I only turn it on when needed, and then immediately off as soon as any meeting is finished.

      2. Anonymous Coward
        Anonymous Coward

        Yeah, the linux client seems to have languished the same way Skype for Linux did/has for years (I haven't used Skype in ages).

        1. Captain Scarlet Silver badge

          You aren't missing much, except with added gifs and emojis

    3. Lazlo Woodbine Bronze badge

      It might say version 5.0.0.0 on the file details, but when launched after updating it's showing 4.6.12 (20613.0421) on the splash screen, and the file version is 4.6.20613.421 when I check in Users/AppData/Roaming

  5. A random security guy Bronze badge

    So they are using AES-GCM? and decrypting at the server? With what keys?

    Don't trust them at all.

    What does "using AES-GCM" even mean?

    How is the counter mode managed?

    How is the key chosen?

    How is the key exchange performed?

    How are users actually authenticated?

    Why are they decrypting at the server?

    Are they running analytics or transcription services on the streams?

    Can we question their engineers and support staff about their accessing the data? I know we can't; 80% are in China.

    Any company that deliberately wrote extra code instead of using TLS for secure streaming is suspect.

    1. Yet Another Anonymous coward Silver badge

      Re: So they are using AES-GCM? and decrypting at the server? With what keys?

      Yes, those were all the questions my mom was asking before being able to see video of her new granddaughter.

      Meanwhile my condo association has switched to holding their online meetings over quantum fibre links from their individual tempest screened classified data centers.

      Wait till El Reg readers find out what level of secure key distribution is used by their landline phones.

      1. Claptrap314 Silver badge
        Pint

        Re: So they are using AES-GCM? and decrypting at the server? With what keys?

        The snark is strong in this one.

        Have one. ----->

    2. Lotaresco Silver badge

      Re: So they are using AES-GCM? and decrypting at the server? With what keys?

      "What does "using AES-GCM" even mean?"

      AES-GCM is an implementation of Galois/Counter Mode which gives high speed encrypted comms on inexpensive hardware. NIST Special Publication 800-38D gives guidelines for reducing stream cipher attacks and I'm guessing that Zoom's techies didn't bother to read it, because it sounds as if they are using nonces more than once. GCM isn't good at handling large messages because there's a relationship between short tags and large messages that permits an attacker to construct a ciphertext forgery with increasing probability of success. If the attacker has a good run of success they can determine the hash subkey, which means that the authentication assurance is compromised.

      AES-GCM is used widely and gives decent security if used in compliance with NIST guidance. Fail to implement it properly and there's not much point using it.
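A worked illustration of the nonce discipline the comment above refers to, added here as an example and not code from the original thread or from Zoom: a deterministic nonce source in the style of NIST SP 800-38D section 8.2.1, AES-256-GCM sealing of a media frame, and a check that reusing one (key, nonce) pair under counter mode leaks the XOR of two plaintexts. The 32/64-bit field split and the invocation cap are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// NonceSource: deterministic 96-bit nonces per SP 800-38D 8.2.1 (assumed 32/64 split).
type NonceSource struct {
	fixed uint32 // sender / stream id
	count uint64 // invocations so far under this key
	limit uint64 // hard cap; the key must be rotated when it is reached
}

// Next returns a fresh nonce, or an error once the cap is reached.
func (n *NonceSource) Next() ([]byte, error) {
	if n.count >= n.limit {
		return nil, errors.New("nonce space exhausted: rotate the key")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[:4], n.fixed)
	binary.BigEndian.PutUint64(nonce[4:], n.count)
	n.count++
	return nonce, nil
}

// Seal encrypts one media frame with AES-256-GCM; the 16-byte tag follows the body.
func Seal(key, nonce, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, frame, nil), nil
}

// NonceReuseLeaks: GCM is AES-CTR underneath, so frames sealed under one
// (key, nonce) XOR to the XOR of their plaintexts; reports whether that holds.
func NonceReuseLeaks(key, nonce, f1, f2 []byte) (bool, error) {
	c1, err1 := Seal(key, nonce, f1)
	c2, err2 := Seal(key, nonce, f2)
	if err1 != nil || err2 != nil {
		return false, errors.New("seal failed")
	}
	for i := 0; i < len(f1) && i < len(f2); i++ {
		if c1[i]^c2[i] != f1[i]^f2[i] {
			return false, nil
		}
	}
	return true, nil
}
```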

  6. Anonymous Coward
    Anonymous Coward

    Microsoft monitoring

    You assume that Zoom is the only problem here. Anybody on domestic versions of Windows 10 is already monitored by Microsoft. Can MS see the keys, tap the audio, etc.?

    1. MatthewSt Bronze badge

      Re: Microsoft monitoring

      In most cases yes, because they offer meeting recordings and live transcripts. Those two things are quite difficult to do without access to the stream. Same goes for the business versions. That's not a surprise and they've never claimed that it's end to end encrypted.

      1. Doctor Syntax Silver badge

        Re: Microsoft monitoring

        "Those two things are quite difficult to do without access to the stream."

        As regards recording they could archive the stream as a recording and make provision for the customer to archive the key on their own device. That way they can't access the content (assuming they don't have a copy of the key) and anyone who wanted a transcript of a secure meeting should arrange for the transcript to be made by an agent whom they have vetted to their own satisfaction.

  7. B83
    WTF?

    Dumteedumers

    Every time I read something about Zoom I will always think of this story and have a chortle/chuckle to myself.

    For those of you who are not familiar with a Dumteedumer, just think of a person in their middle age who is mostly middle class, 100% British, 100% posh and proper, drinking tea, eating cream scones or crumpets.

    With that genteel image in your head, have a laugh at this link https://www.bbc.co.uk/news/entertainment-arts-52243209

    1. Anonymous Coward
      Anonymous Coward

      Re: Dumteedumers

      What a treat for all those that just joined the room to have a look lol

  8. EnviableOne Silver badge

    Better, but still not fit for a secure channel

    OK, so moving from CBC to GCM is more secure, but they still decrypt in their cloud, and they still have bad default settings on passwords etc.

    Encryption is fine; that handles the integrity angle, but what about the authentication for the confidentiality part? OK, there are options for 2FA, but nothing is on by default.

    And the measly 3 nines of uptime for the availability part...

Biting the hand that feeds IT © 1998–2020