90-Day Security Plan Progress Report: April 15
Thanks again to all who attended today’s “Ask Eric Anything” webinar, Zoom CEO Eric S. Yuan’s second weekly session to update you on Zoom’s ongoing privacy and security efforts.
This week, Eric was joined by Zoom CPO Oded Gal, Zoom CTO Brendan Ittelson, and new security adviser Alex Stamos to discuss the progress we’ve made in the two weeks since the start of our 90-day plan and how we’re moving forward.
Some updates from the past week and on what’s coming:
Highlights from this week’s session
Some key takeaways from this week’s “Ask Eric Anything” webinar:
New Security icon in the meeting controls
The newly released Security icon in the toolbar provides Zoom Meetings hosts and co-hosts with one-click access to a number of existing Zoom security features, including Lock Meeting and Enable the Waiting Room.
Changes to Zoom’s default settings
We’ve made changes to Zoom’s default meeting settings to improve security before a meeting starts. Both meeting passwords and Waiting Rooms are enabled by default for our free Basic users and single Pro users, while those in our K-12 education program need a password to join a meeting. Waiting Rooms also are on by default for those K-12 users.
Enhanced meeting password complexity
Account owners and admins can now configure minimum meeting password requirements to include numbers, letters, and special characters, or allow only numeric passwords. Free Basic account users will now use alphanumeric passwords by default instead of numeric passwords.
Changes to data center routing
Starting April 18, account admins will have the ability to choose whether or not their data in transit is routed through specific data center regions, giving users more control of their interactions with Zoom’s global network. Data in transit, or data in motion, is data actively moving from one location to another such as across the internet or through a private network. Data at rest is data that is not actively moving from device to device or network to network such as data stored in a cloud data center. Learn more about the process in our blog post.
Bug bounty program with Katie Moussouris of Luta Security
Zoom will be working with Luta Security to reboot our bug bounty program. Luta Security was founded by Katie Moussouris, who created some of the most important vulnerability programs still running today. She started Microsoft Vulnerability Research and Symantec Vulnerability Research, and also started Microsoft’s and the Pentagon’s bug bounty programs. Luta Security will be assessing Zoom’s program holistically with a 90-day “get well” plan, which will cover all internal vulnerability handling processes. Read more in Katie’s blog post.
Introducing Alex Stamos
Eric introduced Alex Stamos, former CSO of Facebook and the director of Stanford’s Internet Observatory, who will be joining Zoom as a consultant to help us identify and implement enhanced security measures. “There is no more interesting or impactful issue than allowing people to live their lives through this quarantine,” Alex said. “There’s never been a company that has had to scale this quickly, and supporting hundreds of millions of people is a fascinating technical challenge. I’m very excited to join this incredibly fast-moving team.”
The panel also answered questions from webinar attendees live. Here are some of the topics that Eric and his guests addressed this week:
Which is more secure — free Basic accounts or paid accounts?
Although paid accounts have more features to customize meetings and user settings than Basic accounts, Eric assured attendees that the majority of security features were available for both Pro and Basic accounts. In fact, free accounts now have many security settings on by default.
Can you provide more details on Zoom’s bug bounty program?
Alex explained that a bug bounty program is a system that rewards users and security researchers for identifying bugs within a company’s product. He also mentioned that all Zoom users and security researchers are invited to participate, including researchers who have previously reported on Zoom vulnerabilities. Visit our security page to submit potential bugs.
Can you share updates on Zoom’s encryption?
Alex explained that Zoom’s short-term focus for encryption is migrating from a 256-bit AES ECB encryption to a more secure 256-bit AES-GCM encryption, while our long-term focus will involve a totally new cryptographic design that greatly reduces risk to Zoom’s system.
What about credentials on the dark web?
It was recently reported that some Zoom credentials on the dark web were available for purchase; however, as Alex explained, this is an issue faced by most large companies such as Yahoo, Facebook, and Amazon. He also explained that these credentials were most likely stolen from users elsewhere but use the same password across multiple accounts, or from users who have malware installed on their system. Zoom is building systems to detect whether people are trying out username and password pairings and block them from trying again. We have also hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down websites attempting to trick users into downloading malware or giving up their credentials.
Can other people listen in on a Zoom Meeting?
Brendan explained that only the users within your meeting will be able to listen to the conversation and that those users will show up on the participant’s list, so no unauthorized users will be able to listen in. He also explained that Zoom never records any meeting unless a host specifically selects Record.
If you missed this week’s session, you can view the recording here:
Editor’s note: This post was updated Nov. 6, 2020, to clarify language around customizing your data routing settings.
Editor’s note: This blog post was edited on Aug. 2, 2021 to include the most up to date information on Zoom encryption.