Zoom security

Meeting bombing is an end-user behavior pattern: Zoom India head

COVID-19 crisis has turned out to be a game-changer for many companies. While some companies have seen their business model tumble, few others, including the collaboration and communication solution and service providers have seen their numbers swelling. The one that leads the pack is Zoom, whose number of average per day users grew from 10 million in December 2019 to 300 million by April 2020. This, despite some major security gaps, including Zoombombing, UNC link issue, and concern about some Zoom calls being routed through data centers in China. However, the company was quick to respond with its founder and CEO Eric Yuan unveiling a 90-day plan to strengthen the platform’s security. In a video-call with Shubhendu Parth, Zoom Video Communications India head Sameer Raje talks about the security issues, the plans to plug these, Keybase acquisition, and Version 5.0.

 Sameer Raje, Zoom India HeadV&D: Eric Yuan had earlier stated that Zoom was not geared to handle such a massive surge in user volume. What steps has the company since then taken to augment its capacity?
Sameer Raje: I think it would be fair to say that nobody had really imagined that all of us would be working and socializing from home. So yes, it is absolutely true that we had not imagined that every second or third person in the world would start using Zoom or a virtual platform to socialize, or to meet and collaborate.
During this period, we have seen different kind of users coming on board—young kids and schools, and users who had never used collaboration platforms. These first-time users are bringing in our new use cases. I read an article that some marriages in India were happening on Zoom. We had not anticipated that Zoom would be a platform for people to get married. And then there are people hosting a get-together with family and friends. We did not anticipate this either.

So there are a few things to be done. One, we need to be absolutely sure that users coming on our collaboration platform are using it in the right way. For young, under 16 years’ users, it is important to enforce certain discipline and parental control. Hence, under-16 kids cannot sign up for a Zoom account without permission from the school or parents. Next, is the technical aspect to deal with where we need to ensure that there is no downtime in service.

While all new users are coming and the entire traffic is piling on and we’re scaling up, we want to ensure that not only our services remain up 24×7, but we are also able to enhance the security and privacy level of our platform.

V&D: And what is Zoom doing on this front?
Sameer Raje: We have embarked on coaching, guiding, and training the individual users and also mandating certain rules. For example, while starting a meeting one has to initiate it with a password. We have set up a CISO counsel and a 90-day plan where we’ve decided to freeze all our future feature roadmap, but focusing purely on security and privacy aspects where we are enhancing our platform from what it was to make it even more robust, secure and private.

While these things will keep happening, the external third party agencies and CISOs are advising us and conducting the requisite tests to ensure that everything is safe and sound. Whatever the gaps they report will be actively bridged. That is our focus during this period.

Keybase, with over two dozen world-class security and encryption engineers, will help us build end-to-end encryption into the Zoom platform.

V&D: Is the acquisition of Keybase part of the 90-day plan to fix security issues? How will it help Zoom strengthen the security of the platform?
Sameer Raje: Keybase, with over two dozen world-class security and encryption engineers, will hit the ground running, continuing the development and implementation of features and standards that will make Zoom the industry leader in security and privacy. This will help us build end-to-end encryption into the Zoom platform. Our goal is to build Zoom’s security and encryption capabilities with help from Keybase’s world-class engineers. While we will also own the Keybase product, we expect that it will remain separate from Zoom’s offerings.

V&D: The company recently released its version 5.0 which includes encryption and new privacy controls. What makes the new version safer?
Sameer Raje: The most important feature of the new version is the enhanced level of encryption. We have now migrated to the AES 256-bit GCM encryption, which is probably the latest, most secure, and used by very few players in the industry. So that’s one of the key developments that we have brought in. Besides, there are other features and functionality. For example, the enhancement of the security tab for the host to lock the room or deal with the security aspects of the meeting.

We have also introduced functionalities that help control how the chat functions, including saving or recording the meeting. We have introduced a very critical “report a user” feature. The functionality allows users to report unwanted intrusions in the meeting by just clicking a button. Once reported, it will automatically take a screen capture and report it back to Zoom. Our security and privacy team will validate complain and if it is found that inappropriate content has been used or there has been an intrusion, there is a provision to disable or suspend, and even terminate the respected zoom account. If required, we can report it to the relevant authorities for further action. This is an extremely important feature and I think this will give the confidence to those teachers or tutors and schools which probably stopped using Zoom for whatever reasons.

Zoom always encrypted the call data and with version 5.0 we have further enhanced the level of encryption.

V&D: Is the AES 256-bit GCM encryption being used for end-to-end encryption?
Sameer Raje: We need to understand what an end-to-end-encryption actually means in case of a collaboration platform. When participants are using Zoom clients to connect it effectively means that the meeting is encrypted. It was so even before and the AES 256-bit encryption in Zoom 5.0 means this encryption level has gone even higher.

What we need to understand is that Zoom is a collaboration platform and hence, by default, we need to allow other devices and other means of communication to connect into Zoom for collaboration purposes. For example, a person might choose to join the Zoom platform via PSTN or the mobile voice without using the client on the Zoom. Similarly, one might want to dial a number and get into a conference call on the zoom platform. Besides, a company might have some video conferencing endpoints that it wants to connect into the Zoom platform for collaboration.

Now, each of these devices will have their own different levels of encryption, or some of them may not have encryption at all. So when the meeting data leaves the Zoom cloud that’s where the encryption format changes to meet the requisite end-client needs. One may communicate through a phone or a video-conferencing device or anything else, but till the time it is on the Zoom cloud the data is encrypted.

The moment we bring in different tools and varied devices on a collaboration platform, the format of encryption changes. But we have the Zoom Cloud Connectors which encrypts and decrypts at the entering and exit level and hence the entire meeting data is encrypted. Zoom always encrypted the call data and with version 5.0 we have further enhanced the level of encryption.

V&D: Talking about encryption, we have seen cases where some platforms have refused to share the keys with the government agencies. What is Zoom’s stand on this?
Sameer Raje: On the Zoom platform, when the data is encrypted, we don’t have the keys unless the user is recording it on the cloud. It is only then that we need the keys to decrypt and transcribe it. Otherwise, we don’t have any means of decrypting or intercepting the information or even accessing it. So, it is completely encrypted and if the government says they want to access, we will have to go into the details of it. We will be glad to engage with the government to understand their requirements and come to a conclusion as to what best we can do.

V&D: So, when did Zoom first notice the security gaps? Or did Zoombombing trigger the 90-day security plan?
Sameer Raje: Meeting bombing itself is not a security gap, but it’s an end-user behavior pattern. It is like going out of the house without locking it. Similarly, if you’re hosting an online meeting and posting it on social media and do not have a password for it, you’re inviting trouble. What happens when someone walks into the conference room you are using in the office? You don’t call it “bombing” as we know that it happened because the room was not locked.

If you don’t want anybody to pop in we need to lock the room. People need to understand that it is the same while using online meeting rooms. So, it is actually not a security issue, but an end-user behavior issue. However, there were certain other aspects and some mistakes on our part. It will be wrong to deny this.

When we started to scale up, there were some human errors and we took corrective steps in some of the critical issues in less than 24 hours. We also released some new patches and upgrades. In fact, we released the fourth version of patches in the 15 days, which is quick turnaround time.

V&D: Amongst other issues, there were two major security and privacy concerns: a bug that allowed hackers to take control over the user’s computer, and call data being routed through China. How is the company addressing these?
Sameer Raje: The UNC link was something we missed and we disabled it in less than 24 hours after it was brought to the notice. However, it was really not a bug on our platform. It is a well-known issue on a well-known platform and it has been there ever since and for someone to click it, the users had to give permission. Having said that, we accept that having it as a clickable link was a mistake and we fixed it.

Same as the case with the issue related to the China data center. Any organization would understand that data servers in China are geo-fenced because of the local requirements. We have them there because the participants or the hosts in China need to go through these servers when they join or initiate a meeting. Since those servers are always geo-fenced the global traffic doesn’t ever go there. However, again, when we were scaling up we made a mistake and some of the servers carried the global traffic.

I will like to add that our architecture is such that the calls are always sent to the nearest data center and so most of the global users would have automatically gone to their respective data centers and a minuscule number, those who wouldn’t have found space on a particular day in their nearest data center, would have gone to China. This number is in single digits. But it was a mistake on our part that we did allow this to happen for a short period of time while we were scaling the server. It was a human error and we have dealt with it.

V&D: Zoom has two data centers in India—in Mumbai and Hyderabad. Are all calls from India being handled only through these?
Sameer Raje: Absolutely. Data of all paid Zoom users go to Mumbai or Hyderabad. Mumbai is the primary server while Hyderabad is the secondary one and both these data centers are operated and hosted through Indian ISP. The second aspect of this is the way we handle data for free users. This data goes to the US and from there it is sent to the respective data centers that connect the calls. That’s how we function.

V&D: So the Indian data centers are primarily meant to handle the enterprise customers?
Sameer Raje: Not only enterprise but all paid customers, irrespective of the number of licenses they have. We also have an additional feature for our paid customers, which is an industry first, that allows users to select geography and the data center. This also means that one can actually opt-out of certain geographies.

V&D: Has the advisory from MHA changed the equation? Is there a change in the way the customers are now looking at the platform?
Sameer Raje: Well, the MHA advisory focuses more on the Government of India employees. For the private sectors, they have released an advisory of the best practices. But yes, there have been customers who reached out to us, asked questions about the government advisory. Obviously, any individual or organization would seek answers since it’s a respectable government document. So we have gone back to them and have responded to the advisory.

We have also replied to all the customers. We explained to them what’s happening and responded to each and every query, including the questions related to encryption or other security and privacy issues. As far as the government is concerned, we are engaging with them—from the MHA to the other ministries, including the Ministry of Electronics and Information Technology. We want to share all the requisite documents in terms of technical features and the privacy and security features of users so that they are able to make the right informed decisions and communicate it to their own employees.


Leave a Reply

Your email address will not be published. Required fields are marked *