As the COVID-19 pandemic began to spread rapidly in March 2020, several countries introduced lockdowns to “flatten the curve”. This led many corporations, especially IT companies, to go completely remote during the lockdown period. With more and more employees working from home, apps like Zoom, which are handy for video meetings, became the norm. Zoom's user base grew from 10 million to 200 million in March.
However, as the number of users saw a meteoric rise, several security risks and loopholes within Zoom started coming to the surface. Examples include a meeting host being able to gather data about participants, Zoombombing by hackers (hijacking a video conference to display pornographic content), the app secretly sending data to Facebook, claims that the Zoom Windows client could be hacked to steal passwords, and malware-like behaviour of the Zoom installer for macOS.
To tackle these security issues, Zoom released its 5.0 update on 27th April 2020, about three weeks after the company announced its 90-day plan. One of the most critical changes in Zoom 5.0 is the use of AES-256 GCM encryption. The encryption algorithms previously used by Zoom were deemed below par, so this update is essential, especially for daily users of Zoom.
What is GCM Encryption?
GCM stands for Galois/Counter Mode. It is a mode of operation for block ciphers (algorithms that encrypt data one fixed-size block at a time), most commonly used with the Advanced Encryption Standard (AES). GCM provides authenticated encryption, meaning it protects both the confidentiality and the integrity of the data, and it is very widely used because it delivers the required level of security without compromising performance or efficiency.
GCM encrypts by using a counter. For each block of data, it feeds the current counter value into the block cipher, then XORs the block cipher's output with the plaintext to produce the ciphertext, and increments the counter for the next block. Integrity comes from a separate step: a GHASH function computed over the ciphertext and any associated data (such as headers) yields an authentication tag, which the receiver verifies before trusting the decrypted data. Any block cipher with a 128-bit block size can be used with GCM in this way; the most popular choice is AES-256.
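The following Go program is an added illustration of the mode described above; it is not Zoom's code and says nothing about how Zoom manages keys. It uses only the Go standard library (`crypto/aes`, `crypto/cipher`). The key, plaintext and associated data are constructed sample values. `Seal` and `Open` show authenticated encryption with AES-256-GCM, `CounterModeMatches` checks the counter construction from the text (the first ciphertext block equals the plaintext XORed with AES applied to the counter block `nonce || 0x00000002`, the value `nonce || 0x00000001` being reserved for the tag), and `main` shows that a single flipped ciphertext bit makes decryption fail instead of returning corrupted data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard 96-bit GCM nonce

// newGCM wraps AES in GCM; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM and returns
// nonce || ciphertext || 16-byte tag. aad is authenticated but not encrypted.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag and decrypts. Any change to the nonce, ciphertext,
// tag or aad produces an error and no plaintext.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// FirstKeystreamBlock reproduces the counter-mode step from the text: with a
// 96-bit nonce, the counter block for the first plaintext block is
// nonce || 0x00000002, and GCM XORs AES_K(counter) onto the plaintext.
func FirstKeystreamBlock(key, nonce []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	counter := make([]byte, aes.BlockSize)
	copy(counter, nonce)
	binary.BigEndian.PutUint32(counter[nonceSize:], 2)
	keystream := make([]byte, aes.BlockSize)
	block.Encrypt(keystream, counter)
	return keystream, nil
}

// CounterModeMatches checks that the first 16 ciphertext bytes from Seal equal
// plaintext XOR FirstKeystreamBlock, i.e. that GCM is AES in counter mode underneath.
func CounterModeMatches(key, sealed, plaintext []byte) (bool, error) {
	if len(plaintext) < aes.BlockSize || len(sealed) < nonceSize+aes.BlockSize {
		return false, errors.New("need at least one full block")
	}
	ks, err := FirstKeystreamBlock(key, sealed[:nonceSize])
	if err != nil {
		return false, err
	}
	ct := sealed[nonceSize : nonceSize+aes.BlockSize]
	for i := 0; i < aes.BlockSize; i++ {
		if ct[i] != plaintext[i]^ks[i] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from a key exchange
	for i := range key {
		key[i] = byte(i)
	}
	plaintext := []byte("constructed sample media frame, longer than one AES block")
	aad := []byte("constructed header: meeting 000, stream 1")
	sealed, err := Seal(key, plaintext, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed:", hex.EncodeToString(sealed))
	ok, _ := CounterModeMatches(key, sealed, plaintext)
	fmt.Println("first block == plaintext XOR AES(nonce||2):", ok)
	sealed[nonceSize] ^= 0x01 // flip one ciphertext bit
	if _, err := Open(key, sealed, aad); err != nil {
		fmt.Println("tampered frame rejected:", err)
	}
}
```

The point worth taking from the tamper step is what "authenticated" buys over plain counter mode: in CTR alone, flipping a ciphertext bit silently flips the same plaintext bit, whereas GCM's tag check rejects the whole message. The nonce comment matters in practice too, since reusing a nonce under the same key breaks both confidentiality and the authentication in GCM.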
Zoom uses AES-256 GCM starting from the 5.0 update, a giant leap in the Zoom infrastructure from the security algorithms used previously. Although this update does not bring end-to-end encryption to Zoom, it is still a massive security upgrade over the older versions.
Next Actions by Zoom Users
Currently, Zoom is allowing the use of previous versions up to 30th May 2020. A user on an older client who tries to join a meeting will be prompted for confirmation before updating. After 30th May, Zoom clients on older versions will no longer be able to connect to a meeting, so users must download and update the Zoom app to version 5.0 or above.
If you are a Zoom Administrator managing Zoom for multiple users in a cluster, you might want to check out this page to see more details about the phased rollout of Zoom 5.0 across all supported platforms.