Zoom's New App Update Combats 'Zoombombing' and Boosts Encryption

Video-conferencing application Zoom is set to receive additional security updates that are designed to increase "resistance against tampering."

The software, which experienced a surge in use during the COVID-19 pandemic as users started working, learning, and socializing from home, attracted criticism for security and privacy bugs, including meetings that were susceptible to hijacking, a process called "Zoombombing."

Now, the team behind the application says a new version will add support for better encryption and give hosts the ability to report other users through a dedicated security icon.

Meeting passwords are now enabled by default, and administrators will also have the option of defining password complexity, such as length and special character requirements. The suite of security features, previously scattered in meeting menus, is now grouped together in a dedicated area.

"Hosts can require all participants to register for the meeting, where they enter their first name, last name, email address, and other information, which the host can then confirm. Hosts can also use the security icon to disable the ability for participants to rename themselves," the firm said in a blog post.

Zoom said "report a user" and encryption will be supported in Zoom 5.0, which is due for release within the week. To get the update, visit zoom.com/download or follow the steps within the client.

The changes come as part of a 90-day security plan that was put in place after Zoom CEO Eric Yuan conceded the app had "fallen short of the community's privacy and security expectations."

As of March, Zoom said it was used by roughly 200 million daily meeting participants, both free and paid. That was up from approximately 10 million daily meeting participants in December 2019.

The influx of fresh users brought a new set of problems for the software, which was previously aimed at an enterprise audience. The FBI warned that public meetings were being disrupted across the U.S., hijacked in real time to show pornography, hate images or threatening language.

Governments and businesses, including Google, NASA and SpaceX, urged their employees to avoid the app as a result of mounting security concerns, and Zoom acknowledged calls were vulnerable. In the U.S., police recently arrested a teenager who allegedly targeted a teacher's meetings.

The Intercept reported that Zoom's video and audio meetings were not actually protected by end-to-end encryption, despite claims previously made in its own security policies. The BBC reported today that multiple meetings this week were hijacked to show footage of child abuse, with Zoom telling the news outlet that it is investigating the incident. Police are also probing the cases.

Zoom executives say the new version of the app is one step towards better protecting the user base, and confirmed that public meeting IDs, used to join calls, have been made less visible.

"From our network to our feature set to our user experience, everything is being put through rigorous scrutiny," said Oded Gal, chief product officer (CPO) of Zoom. "On the back end, AES 256-bit GCM encryption will raise the bar for securing our users' data in transit. On the front end, I'm most excited about the Security icon in the meeting menu bar.

"This takes our security features, existing and new, and puts them front and center for our meeting hosts. With millions of new users, this will make sure they have instant access to important security controls in their meetings." And talking security, CEO Yuan pledged: "This is just the beginning."
