Popular video chat service Zoom dodged questions about security claims on its website earlier this week.
Security experts, including New Zealand's Daniel Ayers, said Zoom claimed to have end-to-end encryption when it did not - an assertion given urgency by the fact that Zoom was used for NZ's first virtual cabinet meeting as the lockdown began.
Now, in a statement posted by its chief product officer Oded Gal overnight, Zoom says, "We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption."
And in a separate post, Zoom founder and chief executive Eric Yuan said "we recognize that we have fallen short of the community's – and our own – privacy and security expectations. For that, I am deeply sorry."
Zoom's Nasdaq-listed shares, which have been on a bull run, were down 10 per cent in trading following the CEO's comments.
Yuan also said Zoom was initiating a feature freeze and boosting its bug bounty programme - or paying cash to "white hat" hackers who identify security flaws.
Yuan said overnight that Facebook's SDK (software development kit) has now been removed and that, as of March 27, Zoom had "reconfigured it to prevent it from collecting unnecessary device information from our users", referring to its iOS client.
The moves come after a run of bad publicity about Zoom vulnerabilities, including a "Zero Day" flaw earlier this week that allowed an attacker to gain control of a victim's camera and microphone and another last month that allowed a hacker to steal a Zoom user's Microsoft credentials.
Yuan says steps have also been taken to prevent so-called "Zoombombing" or uninvited participants crashing meetings.
Zoom's reputation for user-friendliness has helped it gain broad popularity during worldwide Covid-19 lockdowns. A person can join a Zoom conference just by clicking on a link emailed to them, even if they don't have the Zoom app installed. But the company is also now being more up-front about the trade-offs this entails.
The company clarifies that if someone is dialing in on a traditional phone line rather than its app, then "Zoom's encryption cannot be applied directly by that phone or device. That said, our goal is to keep data encrypted throughout as much of the transmission process as possible."
Encryption question left hanging
A key point of the Zoom controversy, first raised by well-regarded security journal The Intercept, was that Zoom's security setup gave its staff the ability to decrypt video chat session content.
In his new post, Zoom's Gal says "In a meeting where all of the participants are using Zoom clients, and the meeting is not being recorded, we encrypt all video, audio, screen sharing, and chat content at the sending client, and do not decrypt it at any point before it reaches the receiving clients."
He also says, "Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list."
But for Ayers, the key issue first raised by The Intercept still stands. Zoom has the ability to access content.
His take: Zoom is saying it does not end-to-end encrypt, when the ideal security scenario would be a setup - like those used by Facebook with WhatsApp or Apple's FaceTime - where the owner of the service cannot decrypt content.
And, in his view, the comment about a Zoom employee not being able to insert themselves into a meeting gives a misleading impression about security. "This remark by Zoom is misleading. [The] risk is decryption of content, which can be done by Zoom or a hacker if cloud-based keys are used or stolen. Decryption can happen without 'inserting into meeting'."
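The distinction Ayers is drawing is about who holds the meeting key, not about whether the bytes on the wire are encrypted. The following added example (not code from Zoom, from the article, or from Ayers) models the two setups described above: a relay server that generated and kept the meeting key (so the provider, or anyone who steals its stored keys, can decrypt frames passing through it) versus clients that generate the key themselves and never give it to the server. The cipher is a toy encrypt-then-MAC construction built from HMAC-SHA256 so it runs with the Python standard library alone; the secure out-of-band key-sharing channel between clients in the end-to-end model is an assumption stated in the code.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example. The cipher below is a toy: HMAC-SHA256 used as a
# keystream generator plus an HMAC tag (encrypt-then-MAC). A real client
# would use an AEAD such as AES-GCM. What this models is key custody.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_frame(key: bytes, plaintext: bytes) -> bytes:
    """Frame layout: 12-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_frame(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the frame was altered."""
    nonce, ct, tag = frame[:12], frame[12:-32], frame[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """Forwards frames between clients. Whether it can read them depends
    solely on whether a copy of the meeting key was ever stored here."""

    def __init__(self) -> None:
        self.held_keys: dict = {}   # meeting_id -> key (provider-held model only)
        self.relayed: list = []     # every frame that passed through the service

    def relay(self, frame: bytes) -> bytes:
        self.relayed.append(frame)
        return frame

    def try_read(self, meeting_id: str, frame: bytes) -> Optional[bytes]:
        key = self.held_keys.get(meeting_id)
        return decrypt_frame(key, frame) if key else None


def provider_held_keys(server: RelayServer, meeting_id: str, message: bytes):
    """Model 1: the service generates the meeting key and hands it to the
    clients. Frames are encrypted in transit, but the provider, or an
    attacker holding its stored keys, can decrypt them."""
    key = secrets.token_bytes(32)
    server.held_keys[meeting_id] = key          # a copy stays in the cloud
    frame = server.relay(encrypt_frame(key, message))
    return decrypt_frame(key, frame), server.try_read(meeting_id, frame)


def client_held_keys(server: RelayServer, meeting_id: str, message: bytes):
    """Model 2 (end-to-end): the host client generates the key and shares it
    with participants over a channel the server cannot read. That channel is
    assumed here; a real system would use a key agreement such as
    Diffie-Hellman so that no server-side copy of the key ever exists."""
    key = secrets.token_bytes(32)
    frame = server.relay(encrypt_frame(key, message))
    return decrypt_frame(key, frame), server.try_read(meeting_id, frame)


if __name__ == "__main__":
    msg = b"constructed sample meeting audio frame"
    got, seen_by_provider = provider_held_keys(RelayServer(), "m1", msg)
    print("provider-held keys: provider can read frame:", seen_by_provider == msg)
    got, seen_by_provider = client_held_keys(RelayServer(), "m2", msg)
    print("client-held keys:   provider can read frame:", seen_by_provider == msg)
```

In both models the relay only ever sees ciphertext on the wire, which is why "encrypted in transit" is a true statement for each; only the second model satisfies the stronger claim that the service operator cannot decrypt, and the altered-frame check in `decrypt_frame` shows that an attacker without the key can neither read nor silently modify a frame.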
He adds, "In respect of cabinet's use of Zoom, even if Zoom offered full end-to-end encryption there would still be the issue of software produced largely in China being installed on computers used by cabinet members. We don't know what security level those computers are cleared for, but I doubt that there would ever be a circumstance where that would be appropriate."
In comments to the Herald earlier this week, after the Zero Day flaw revelation, a GCSB spokesman said the agency's advice was to use the video chat service for discussion on topics up to the "Restricted" level.
"The Bureau is aware of commentary overnight relating to the security of the Zoom platform and will consider if additional guidance around its use is required," he said.
Although that falls below the Secret and Top Secret grades, Ayers pointed out the government's security guidelines still call for Restricted information to only be shared over fully encrypted communications systems.
Yesterday, Prime Minister Jacinda Ardern said Zoom had only been used to discuss information up to the Restricted grade. If the GCSB issued new advice, cabinet would stop using it.
GCSB issues new Zoom guidelines
In updated comments to the Herald late yesterday, the GCSB spokesman said, "Potential security vulnerabilities are regularly discovered in computer hardware, operating systems and applications. Providers issue security updates and patches for potential vulnerabilities on a regular basis. GCSB strongly advises that security patches are applied quickly and that the latest version of operating systems and applications are used."
He said a security user guide for public servants when using Zoom has now been posted to the National Cyber Security website.
And he added, "Our advice aims to enable organisations to have some flexibility in the tools they are using to enable effective operations in these extraordinary times while managing and mitigating security risks."
The Covid-19 crisis has cast a spotlight on Zoom, a company founded nine years ago by its CEO Eric Yuan, now 50, after he defected from US company Cisco Systems and took about 40 engineers with him.
Yuan wanted to refine a concept he first dreamed up during the 1990s as a college student in China, when he dreaded the 10-hour train trips to see his then-girlfriend, now his wife.
Now Zoom is booming, just 11 months after it made its debut on the stock market. While the Standard & Poor's 500 index has fallen by 25 per cent since its record high on February 19, Zoom's stock has soared around 46 per cent as investors bet on its service becoming a mainstream staple in life after the coronavirus.