sb-eu logo
Story image

Zoom buys encryption startup in its first-ever acquisition

Zoom has today announced its first-ever acquisition - absorbing Keybase, an end-to-end encryption and secure messaging platform.

The video conferencing company’s inaugural acquisition indicates its intention to correct its record on privacy and security, which has drawn sharp criticism in the months where its service has seen unprecedented growth during the COVID-19 pandemic.

Terms of the deal were not disclosed.

In a blog post written by Zoom CEO Eric Yuan, the company says it intends to leverage Keybase’s deep encryption and security expertise to help Zoom build its own end-to-end encryption.

“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses,” says Yuan. 

“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behaviour on our platform.

“Keybase’s experienced team will be a critical part of this mission.”

The acquisition represents the latest move by Zoom in its 90-day plan it announced at the beginning of April to improve its security flaws.

In late April, the company announced Zoom 5.0, which provided ‘robust’ enhancements to its security and privacy protocols, including industry-standard AES-GCM encryption with 256-bit keys.

Zoom says the acquisition announced today will take privacy further – in the ‘near future’, Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. 

“Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees,” says Yuan.

“An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees,” he says.

“The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting.”

However, end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems. 

Zoom says it will not monitor meeting contents, but its safety team will continue to look for evidence of abusive users.

It also pledges not to build a mechanism to decrypt live meetings for lawful intercept purposes. 

Yuan says Zoom does not have a means to insert its employees or others into meetings without being reflected in the participant list, and will not build any cryptographic backdoors to allow for the secret monitoring of meetings.

Story image
Claroty finds four vulnerabilities in Schneider Electric OT device
Unmitigated vulnerabilities could give an attacker access to the device, enabling the attacker to break encryption, modify code, and run certain commands.More
Story image
Video: 10 Minute IT Jams - SonicWall VP on the benefits of Boundless Cybersecurity
Today's interviewee will discuss the ins and outs of the company's Boundless Cybersecurity solution and how it can help APAC organisations adjust to the new normal, as well as explaining the 'cybersecurity business gap'.More
Story image
How a vantage point sees threats before they impact
When the focus has been on adversaries that develop increasingly complex and sophisticated attacks, tried and true techniques such as compromised credentials continue to be amongst the most potent weapons.More
Story image
Video: 10 Minute IT Jams - Vectra AI exec discusses cybersecurity for Office 365
In Techday's second IT Jam with Vectra AI, we speak again with its head of security engineering Chris Fisher, who discusses the organisational impact of security breaches within Microsoft O365, why these attacks are on the rise, and what steps organisations should take to protect employees from attacks.More
Story image
ThreatQuotient & Infoblox integrate threat intelligence capabilities
“Together, our integration eases the consumption of threat intelligence from various internal and external sources to ensure that intelligence is accurate, relevant and timely to an organisation’s business.”More
Story image
UK university targeted by one million malicious email attacks
The messages included spam, malware and phishing attacks.More