
Zoom buys encryption startup in its first-ever acquisition

Zoom has today announced its first-ever acquisition - absorbing Keybase, an end-to-end encryption and secure messaging platform.

The video conferencing company’s inaugural acquisition indicates its intention to correct its record on privacy and security, which has drawn sharp criticism in the months in which its service has seen unprecedented growth during the COVID-19 pandemic.

Terms of the deal were not disclosed.

In a blog post written by Zoom CEO Eric Yuan, the company says it intends to leverage Keybase’s deep encryption and security expertise to help Zoom build its own end-to-end encryption.

“This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses,” says Yuan. 

“Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behaviour on our platform.

“Keybase’s experienced team will be a critical part of this mission.”

The acquisition is the latest move in the 90-day plan Zoom announced at the beginning of April to address its security flaws.

In late April, the company announced Zoom 5.0, which provided ‘robust’ enhancements to its security and privacy protocols, including industry-standard AES-GCM encryption with 256-bit keys.

Zoom says the acquisition announced today will take privacy further – in the ‘near future’, Zoom will offer an end-to-end encrypted meeting mode to all paid accounts. 

“Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees,” says Yuan.

“An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees,” he says.

“The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting.”

However, end-to-end encrypted meetings will not support phone bridges, cloud recording, or non-Zoom conference room systems. 

Zoom says it will not monitor meeting contents, but its safety team will continue to look for evidence of abusive users.

It also pledges not to build a mechanism to decrypt live meetings for lawful intercept purposes. 

Yuan says Zoom does not have a means to insert its employees or others into meetings without being reflected in the participant list, and will not build any cryptographic backdoors to allow for the secret monitoring of meetings.
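
The key distribution Yuan describes (a per-meeting symmetric key generated by the host, enveloped to each attendee's public key and rotated when the attendee list changes) is illustrated below. This is an added example, not code from Zoom or Keybase: the article does not name the asymmetric scheme, so X25519 with HKDF-SHA256 and AES-256-GCM key wrapping, along with every function name and the meeting-id and epoch fields, are assumptions.

```javascript
const crypto = require('node:crypto');

// Long-term identity keypair for a logged-in user (X25519 is an assumption).
function newIdentity(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Derive a 256-bit wrapping key from the host/attendee shared secret,
// bound to the meeting id so it cannot be reused across meetings.
function wrappingKey(privateKey, publicKey, meetingId) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  const okm = crypto.hkdfSync('sha256', shared, Buffer.alloc(0), `meeting:${meetingId}`, 32);
  return Buffer.from(okm);
}

// Host side: envelope the meeting key for one attendee with AES-256-GCM.
// The meeting id and key epoch are authenticated as associated data.
function envelope(host, attendeePub, meetingId, epoch, meetingKey) {
  const iv = crypto.randomBytes(12);
  const key = wrappingKey(host.privateKey, attendeePub, meetingId);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(`${meetingId}:${epoch}`));
  const ct = Buffer.concat([c.update(meetingKey), c.final()]);
  return { epoch, iv, ct, tag: c.getAuthTag() };
}

// Attendee side: recover the meeting key. Throws if the envelope was
// tampered with or was addressed to a different attendee's key.
function openEnvelope(attendee, hostPub, meetingId, env) {
  const key = wrappingKey(attendee.privateKey, hostPub, meetingId);
  const d = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  d.setAAD(Buffer.from(`${meetingId}:${env.epoch}`));
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]);
}

// Host side: generate a fresh meeting key for this epoch and envelope it
// only for the current roster. Calling this again after a roster change
// is the rotation step: departed attendees receive no new envelope.
function distribute(host, roster, meetingId, epoch) {
  const meetingKey = crypto.randomBytes(32);
  const envelopes = new Map(
    roster.map(a => [a.name, envelope(host, a.publicKey, meetingId, epoch, meetingKey)])
  );
  return { meetingKey, envelopes };
}
```

Because the host alone calls `distribute`, the host's client decides which public keys receive an envelope, which matches the statement that the host's software controls which devices can join.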
