tech

Zoom hack: We asked Microsoft, Google, AnyDesk about their encryption models

To talk about video calling app encryption, HT Tech got in touch with Microsoft, Google, Anydesk and spoke to the CEO of cybersecurity firm Lucideus. Here’s what they have to say.

To talk about video calling app encryption, HT Tech got in touch with Microsoft, Google, Anydesk and spoke to the CEO of cybersecurity firm Lucideus. Here’s what they have to say.
To talk about video calling app encryption, HT Tech got in touch with Microsoft, Google, Anydesk and spoke to the CEO of cybersecurity firm Lucideus. Here’s what they have to say. (Pixabay)

From getting hacked by Zoombombers to selling software exploits in the Dark Web, Zoom, the video conferencing app, has probably seen it all over the past few weeks. The software, that's available both on desktop and mobile, has surged in popularity ever since the Covid-19 lockdown began, and is now feeling the heat as schools and organisations have started moving away from the platform due to security concerns.

But with several million of us hunkering down at home to curb the spread of coronavirus, online collaborations with employees or students via video conferences are important to get the work done. And this brings us to the golden question - which video conferencing app should we use?

Now, there are several other video calling apps you can use including Google Duo, Microsoft Skype, Microsoft Teams, AnyDesk etc and you can rank these based on their features. But features are not what we are talking about today, we are talking about their encryption models and how safe are they to use (which is more important than anything right now).

Also read: Govt invites tech companies to build a secure Zoom-alternative, winner to get 1 crore

So, to answer this HT Tech got in touch with Microsoft, Google, Anydesk and spoke to the CEO of cybersecurity firm Lucideus.

But before we tell you what the experts said, here's a brief about what encryption really means. In simple terms, encryption encodes the information sent from one party and decodes it when it reaches the recipient. This prevents the possibility of infiltration, making video calling and messaging secure. However, how well this system can work depends on the level of encryption that firms, in this case the video calling apps, use.

As explained by Saket Modi, co-founder and CEO of Lucideus, there are three encryption standards: 128-bit encryption, 192-bit encryption and the 256-bit encryption, which is also the most difficult level of encryption to crack. Many have been using AES (Advanced Encryption System) with 256-bit for improved security as well. For instance, all your banking applications use 256-bit encryption. However, when it comes to video calling, there are two main kinds of encryption methods - end-to-end encryption and TLS 1.2.

TLS (Transport Layer Security), as the name suggests, ensures secure delivery of data over the internet between two applications. It however, does not secure data on the end systems (your smartphones and your computers).

Also read: Zoom responds to MHA deeming the app 'not safe'

So, what encryption platform is Zoom using?

As mentioned by Zoom in its support page, the TLS 1.2 with AES 256-bit algorithm is only used for the desktop clients right now. However, "for dial-in participants joining by phone, the audio is encrypted until it leaves Zoom's data centre and is transferred to the participant's phone network," says Zoom.

What's worth adding is that while Zoom did mention it uses end-to-end encryption before for all calls, it never actually did. The firm even apologised for it later in a blog post and even faced a class-action lawsuit for overstating privacy standards and not disclosing that its service was not end-to-end encrypted.

What about the alternatives?

When we asked Microsoft about Skype's encryption model, the Redmond-based tech firm said that it "does not store any Skype video or audio calls, and chat messages are stored to enable sync across devices, but can be deleted".

The representative even pointed us towards the Skype support page that duly mentions the use of AES (Advanced Encryption Standard) "which is used by the US Government to protect sensitive information, and Skype has for some time always used the strong 256-bit encryption".

While for instant messages, Microsoft uses TLS to encrypt messages between Skype and other chat services that are based on Microsoft's cloud. However, it uses AES when the messages are sent between two Skype clients.

Also read: Zoom vs Google Meet vs Microsoft Teams: Which video conferencing app to go for

The spokesperson added that Skype has seen a growth over the past one month. "Skype has seen an increase in usage, with 40 million people using it daily, up 70% month over month and, we are seeing a 220% increase in Skype to Skype calling minutes month over month."

AnyDesk, another team collaboration app, confirmed to HT Tech that it uses TLS 1.2 encryption platform. "In addition to that, we use 2048bit RSA (standard cryptographic algorithm) or 256bit Elliptic curve DH asymmetric key exchange and AEAD to verify every single connection. The combination of TLS 1.2 and 2048bit RSA or 256bit Elliptic key exchanges mean that each connection is wrapped in multiple layers of security."

The firm adds that if any modification is detected in the connection signal, the connection drops automatically, which makes it difficult for man-in-the-middle attacks, something Zoom has witnessed thanks to Zoombombers and Zoom raiders.

AnyDesk claims that it has seen an increase of 200-500% in usage in certain regions across the world.

Also read: How to delete your Zoom account

When HT Tech asked the Google Duo team about the encryption platform they use, the team had no comments but pointed us towards one of their support pages. Although the page did say that Duo uses end-to-end encryption for all video and audio calls, it failed to provide details on the standards that are being used.

But, should you use Zoom or not? Lucideus CEO Saket Modi pointed out that although the firm has been transparent about the loopholes lately and has started making the platform more secure, it is still not recommended given its track record.

But in case you are already using Zoom, and still have to use it, the security protocols must be enabled. We have mentioned a few pointers here on how one can make Zoom calling more secure.