Starting Saturday, paying customers can opt in or out of a specific data centre region, although they won't be able to change their default region, which for most customers is the United States.
Zoom has data centres in the U.S., Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.
The move comes after the University of Toronto's Citizen Lab earlier this month released a report that found Zoom generated encryption keys on servers in China, even though all the people on a call were located outside of the country.
Although users of the free service won't have the opt-in and opt-out options available to paying customers, Zoom said it would not route the data of any users located outside of China through the country.
Avoiding Unsafe Servers
Allowing customized routing will appeal to some companies that must meet compliance requirements for their industries.
"There are certain government and cybersecurity standards that require traffic remain within the U.S.," explained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider located in Clearwater, Florida.
"For organisations who do not wish to accept the risk of traffic leaving the U.S., this will mitigate and resolve that risk," he told TechNewsWorld.
Managing a call path lets a meeting planner avoid potentially unsafe servers, said Justin Kezer, managing consultant at nVisium, a Falls Church, Virginia-based application security provider.
"That limits the risk of someone listening to an active call through a missing application security feature, like a lack of password and access controls, or siphoning the data directly from a vulnerable server."
However, customised routing doesn't address another flaw Citizen Lab found with Zoom, noted Charles Ragland, security engineer at San Francisco-based Digital Shadows, a provider of digital risk protection solutions.
"This does not mitigate the risk posed by the lack of true end-to-end encryption or weak encryption that was discovered by Citizen Lab."
Passwords for Sale
Zoom's popularity skyrocketed with the spread of the COVID-19 virus and the resulting increase in home workers. It appears its newfound popularity attracted more attention from hackers.
Information on more than 500,000 Zoom accounts has shown up for sale on the Dark Web and in hacker forums, priced at a penny for each, or less, Bleeping Computer reported Monday.
The data was compiled through credential stuffing attacks. Logins from prior data breaches were tried on Zoom, and the ones that worked were bundled together and sold to other hackers, Bleeping Computer explained.
"Criminals will always seize an opportunity to raise their profile or stay relevant. This would be more of the same," Digital Shadows' Ragland observed.
The sale of the Zoom accounts "raises questions for some solutions on whether or not users should even be allowed to choose their own passwords," Carson said.
Although Zoom has found itself under the security magnifying glass, it hasn't dropped the ball, maintained nVisium's Kezer.
"Zoom is doing an excellent job reacting to the security issues. However, like most companies, proactive security measures and testing would have prevented these issues," he said.
"They are quick to accept the vulnerability and promptly issue a patch -- that is the most we can ask of any company," Kezer continued. "Frankly, I am impressed that they have put all their development efforts towards security. That is a sign of a solid security-minded management team. They are now being proactive."
Despite those security efforts, there are signs of anxiety in the Zoom community.
Twelve percent of the 4,000 professionals who responded to a recent survey had stopped using Zoom, including 100 percent of Tesla professionals. Blind, an anonymous workplace network of professionals based in San Francisco, released the results last week.
More than a third of the professionals surveyed (35.2 percent) said they were worried their information may have been compromised.
One feature Baffle doesn't use is passwords for meeting participants. It uses the "waiting room" feature. Meeting participants remain in a virtual waiting room until the meeting organiser clears them. That way the organiser need not worry about a participant's password being compromised and an unwanted party crashing the meeting.
That feature has its problems, too.
"During our analysis, we also identified a security issue with Zoom's Waiting Room feature," states the Citizen Lab report on Zoom. "Assessing that the issue presented a risk to users, we have initiated a responsible vulnerability disclosure process with Zoom. We are not currently providing public information about the issue to prevent it from being abused. We intend to publish details of the vulnerability once Zoom has had a chance to address the issue."