Zoom vs. Google Meet - From an Ethical Hacker's Perspective, Which is More Secure? (It's Google)
Before jumping into this, for the security reasons detailed below (and because nobody likes click-bait), I'm just going to tell you immediately: as of today, use Google Meet. Read on for all the details I could compile from the web today. It's complicated, but to summarize: Zoom has a sketchy past, and while it has certainly made several improvements, Google Meet was built from the start to meet strict business needs and regulations as an offering within G Suite. The only redeeming factor I can find for Zoom currently is that it can host larger meetings. It is not the more secure option, and, out of the two, for the reasons given below, I have to recommend Google Meet over Zoom. Thanks for clicking, and I hope you enjoy the read.
It's late 2020. Video conferencing solutions such as Zoom and Google Meet have universally replaced the "meeting room," and even entire physical workspaces, which are now deemed too dangerous given the high likelihood of transmitting a potentially deadly virus sweeping the globe. Right now, the last thing we need is another article rambling about "these trying times," so I'm just going to jump into the facts. Which is more secure, and which should you use? While I'm going to look at this question from a business-solution perspective, there is still a lot to consider for the average user, even if you are using this app simply to talk with friends or family.
The Past
I'm going to dig deep into the past of Zoom, because it's fascinating and crucial to understanding why choosing the right solution is so important. Also, I believe first impressions are important. If you're more interested in the state of things today and just want to read about a secure solution, jump to "The Present" (spoiler: choose Google Meet).
We need to start back in March/April 2020. As the pandemic caught us off guard, we were quickly forced to work online and over the phone. Zoom was a popular solution at the time, offering a free alternative to more complicated business-aimed solutions such as Google Meet. Naturally, Zoom quickly became the go-to solution, because it was free and easy to use. Its explosion as a universal solution, however, also unveiled many flaws. Zoom was not prepared, and understandably so; nobody was prepared.
The first issues were with installers. In early 2020, trojanized copies of Zoom's installer circulated outside Zoom's official download channels; they installed a working Zoom client as normal, but also dropped remote-access malware that gave attackers persistent, silent, administrative access to the machine, including its camera and microphone. They could see anything, and hear everything. Zoom's own macOS installer drew criticism at the same time for using pre-installation scripts to complete the install before the user had clicked through the normal consent prompt, which is the kind of behaviour researchers expect from malware rather than from a legitimate installer, and it taught a generation of users to grab "Zoom" from whatever link they were sent.
Additionally, at the time Zoom marketed end-to-end encryption but did not actually provide it. Note that Zoom's standard meetings still rely on transport encryption as of this writing; see Zoom's own wording under "The Present". End-to-end encryption (E2EE) ensures that nobody except the intended participants can read the content (whether calls or text), because the keys that decrypt it exist only on the participants' own devices. Ideally not even the provider, nor a government that compels the provider, can obtain those keys; the provider's servers only ever relay ciphertext they cannot decrypt. E2EE is not magic, though: it protects content on the wire and at the provider, not a participant's compromised laptop. Back in March/April, Zoom was actually using transport encryption in which Zoom's own servers held the keys and sat in the middle between participants, decrypting and re-encrypting the media, which is not end-to-end encryption at all. This false claim of E2EE left a bad taste in the mouth of many.
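To make the distinction concrete, here is a toy model written for this post (example code, not Zoom's or Google's). It uses only the Python standard library: the cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag, an assumption made so the example runs anywhere, and it is there to show who holds the key, not to be a production cipher. In the transport-only call, the relay strips the sender's transport layer and sees plaintext before re-wrapping it for the receiver; in the end-to-end call, the participants share a session key the relay never receives, so the relay only ever sees ciphertext.

```python
"""Transport (hop-by-hop) encryption vs end-to-end encryption through a relay.

Added example for this post, not Zoom's or Google's code. The cipher is a toy
HMAC-SHA256 keystream (assumption: stdlib only); the point is key placement.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream as HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on tampering or a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Relay:
    """The provider's server. It holds one transport key per client link
    (what TLS/DTLS gives you) and records whatever it is able to read."""
    link_keys: dict
    observed: list = field(default_factory=list)

    def forward(self, sender: str, receiver: str, blob: bytes) -> bytes:
        inner = open_(self.link_keys[sender], blob)    # strip the sender's transport layer
        self.observed.append(inner)                    # everything the server can see
        return seal(self.link_keys[receiver], inner)   # re-wrap for the receiver's link


def transport_only_call(message: bytes):
    """Each client shares a transport key only with the server (TLS-style).
    Returns (what Bob decrypts, what the relay observed)."""
    relay = Relay({"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)})
    on_wire = seal(relay.link_keys["alice"], message)
    delivered = relay.forward("alice", "bob", on_wire)
    return open_(relay.link_keys["bob"], delivered), relay.observed[0]


def e2ee_call(message: bytes):
    """Alice and Bob additionally share a session key the server never
    receives (pre-shared here; in practice agreed via a key exchange).
    The transport layer still wraps the outside exactly as before."""
    relay = Relay({"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)})
    session_key = secrets.token_bytes(32)   # known to Alice and Bob only
    on_wire = seal(relay.link_keys["alice"], seal(session_key, message))
    delivered = relay.forward("alice", "bob", on_wire)
    return open_(session_key, open_(relay.link_keys["bob"], delivered)), relay.observed[0]


if __name__ == "__main__":
    msg = b"constructed sample: Q3 numbers attached"   # constructed input
    got, seen = transport_only_call(msg)
    print("transport-only: relay saw plaintext?", seen == msg)
    got, seen = e2ee_call(msg)
    print("end-to-end:     relay saw plaintext?", seen == msg)
```

Both calls deliver the message intact to Bob; the difference is entirely in what the relay's `observed` list contains. A "256-bit TLS" bullet on a vendor's security page describes the outer layer only, and says nothing about whether the inner layer exists.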
To make matters worse, Zoom's handling of data was sloppy. The iOS app embedded Facebook's SDK, which reported device and app-usage data to Facebook on launch even for users with no Facebook account. Zoom also apologized after researchers found that some meetings, and their encryption keys, had been routed through servers in China, where traffic is subject to heavy restriction and inspection, even when no participant was in China. Then there was chaos at the application level: the infamous "Zoombombing", where uninvited people joined rooms and wreaked havoc during important meetings. Meeting IDs were simple 9-11 digit numbers that legitimate users passed around as "private" invites, a weak password of sorts. A 9-digit ID has only a billion possible values, meetings had no passcode by default, and guessing was not effectively rate-limited, so automated tools could try random IDs and land on live meetings at a meaningful rate; on top of that, IDs leaked constantly through screenshots and public posts. Zoom admitted quite bluntly that it was not prepared for nearly the entire world to begin teleconferencing at once, and personally, I don't want to bash them, but some of these security flaws are unforgivable, and they should have shut down the service for a complete security restructure after their numbers shot through the roof, rather than issuing patches and apologies. But again, to be fair, hindsight is always 20/20.
By this point, many companies, government bodies and school districts had banned Zoom over the risk of leaking sensitive information, but it remained widespread at universities, schools, and among families and friends trying to keep in touch. After all, who would want to pay when a free solution did the trick?
I recommend this article for learning more about Zoom's past, and this article for Zoom's ongoing security issues, which was being updated weekly at the time of writing.
The Present
Let's compare Zoom and Google Meet as they are today. Thankfully, in spring 2020 Google made its business-level solution, Google Meet (formerly Hangouts Meet, part of G Suite), free to anyone with a Google account. Google, a far more experienced and widely trusted provider in this space, sought to fill the demand that Zoom was failing to meet. I have to give kudos to Google; without that offering, many people and huge amounts of private information could have been compromised. Google could easily have kept this a paid solution.
However, as you will see below, Zoom has definitely stepped up its security, as expected. The biggest remaining issue is that, for full functionality, you need to install a client/app, and that very client has been the source of many of Zoom's security issues. Google Meet, on the other hand, provides everything through the browser: there is nothing to install and no separate patch cycle to keep up with, because fixes ship with the browser itself; mobile apps exist, but they are optional. Every native client you install is attack surface that has to be kept patched, and avoiding that is a huge reason why I recommend Google Meet.
To make this as easy as possible for you, I'm going to list the current security features of both, and you can make the choice. However, when it comes to choosing a free solution, my choice as a security professional is Google Meet. Remember, if you're just looking to talk with friends or family, and not discussing anything too private, Zoom is a fine solution, especially today; but there are still issues. Just remember that Google Meet is also free, and you likely already have a Gmail account. Google Meet was built from the very start as a paid product with business needs in mind, as part of G Suite. Google has an incredible track record and should be the trusted solution when compared to Zoom. Why would you not use Google Meet?
Take a look at the security details below, and make the decision yourself. Thanks for taking the time to read, and I hope this was helpful.
Google Meet:
Multiple 2-step Verification Options
Browser-based (an app is available, but there is no need to install a client or to keep it patched, since updates arrive with the browser; this reduces the attack surface)
Adheres to IETF standards for DTLS and SRTP
Encryption details:
-TLS with 256-bit encryption between the client and Google
-Media protected per the IETF DTLS and SRTP standards above
Compliance and attestations:
-SOC 1
-ISO/IEC 27001, 27017, 27018
-HITRUST
-FedRAMP
-GDPR Compliant
-HIPAA
-COPPA
-FERPA
According to Google: "For every person and for every meeting, Meet generates a unique encryption key, which only lives as long as the meeting, is never stored to disk, and is transmitted in an encrypted and secured RPC (remote procedure call) during the meeting setup."
Read that carefully: the per-meeting key is generated and distributed by Google's servers, so Google necessarily holds it for the duration of the meeting. That is strong encryption in transit, with short-lived keys and no key persistence, but it is not end-to-end encryption in the sense defined under "The Past".
Zoom:
Two-factor Authentication Option
Limited browser-based functionality; a client download/install is required for full functionality, along with ongoing updates/patches
Encryption details:
-TLS with 256-bit encryption (transport encryption; Zoom's servers hold the keys)
Compliance and attestations:
-SOC 2
-FedRAMP (Moderate)
-GDPR Compliant
-HIPAA
-PIPEDA
-PHIPA
According to Zoom: "Zoom’s solution and security architecture provides encryption and meeting access controls so data in transit cannot be intercepted."
Note the wording: "data in transit cannot be intercepted" describes transport encryption. Traffic is protected from third parties on the wire, but, as discussed under "The Past", Zoom's own servers can still decrypt it, so this is not a claim of end-to-end encryption.