In one of its publications, the group states that the platform is not suitable for exchanging secrets, nor for governmental or business use. Citizen Lab found that the Zoom application uses its own encryption scheme as a custom extension to the Real-time Transport Protocol (RTP).
Furthermore, instead of AES-256 encryption, the researchers found that the application uses an AES-128 key in electronic codebook (ECB) mode.
"The encryption and decryption used by Zoom is AES in ECB mode, which is a very bad idea, because this mode of encryption preserves patterns in the input. Industry streaming media encryption standards require the use of AES in Segmented Integer Counter Mode or f8 mode, which do not have the same vulnerability as ECB," the Citizen Lab team said.
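To make the ECB weakness concrete, here is a small added demonstration (not code from the article or from Citizen Lab) that encrypts a plaintext made of one repeated 16-byte block with AES-128 in ECB mode and in counter (CTR) mode, then counts how many distinct ciphertext blocks each produces. The key, nonce and plaintext are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed AES-128 key and CTR nonce for the demo; never reuse real ones.
var demoKey, demoIV = []byte("0123456789abcdef"), []byte("fedcba9876543210")

// ecbEncrypt runs the raw block cipher over each 16-byte block independently,
// which is all ECB mode is; the input length must be a multiple of 16.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	if len(plaintext)%aes.BlockSize != 0 { return nil, fmt.Errorf("length %d is not a multiple of %d", len(plaintext), aes.BlockSize) }
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize]) // equal input block -> equal output block
	}
	return out, nil
}

// ctrEncrypt uses AES in counter mode: every block is XORed with a distinct
// keystream block, so equal plaintext blocks no longer produce equal ciphertext.
func ctrEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// distinctBlocks counts how many different 16-byte blocks appear in data.
func distinctBlocks(data []byte) int {
	seen := map[[16]byte]struct{}{}
	for i := 0; i+16 <= len(data); i += 16 {
		var b [16]byte
		copy(b[:], data[i:i+16])
		seen[b] = struct{}{}
	}
	return len(seen)
}

func main() { // constructed input: one 16-byte "frame" repeated four times
	pt := []byte("silence frame 0!silence frame 0!silence frame 0!silence frame 0!")
	ecb, _ := ecbEncrypt(demoKey, pt)
	ctr, _ := ctrEncrypt(demoKey, demoIV, pt)
	fmt.Println("distinct blocks: ecb", distinctBlocks(ecb), "ctr", distinctBlocks(ctr))
}
```

ECB yields a single repeated ciphertext block, exposing the repetition in the input, while CTR yields four different blocks.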
The research team also stated that it discovered a "serious security issue" in the application's waiting room feature and reported it to the company. The researchers said they would provide more details at a later date, but until then they advise users not to use the feature and to set passwords for their meetings.
This vulnerability is especially important because uninvited users can enter a meeting and post disruptive content.
"We know we can do better with encryption design. Due to the unique needs of our platform, our goal is to use best encryption practices to provide maximum security, while covering the wide range of use cases we support," Yuan, Zoom's CEO, said.
"We are working with external experts and will also seek feedback from our community to ensure that our platform is optimized."
Citizen Lab also found that the application sometimes distributed encryption keys from servers in China to participants outside China.
"A company used mainly by North American clients that sometimes distributes server encryption keys in China is a potential mistake, as Zoom may be legally obliged to disclose these keys to the Chinese authorities," the report said.
Yuan also said that the company will correct this issue.