Zoom: Not suitable for use (AES-128 in ECB mode)

Citizen Lab, a research team from the University of Toronto, was able to see what is happening behind the encryption used by the Zoom application.

In a publication by the group, it is stated that the platform is not suitable for the exchange of secrets, nor for governmental or business uses. Citizen Lab found that Zoom uses its own encryption scheme as a custom extension to the Real-time Transport Protocol (RTP).


Further, instead of using AES-256 encryption, they found that the application uses an AES-128 key in electronic codebook (ECB) mode.

"The encryption and decryption used by Zoom is AES in ECB mode, which is a very bad idea, because this way of encryption preserves the standard data. Industrial streaming media encryption standards require the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as the ECB," said the Citizen Lab team.

The research team also said they discovered a “serious issue” in the waiting room function of the application and that they disclosed it to the company. The researchers said they will share more at some point, but until then they recommend that users of the application not use this feature, and that they use passwords for their meetings.

This vulnerability is especially important as uninvited users can enter a meeting and post annoying content.

In a direct response to Citizen Lab, Zoom CEO Eric Yuan admitted that the company's encryption was shoddy.

"We know we can do better with encryption design. Due to the unique needs of our platform, our goal is to use best encryption practices to provide maximum security, while covering the wide range of usage cases we support," he said.

"We are working with external experts and will also seek feedback from our community to ensure that our platform is optimized."

Last week, Zoom said it needed 90 days to improve the security of its products, after a series of complaints it received.

Citizen Lab also discovered that the application used encryption keys delivered to participants from servers in China.

“A company used primarily by North American customers that sometimes distributes encryption keys through servers in China is a potential , as Zoom may be legally obliged to disclose these keys to the authorities in China,” the report states.

Of course, Yuan said that the company will correct this issue as well.

iGuRu.gr The Best Technology Site in Greece


Written by giorgos
