Citizen Lab, a research team at the University of Toronto, examined what happens behind the encryption used by the Zoom application.
In a publication by the group, it is reported that the platform is not suitable for sharing secrets, nor for government or business use. Citizen Lab found that the Zoom app uses its own encryption scheme as a custom extension to the Real-time Transport Protocol (RTP).
Further, instead of using AES-256 encryption, the researchers found that the app uses a single AES-128 key in Electronic Codebook (ECB) mode.
"The encryption and decryption used by Zoom is AES in ECB mode, which is a very bad idea, because this way of encryption preserves the standard data. Industrial streaming media encryption standards require the use of AES in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB," said the Citizen Lab team.
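To make the ECB weakness concrete, the following added example (not code from Citizen Lab's report or from Zoom) encrypts a plaintext made of eight identical 16-byte blocks with AES-128 in ECB mode and in counter mode, then counts the distinct ciphertext blocks; the key, nonce and plaintext are constructed test values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt encrypts each 16-byte block independently under the same key.
// Equal plaintext blocks therefore produce equal ciphertext blocks, which is
// the pattern leak the report describes. Go ships no ECB helper on purpose.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext))
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// ctrEncrypt uses AES in counter mode, the family of modes that streaming
// media standards such as SRTP recommend instead of ECB.
func ctrEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}

// distinctBlocks counts the unique blocks of size bs in a ciphertext.
func distinctBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(seen)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit test key
	iv := make([]byte, 16)            // constructed all-zero nonce, demo only
	block, _ := aes.NewCipher(key)
	// Constructed plaintext: one 16-byte frame repeated eight times, standing
	// in for a static region of a video stream.
	pt := bytes.Repeat([]byte("STATIC-FRAME-0x1"), 8)
	n := len(pt) / 16
	fmt.Printf("ECB: %d distinct blocks of %d\n", distinctBlocks(ecbEncrypt(block, pt), 16), n)
	fmt.Printf("CTR: %d distinct blocks of %d\n", distinctBlocks(ctrEncrypt(block, iv, pt), 16), n)
}
```

Under ECB the eight identical frames collapse to a single repeated ciphertext block, so an observer learns where the stream repeats without knowing the key; under CTR every block differs.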
The research team also said it discovered a "serious security issue" in the application's waiting room feature and that it disclosed the issue to the company. The researchers said they will provide more information at some point, but until then they recommend that users of the app avoid this feature and protect their meetings with passwords.
This matters because uninvited users can join a meeting and post disruptive content.
In an immediate response to Citizen Lab's warning, Zoom CEO Eric Yuan admitted that the company's encryption fell short.
"We know we can do better with encryption design. Due to the unique needs of our platform, our goal is to use best encryption practices to provide maximum security, while covering the wide range of usage cases we support," he said.
"We are working with external experts and will also seek feedback from our community to ensure that our platform is optimized."
Last week, Zoom said it needed 90 days to improve the security of its products, following a series of complaints it had received.
Citizen Lab also discovered that the app distributed encryption keys from servers in China to participants outside China.
"A company used primarily by North American customers that sometimes distributes encryption keys through servers in China is a potential error, as Zoom may be legally required to disclose those keys to the Chinese authorities," the report said.
Yuan said the company would correct this issue as well.