Citizen Lab, a research group at the University of Toronto, was able to examine what goes on behind the encryption used by the Zoom application.
In one publication, the group states that the platform is not suitable for the exchange of secrets, nor for governmental or business use. Citizen Lab found that Zoom uses its own encryption scheme as a custom extension to the Real-time Transport Protocol (RTP).
Furthermore, instead of the AES-256 encryption Zoom advertised, the researchers found that the application uses an AES-128 key in electronic codebook (ECB) mode.
"The encryption and decryption that Zoom uses is AES in ECB mode, which is a very bad idea because this encryption method preserves patterns in the data. Industry standards for streaming media encryption require AES to be used in Segmented Integer Counter Mode or f8-mode, which do not have the same weakness as ECB mode," the Citizen Lab team reports.
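The weakness the report describes is easy to make visible. The following Go program is an added example, not code from the original article or from Zoom; it assumes a constructed 16-byte key and nonce and a constructed "media frame" made of four identical 16-byte blocks, as a run of identical pixels or silence would produce. It encrypts that frame with AES-128 in ECB mode and in counter (CTR) mode and counts how many distinct ciphertext blocks each produces.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// EncryptECB encrypts plaintext with AES in ECB mode: every 16-byte block is
// encrypted independently under the same key. Go's standard library deliberately
// offers no ECB helper, so it is spelled out block by block here. The plaintext
// length must be a multiple of the block size (no padding is applied).
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// EncryptCTR encrypts plaintext with AES in counter mode, the family of modes
// the streaming-media standards cited in the report belong to. Each block is
// XORed with the encryption of a unique nonce||counter value, so equal
// plaintext blocks do not yield equal ciphertext blocks.
func EncryptCTR(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// DistinctBlocks counts the distinct 16-byte blocks in a ciphertext. Under ECB
// this equals the number of distinct plaintext blocks (the pattern leak the
// report describes); under CTR it equals the total block count.
func DistinctBlocks(ct []byte) int {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte (AES-128) key
	iv := []byte("fedcba9876543210")  // constructed 16-byte nonce for CTR
	// Constructed frame: four identical blocks.
	frame := bytes.Repeat([]byte("SAME-BLOCK-HERE!"), 4)

	ecb, _ := EncryptECB(key, frame)
	ctr, _ := EncryptCTR(key, iv, frame)
	n := len(frame) / aes.BlockSize
	fmt.Printf("plaintext:      %d distinct of %d blocks\n", DistinctBlocks(frame), n)
	fmt.Printf("ECB ciphertext: %d distinct of %d blocks\n", DistinctBlocks(ecb), n)
	fmt.Printf("CTR ciphertext: %d distinct of %d blocks\n", DistinctBlocks(ctr), n)
}
```

Run with `go run`: the ECB ciphertext has a single distinct block repeated four times, so anyone watching the encrypted stream can tell that those four plaintext blocks were identical, while the CTR ciphertext shows four unrelated blocks. That structural leak, not the 128-bit key length, is what makes ECB unsuitable for media streams.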
The research team also stated that it discovered a "serious security issue" in the application's waiting room feature and that it disclosed it to the company. The researchers said they would provide more information at some point, but until then they recommend that users of the application not use this feature and instead set passwords for their meetings.
This vulnerability is especially important because uninvited users can enter a meeting and post disruptive content.
In a direct response to Citizen Lab's findings, Zoom CEO Eric Yuan admitted that the company's encryption was shoddy.
"We know we can do better with encryption design. Due to the unique needs of our platform, our goal is to use best encryption practices to provide maximum security, while covering the wide range of usage cases we support," he said.
"We are working with external experts and will also seek feedback from our community to ensure that our platform is optimized."
Last week, Zoom said it needed 90 days to improve the security of its products, after a series of complaints it had received.
Citizen Lab also found that the application sent encryption keys through servers in China to participants located outside of China.
"A company used primarily by North American customers that sometimes distributes encryption keys through servers in China is a potential error, as Zoom may be legally required to disclose those keys to the Chinese authorities," the report said.
Of course, Yuan said that the company will correct this issue as well.