Meh, if you want to be paranoid about that sort of thing. You do you.
But anyways, according to the software notes the monitoring session data is all encrypted:
Quote:
How secure is Dormi?
All communication (control, audio and video) is encrypted since version 3.0. Session encryption keys are derived from a master key exchanged during the pairing process, unique to each group of paired devices. No other device can decrypt transmitted data.
What encryption algorithms are used?
RSA with 4096 bit* keys is used for the pairing process, during which a secret symmetric master group key is exchanged. The RSA key pair is newly generated by the device after each pairing.
*It takes a few seconds for the RSA key pair to be generated. If the pairing process is started immediately after app installation, before key generation is completed, a 2048 bit key is used instead.
ChaCha20 with 256 bit key along with Poly1305 for message authentication is used to secure control channel messages (now standardized as RFC 7539). Audio and video data adheres to RFC 3711 (Secure-RTP), but we have replaced "AES in Counter Mode" with ChaCha20 and Poly1305 as well. These are preferred algorithms used by Google in Chrome on Android for their security and performance on mobile devices.
The master group secret key is salted anew every time a monitoring session is started, resulting in an ever-changing symmetric session key.
What's an "anti-tamper code"?
This code aims to prevent the so-called "man in the middle" attack during the pairing process. Accept pairing requests only after validating the code is the same on both devices (the one requesting to join a group as well as the one receiving the request). It ensures the group encryption key is not accidentally shared with a malicious party or an attacker.
In more technical terms: the anti-tamper code provides the functionality of the certification authority (CA) in the pairing process (PKI scheme), verifying the communicating parties' public keys.
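An added illustration, not part of the post above and not Dormi's code: how a code derived from both public keys exposes a swapped key during pairing, and how salting a master key gives a fresh session key each time. The hash construction, the 6-digit length, the use of HKDF-SHA256, the function names and all key bytes are assumptions; the quoted notes do not say how Dormi computes either value.

```python
import hashlib
import hmac
import os


def anti_tamper_code(pub_a: bytes, pub_b: bytes, digits: int = 6) -> str:
    """Short code both users compare by eye (hypothetical construction)."""
    h = hashlib.sha256()
    # Sort so both devices hash the keys in the same order, and
    # length-prefix each key so the concatenation is unambiguous.
    for key in sorted((pub_a, pub_b)):
        h.update(len(key).to_bytes(4, "big") + key)
    value = int.from_bytes(h.digest()[:8], "big") % 10 ** digits
    return str(value).zfill(digits)


def session_key(master_key: bytes, salt: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract with the salt, expand one 32-byte block."""
    prk = hmac.new(salt, master_key, hashlib.sha256).digest()
    return hmac.new(prk, b"session" + b"\x01", hashlib.sha256).digest()


def simulate_pairing(intercepted: bool) -> tuple[str, str]:
    """Return the codes shown on each device (all keys are constructed samples)."""
    parent_pub = b"constructed-parent-public-key"
    child_pub = b"constructed-child-public-key"
    middle_pub = b"constructed-substituted-public-key"
    # With interception, each device receives the substituted key
    # instead of its real peer's key.
    seen_by_parent = middle_pub if intercepted else child_pub
    seen_by_child = middle_pub if intercepted else parent_pub
    return (anti_tamper_code(parent_pub, seen_by_parent),
            anti_tamper_code(child_pub, seen_by_child))


if __name__ == "__main__":
    print("clean pairing codes:      ", simulate_pairing(False))
    print("intercepted pairing codes:", simulate_pairing(True))
    master = os.urandom(32)  # stands in for the master group key
    for n in range(2):
        # A new random salt per monitoring session changes the session key.
        print("session", n, session_key(master, os.urandom(16)).hex())
```

A short code only helps if the user actually compares it on both screens, and a design that relies on a truncated hash normally also has each side commit to its key before the code is shown, so that a key cannot be chosen to fit the code.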