Google Project Zero security researcher Natalie Silvanovich found multiple flaws in popular video conferencing apps such as Signal and FB Messenger, that allowed to force a target device to transmit audio of the surrounding environment to an attacker device.
The bugs are similar to a logic flaw discovered in January 2019 in Group FaceTime that allowed to hear a person’s audio before he answers,
The logic flaws affect Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps, the good news is that they have been already fixed by the development teams.
“The ability to force a target device to transmit audio to an attacker device without gaining code execution was an unusual and possibly unprecedented impact of a vulnerability. Moreover, the vulnerability was a logic bug in the FaceTime calling state machine that could be exercised using only the user interface of the device.” reads the post published by Silvanovich. “While this bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other state machines had similar vulnerabilities as well. “
Most of video conferencing applications use WebRTC, while peers could establish WebRTC connections by exchanging call set-up information in Session Description Protocol (SDP), this process is called signalling.
In a typical WebRTC connection, the caller starts off by sending an SDP offer to the received, which in turn responds with an SDP answer.
The messages contain most information that is needed to transmit and receive media, including codec support, encryption keys and much more.
“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection. However, when I looked at real applications they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.” continues the post.
The logical flaws also potentially allowed the caller to force a callee device to transmit audio or video data.
Silvanovich discovered that data is shared even if the receiver has not interacted with the application to answer the call.
“The majority of the bugs did not appear to be due to developer misunderstanding of WebRTC features. Instead, they were due to errors in how the state machines are implemented. That said, a lack of awareness of these types of issues was likely a factor. It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device.” concludes the expert.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, mobile apps)