McAfee’s Advanced Threat Research Team has published research showing that attackers could have eavesdropped on active private audio and video calls by exploiting a critical vulnerability in a widely used video-calling SDK (Software Development Kit).
The report explains that the vulnerability was found in the Agora.io SDK, which is used by a number of healthcare applications such as Practo, Dr. First’s Backline, and Talkspace; by social applications such as Plenty of Fish, MeetMe, Skout, and eHarmony; and by the Android application that pairs with the personal robot “Temi”.
Agora is a California-based platform for voice, video, and interactive live streaming that lets developers add voice chat, video chat, real-time messaging, interactive live streaming, and real-time recording to their products. Its SDKs are reported to be embedded in more than 1.7 billion devices worldwide, across desktop, web, and Android applications.
McAfee reported the vulnerability to Agora.io on 20 April 2020; Agora released an updated SDK addressing the issue on 17 December 2020.
The root cause was improper or incomplete encryption. An attacker exploiting the flaw could have intercepted ongoing communications by performing a Man-in-the-Middle attack. The researchers stated that “Agora’s SDK implementation did not allow applications to securely configure the setup of video/audio encryption, thereby leaving a potential for hackers to snoop on them.”
Specifically, the call-setup function that associates an end user with a call request passed its parameters, including the App ID and authentication token, in plain text. An attacker positioned on the network could therefore observe the traffic, harvest the details of an ongoing call, and then use their own Agora-based application to join the call without the host’s knowledge. The vulnerability underscores the need to build applications with stronger protections for user privacy.
Although no evidence was found of the vulnerability being exploited in the wild, developers are strongly advised to update to the latest version of the Agora SDK to mitigate the issue.
The researchers concluded: “Privacy is always a top concern for consumers, but also remains an enticing threat vector for attackers. If we look at the two biggest apps we investigated (MeetMe and Skout), both are rated for mature audiences (17+) to “meet new people” and both advertise over 100 million users. MeetMe also mentions “flirting” on the Google Play store and its website has testimonies about people meeting the “love of their life”. Although they are not explicitly advertised as dating apps, it would be reasonable to draw the conclusion that it is at least one of their functions. In the world of online dating, a breach of security or the ability to spy on calls could lead to blackmail or harassment by an attacker. Other Agora developer applications with smaller customer bases, such as the temi robot, are used in numerous industries such as hospitals, where the ability to spy on conversations could lead to the leak of sensitive medical information.”