Messaging apps have an eavesdropping problem




In early 2019, a bug in group FaceTime calls would have allowed attackers to activate the microphone, and even the camera, of the iPhone they were calling and listen in before the recipient did anything. The implications were so severe that Apple invoked a nuclear option, cutting off access to the group calling feature altogether until the company could release a fix. The vulnerability, and the fact that it required no tapping or clicking from the victim, captivated Natalie Silvanovich.

“The idea that you can find a bug where the impact is, you can get a call answered without any interaction, it’s surprising,” says Silvanovich, a researcher on Google’s Project Zero bug-hunting team. “I broke down a bit and tried to find these vulnerabilities in other applications. And I ended up finding a number of them.”

Silvanovich has spent years studying “no-interaction” vulnerabilities, hacks that do not require targets to click a malicious link, download an attachment, type a password in the wrong place, or otherwise participate in some way. These attacks have grown in importance as targeted mobile surveillance explodes around the world.

At the Black Hat Security Conference in Las Vegas on Thursday, Silvanovich presents her findings on remote eavesdropping bugs in ubiquitous communications apps like Signal, Google Duo, and Facebook Messenger, as well as the popular international platforms JioChat and Viettel Mocha. All the bugs have been fixed, and Silvanovich says the developers were extremely responsive in fixing the vulnerabilities within days or weeks of her disclosures. But the large number of findings in consumer services underscores just how common these flaws can be and the need for developers to take them seriously.

“When I heard about this group FaceTime bug, I thought it was a one-time bug that wouldn’t happen again, but it turned out to be wrong,” says Silvanovich. “This is something we didn’t know before, but it’s important now that people who build communications applications know. You promise your users that you aren’t suddenly going to start streaming audio or video from them all the time, and it’s your burden to make sure your app lives up to that.”

The vulnerabilities discovered by Silvanovich offered an assortment of eavesdropping options. The Facebook Messenger bug could have allowed an attacker to listen to audio from a target’s device. The Viettel Mocha and JioChat bugs both potentially gave advanced access to audio and video. The Signal flaw only exposed audio. And the Google Duo vulnerability gave access to the video, but only for a few seconds. During this time, an attacker could still save some images or take screenshots.

The applications reviewed by Silvanovich all build much of their audio and video calling infrastructure on real-time communication tools from the open source WebRTC project. Some of the no-interaction call vulnerabilities come from developers who apparently misunderstood WebRTC’s features or implemented them poorly. But Silvanovich says other flaws came from service-specific design decisions about when and how each service sets up calls.

When someone calls you on an Internet-based communications application, the system can start setting up the connection between your devices immediately, a process called “making”, so that the call can start instantly when you press Accept. Another option is for the app to wait a bit, wait to see if you accept the call, and then take a few seconds to establish the communication channel once it knows your preference.
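The design choice described above, as an added illustration (not code from any of the apps named or from WebRTC): a callee-side state machine in which the connection may be set up while the phone is still ringing, but capture tracks are enabled only by the local user's accept. Class, method and message names are hypothetical, and the track objects are stand-ins that mimic only the `enabled` flag of a WebRTC `MediaStreamTrack`.

```javascript
// Added illustration: callee-side call state machine. All names are hypothetical.
// Track objects are plain stand-ins that mimic MediaStreamTrack's `enabled` flag.
class IncomingCall {
  constructor(tracks) {
    this.state = "ringing";        // ringing -> accepted | ended
    this.transportReady = false;
    this.tracks = tracks;
    this.rejected = [];            // audit trail of refused peer requests
    this.muteAll();                // nothing is captured until the user accepts
  }
  muteAll() { for (const t of this.tracks) t.enabled = false; }
  // Early connection setup is allowed while ringing; it never touches media.
  onTransportConnected() { this.transportReady = true; }
  // Signaling from the remote peer is untrusted input: while ringing, only
  // transport bookkeeping and hangup are honoured, never a state change.
  onPeerMessage(msg) {
    const allowedWhileRinging = new Set(["candidate", "hangup"]);
    if (this.state === "ringing" && !allowedWhileRinging.has(msg.type)) {
      this.rejected.push(msg.type);
      return false;
    }
    if (msg.type === "hangup") this.end();
    return true;
  }
  // The single path that enables capture: the local Accept button handler.
  acceptFromLocalUser() {
    if (this.state !== "ringing") return false;
    this.state = "accepted";
    for (const t of this.tracks) t.enabled = true;
    return true;
  }
  end() { this.state = "ended"; this.muteAll(); }
  // Invariant suitable for a unit test or a runtime assertion.
  mediaLeaking() {
    return this.state !== "accepted" && this.tracks.some((t) => t.enabled);
  }
}

function demo() {
  const call = new IncomingCall([{ kind: "audio" }, { kind: "video" }]); // constructed
  call.onTransportConnected();                                 // set up early
  const handled = call.onPeerMessage({ type: "set-state" });   // constructed message
  const before = call.tracks.map((t) => t.enabled);
  const leakBefore = call.mediaLeaking();
  call.acceptFromLocalUser();
  const after = call.tracks.map((t) => t.enabled);
  return { handled, before, leakBefore, after, rejected: call.rejected };
}
```
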
