Vulnerabilities found in multiple video conferencing mobile applications allowed attackers to listen to users’ surroundings without permission before the person on the other end picked up the calls.
The logic bugs were found by Google Project Zero security researcher Natalie Silvanovich in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps and are now all fixed.
However, before being patched, they made it possible to force targeted devices to transmit audio to the attackers’ devices without the need of gaining code execution.
“I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data,” Silvanovich explained.
“Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the peer connection.
“However, when I looked at real applications they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee.”
I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger https://t.co/PlB0PzLzjJ
— Natalie Silvanovich (@natashenka) January 19, 2021
As Silvanovich revealed, a Signal bug patched in September 2019 made it possible to connect an audio call without user interaction by sending the connect message from the caller device to the callee device instead of the other way around.
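The consent rule Silvanovich describes, modelled as an added example (not code from any of the apps or from Project Zero): a toy callee state machine in a flawed and a hardened form, replayed against a constructed signalling trace in which the caller sends the "connect" message in the wrong direction, as in the Signal bug. The `Callee` class, message names and traces are assumptions made for illustration.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()    # offer received, waiting for the local user
    ACCEPTED = auto()   # local user tapped "answer"
    CONNECTED = auto()  # media is allowed to flow
    ENDED = auto()

class Callee:
    """Callee-side call state machine (hypothetical model). strict=True is the hardened
    form: tracks are attached only after the local user accepts, and 'connect' may only
    be triggered locally. strict=False mirrors the flawed pattern: tracks are attached
    as soon as the offer arrives and a caller-sent 'connect' is honoured."""
    def __init__(self, strict=True):
        self.strict, self.state = strict, State.IDLE
        self.tracks_attached, self.rejected = False, []

    def on_message(self, kind, sender):
        s = self.state
        if s is State.IDLE and kind == "offer" and sender == "caller":
            self.state = State.RINGING
            if not self.strict:
                self.tracks_attached = True   # flawed: media ready before consent
        elif s is State.RINGING and kind == "accept" and sender == "local":
            self.state, self.tracks_attached = State.ACCEPTED, True
        elif kind == "connect" and ((sender == "local" and s is State.ACCEPTED) or
                (not self.strict and sender == "caller" and s is not State.ENDED)):
            self.state = State.CONNECTED   # flawed path trusts the remote peer here
        elif kind == "hangup":
            self.state, self.tracks_attached = State.ENDED, False
        else:
            self.rejected.append((s.name, kind, sender))   # hardened: log and ignore
        return self.state

    def transmitting(self):
        return self.state is State.CONNECTED and self.tracks_attached

def leaks_before_consent(messages, strict):
    """Replay a signalling trace; True if media would flow before the local 'accept'."""
    c, accepted = Callee(strict), False
    for kind, sender in messages:
        c.on_message(kind, sender)
        accepted = accepted or (kind == "accept" and sender == "local")
        if c.transmitting() and not accepted:
            return True
    return False

# Constructed traces: caller pushes 'connect' before the user answers, and a normal call.
CALLER_CONNECT_TRACE = [("offer", "caller"), ("connect", "caller"), ("hangup", "caller")]
NORMAL_TRACE = [("offer", "caller"), ("accept", "local"), ("connect", "local")]
```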
The Google Duo bug, a race condition that allowed callees to leak video packets from unanswered calls to the caller, was fixed in December 2020. The Facebook Messenger flaw (previously covered by BleepingComputer), which allowed audio calls to connect before the call was answered, was addressed in November 2020.
Two similar vulnerabilities were discovered in the JioChat and Mocha messengers in July 2020: one that allowed a caller to make a JioChat callee transmit audio (fixed in July 2020) and one that allowed a caller to make a Mocha callee transmit audio and video (fixed in August 2020), in both cases without user consent.
Silvanovich also looked for similar bugs in other video conferencing apps, including Telegram and Viber, but didn’t find any such issues.
“The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee’s consent,” Silvanovich added.
“It is also concerning to note that I did not look at any group calling features of these applications, and all the vulnerabilities reported were found in peer-to-peer calls. This is an area for future work that could reveal additional problems.”
Silvanovich also found a critical vulnerability in the WhatsApp mobile messaging app that could be triggered simply by the user answering a call, crashing or fully compromising the app.