Details of Google Patched Bugs in Signal, FB Messenger, JioChat Apps


In January 2019, a critical flaw was reported in Apple’s FaceTime group chat feature that made it possible for a user to initiate a FaceTime video call and listen in on the target by adding their own number as a third party to a group chat, even before the person at the other end had accepted the incoming call.

The vulnerability was considered so severe that the iPhone maker removed the FaceTime group chat feature completely before resolving the issue in a later iOS update.

Since then, a number of similar shortcomings have been discovered in various video chat applications such as Signal, JioChat, Mocha, Google Duo and Facebook Messenger, all thanks to the work of Google Project Zero researcher Natalie Silvanovich.

“While [the Group FaceTime] bug was fixed quickly, the fact that such a serious and easily reachable vulnerability had occurred due to a logic error in a calling state machine (an attack scenario I had never seen raised on any platform) made me wonder whether other state machines had similar vulnerabilities as well,” Silvanovich wrote in a deep dive published Tuesday on her year-long research.

How does signaling work in WebRTC?

Although most current messaging applications rely on WebRTC for communication, the connections themselves are created by exchanging call setup information between the peers using the Session Description Protocol (SDP). This exchange is called signaling, and it usually works by sending an SDP offer from the caller’s end, to which the recipient responds with an SDP answer.

In other words, when a user initiates a WebRTC call to another user, a session description called an “offer” is created that contains all the information needed to set up a connection: the type of media being sent, its format, the transport protocol used, and the IP address and port of the endpoint, among other things. The recipient then responds with an “answer” that includes a description of their own endpoint.

The whole process is a state machine, which indicates “where in the process of signaling the exchange of offer and answer the connection currently is.”

Also included as an option in the offer/answer exchange is the ability of the two peers to send each other SDP candidates in order to negotiate the actual connection between them. A WebRTC framework called Interactive Connectivity Establishment (ICE) details the methods that can be used to communicate, regardless of network topology.

Once the two peers agree on a mutually compatible candidate, each peer uses that candidate’s SDP to build and open a connection, through which the media begins to flow.

In this way, both devices share the information needed to exchange audio or video over the peer-to-peer connection. But before this media can be relayed, the captured media data must be attached to the connection using a feature called tracks.


Although the recipient’s consent is expected to be obtained before any audio or video is transmitted, and no data should be shared until the receiver has interacted with the application to answer the call (i.e. before any tracks are added to the connection), Silvanovich observed the opposite behavior.

Several messaging applications affected

The application flaws not only allowed calls to be connected without any interaction from the recipient, but also allowed the caller to force the recipient’s device to transmit audio or video data.

The common root cause? Logic errors in the signaling state machines, which Silvanovich said “are a worrying and little-researched attack surface in video conferencing applications.”

  • Signal (fixed in September 2019): An audio call flaw in the Signal Android app made it possible for the caller to hear the recipient’s surroundings, because the app did not check whether the device that sent the connect message to the recipient was actually the caller’s device.
  • JioChat (fixed in July 2020) and Mocha (fixed in August 2020): Adding candidates to the offers created by the Reliance JioChat and Viettel Mocha Android apps allowed a caller to force the target device to send audio (and video) without the user’s consent. The flaws stemmed from the fact that the peer-to-peer connection was established even before the recipient answered the call, thus increasing the “remote attack surface of WebRTC.”
  • Facebook Messenger (fixed in November 2020): A vulnerability that could allow an attacker logged into the app to simultaneously initiate a call and send a specially crafted message to a target who is logged in to both the app and another Messenger client, such as a web browser, and start receiving audio from the target’s device.
  • Google Duo (fixed in December 2020): A race condition between disabling video and setting up the connection that, in some situations, could cause the recipient to leak video packets from unanswered calls.
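To make the failure pattern behind the signaling explanation above and the flaws listed here concrete, the following is an added example written for this page (it is not code from the article, from Project Zero, or from any of the apps named). It models the callee side of a WebRTC-style call as a small state machine that enforces the two properties the affected apps got wrong: media tracks are attached only after the local user has accepted the call, and a connect message is honoured only when it comes from the device that sent the offer. The message types (`offer`, `candidate`, `connect`, `hangup`) and the field names are this example’s own assumptions, not any app’s real protocol, and the scenarios at the bottom are constructed.

```javascript
// Added example: a defensive callee-side call state machine, modelled on the
// signaling flow described in the article. Message shapes are assumptions.

const States = Object.freeze({
  IDLE: "idle",
  RINGING: "ringing",     // offer received, waiting for the local user
  ACCEPTED: "accepted",   // user answered; answer sent, waiting for connect
  CONNECTED: "connected", // tracks attached, media may flow
  ENDED: "ended",
});

class CalleeCallStateMachine {
  constructor() {
    this.state = States.IDLE;
    this.callerId = null;       // device id the offer came from
    this.remoteCandidates = []; // ICE candidates accepted from the caller
    this.tracks = [];           // local media tracks attached to the call
    this.log = [];              // rejected transitions, for detection/debugging
  }

  // Every network signaling message enters here.
  handle(msg) {
    switch (msg.type) {
      case "offer": return this.onOffer(msg);
      case "candidate": return this.onCandidate(msg);
      case "connect": return this.onConnect(msg);
      case "hangup": return this.onHangup(msg);
      default: return this.reject(`unknown message type ${msg.type}`);
    }
  }

  onOffer(msg) {
    if (this.state !== States.IDLE) return this.reject("offer while not idle");
    this.callerId = msg.from;
    this.state = States.RINGING;
    return true;
  }

  // Candidates only help pick a network path; they never attach media, and
  // they are only taken from the caller while a call is being set up.
  onCandidate(msg) {
    if (msg.from !== this.callerId) return this.reject("candidate from non-caller");
    if (this.state !== States.RINGING && this.state !== States.ACCEPTED) {
      return this.reject(`candidate in state ${this.state}`);
    }
    this.remoteCandidates.push(msg.candidate);
    return true;
  }

  // Local user action: the only transition that later permits tracks.
  userAccepts() {
    if (this.state !== States.RINGING) return this.reject("accept while not ringing");
    this.state = States.ACCEPTED;
    return true;
  }

  onConnect(msg) {
    // Ordering check: no connect before the user has accepted.
    if (this.state !== States.ACCEPTED) return this.reject(`connect in state ${this.state}`);
    // Sender check: the connect must come from the device that sent the offer.
    if (msg.from !== this.callerId) return this.reject("connect from non-caller");
    this.tracks.push("audio", "video"); // media is attached only here
    this.state = States.CONNECTED;
    return true;
  }

  onHangup(msg) {
    if (msg.from !== this.callerId) return this.reject("hangup from non-caller");
    this.tracks = [];
    this.state = States.ENDED;
    return true;
  }

  mediaFlowing() {
    return this.state === States.CONNECTED && this.tracks.length > 0;
  }

  reject(reason) {
    this.log.push(`rejected: ${reason}`);
    return false;
  }
}

// Feeds a sequence of network messages and local actions to a fresh state
// machine and reports whether media ends up flowing.
function runScenario(steps) {
  const sm = new CalleeCallStateMachine();
  for (const step of steps) {
    if (step.local === "accept") sm.userAccepts();
    else sm.handle(step);
  }
  return { state: sm.state, mediaFlowing: sm.mediaFlowing(), log: sm.log };
}

// Constructed scenarios (not captured traffic).
const normalCall = [
  { type: "offer", from: "caller-A" },
  { type: "candidate", from: "caller-A", candidate: "udp 198.51.100.7 50000" },
  { local: "accept" },
  { type: "connect", from: "caller-A" },
];
const connectBeforeAnswer = [
  { type: "offer", from: "caller-A" },
  { type: "connect", from: "caller-A" }, // must be rejected: user has not accepted
];
const connectFromOtherDevice = [
  { type: "offer", from: "caller-A" },
  { local: "accept" },
  { type: "connect", from: "device-B" }, // must be rejected: not the offering device
];
```

The point of the model is where the checks sit: the user’s accept is a guard on the connect transition, not a side effect that runs alongside it, so a connect that arrives early or from the wrong device is dropped and logged rather than racing with the answer. The `log` array is the hook a defender would wire to telemetry, since repeated out-of-order connect or candidate messages from a peer are exactly the signal this class of bug would produce.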

Other messaging applications such as Telegram and Viber were found to have none of the above flaws, although Silvanovich noted that significant reverse engineering challenges in analyzing Viber made the research “less rigorous” than the others.

“Most calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the recipient to the caller without the recipient’s consent,” Silvanovich concluded. “This is clearly an area that is often overlooked when securing WebRTC applications.”

“Most of the bugs did not appear to be due to a misunderstanding by the developer of how WebRTC works. Instead, they were due to bugs in the way the state machines were implemented. That said, the lack of awareness of this type of problem was probably a factor,” she added.

“It is also worrying to note that I did not examine any group calling features of these applications, and all of the reported vulnerabilities were found in peer-to-peer calls. This is an area for future work that could reveal additional issues.”
