UPDATED 08:00 EDT / FEBRUARY 17 2021

SECURITY

Popular SDK used by social media sites allows attackers to spy on audio and video calls

A newly disclosed vulnerability in a software development kit used by a variety of applications and sites allows an attacker to spy on ongoing audio and video calls.

Detailed early Wednesday by security researchers at McAfee LLC’s Advanced Threat Research team, the vulnerability relates to the Agora Inc. Video SDK. The Agora SDK is designed to deliver a “real-time engagement platform for meaningful human connections.”

It’s said to power 40 billion minutes of “human connections” a month. The SDK is used by sites and apps from companies such as eHarmony Inc., Plentyoffish Media LLC, The Meet Group Inc. and Skout, as well as healthcare apps such as Talkspace, Practo Technologies Ptv Ltd. and Dr.First.com Inc.

The vulnerability, officially named CVE-2020-25605, relates to sensitive information sent unencrypted over the Agora Video SDK network. It was first reported to Agora in April 2020, but the company did not update its SDK to address the vulnerability until Dec. 17.

At the core of the issue is the data facilitated by the SDK being sent without any encryption or in the words of the researchers “sensitive call information being sent in plaintext, without a method for developers to extend encryption to the sensitive call information.”

Strangely, Agora offers the ability to encrypt traffic but it was found to not be widely used. “While it is impossible to be certain, one reason might be because the Agora encryption options require a pre-shared key, which can be seen in its example applications posted on GitHub,” the researchers said. “The Agora SDK itself did not provide any secure way to generate or communicate the pre-shared key needed for the phone call and therefore this was left up to the developers.”

Many calling models, the researchers added, are used in applications that enable the user to call anyone without prior contact. “This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included,” they said. “It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption.”

The McAfee researchers have no evidence that the vulnerability has been exploited in the wild, but they noted that the situation highlights the importance of encrypted data.

“While the need to protect truly sensitive information such as financial data, health records and other personally identifiable information has long been standardized, consumers are increasingly expecting privacy and encryption for all web traffic and applications,” the researchers concluded. “Furthermore, when encryption is an option provided by a vendor, it must be easy for developers to implement, adequately protect all session information including setup and teardown, and still meet the developers’ many use cases.”

Image: Agora

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU