In early 2019, a bug in group FaceTime calls would have allowed attackers to activate the microphone, and even the camera, of the iPhone they were calling and listen in before the recipient did anything. The implications were so severe that Apple invoked a nuclear option, cutting off access to the group calling function entirely until the company could issue a fix. The vulnerability, and the fact that it required no tapping or clicking from the victim, captivated Natalie Silvanovich.
“The idea that you can find a bug where the impact is, you can get a call answered without any interaction, it’s surprising,” says Silvanovich, a researcher on Google’s Project Zero bug-hunting team. “I broke down a bit and tried to find these vulnerabilities in other applications. And I ended up finding quite a few.”
Silvanovich has spent years studying “interaction-less” vulnerabilities, attacks that don’t need their targets to click on a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. These attacks have grown in importance as targeted mobile surveillance has exploded around the world.
At the Black Hat security conference in Las Vegas on Thursday, Silvanovich presents her findings on remote eavesdropping bugs in ubiquitous communications apps like Signal, Google Duo, and Facebook Messenger, as well as the popular international platforms JioChat and Viettel Mocha. All the bugs have been fixed, and Silvanovich says the developers were extremely responsive, fixing the vulnerabilities within days or weeks of her disclosures. But the number of findings in mainstream consumer services underscores how common these flaws can be and the need for developers to take them seriously.
“When I heard about this group FaceTime bug, I thought it was a one-time bug that wouldn’t recur, but it turned out to be wrong,” says Silvanovich. “This is something we didn’t know before, but it’s important now that people who build communications applications know it. You promise your users that you aren’t suddenly going to start streaming audio or video from them all the time, and it’s your burden to make sure your app lives up to that.”
The vulnerabilities Silvanovich discovered offered an assortment of eavesdropping options. The Facebook Messenger bug could have allowed an attacker to listen to audio from a target’s device. The Viettel Mocha and JioChat bugs both potentially gave access to audio and video. The Signal flaw exposed audio only. And the Google Duo vulnerability gave access to video, but only for a few seconds; during that time, an attacker could still save some frames or take screenshots.
The applications Silvanovich reviewed all build much of their audio and video calling infrastructure on real-time communication tools from the open source WebRTC project. Some of the interaction-less call vulnerabilities came from developers who apparently misunderstood WebRTC’s features or implemented them poorly. But Silvanovich says other flaws came from app-specific design decisions about when and how each app sets up calls.
When someone calls you on an internet-based communications app, the system can start setting up the connection between your devices immediately, a process called “establishment,” so that the call can begin the instant you press Accept. The other option is for the app to wait until it sees whether you accept the call, and only then take a few seconds to establish the communication channel once it knows your choice.
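The design choice above is where this bug class lives: establishing the transport early is fine as long as no local microphone or camera data is sent until the user has actually accepted. The following is an added example, not code from Signal, Duo, Messenger, JioChat, Viettel Mocha, or WebRTC itself. It models the callee side of a WebRTC-style call as a small state machine so the ordering logic runs in Node without a browser; the event names (`offer`, `connect`, `accept`, `hangup`), the two callee classes, and the sample signalling sequences are all assumptions constructed for the illustration. In a real app the `direction` string would correspond to setting `RTCRtpTransceiver.direction` on an `RTCPeerConnection`.

```javascript
// Added example, not code from any of the apps named in the article: a minimal
// model of the callee side of a WebRTC-style call, comparing two ways of
// deciding when local media may leave the device. The transport is stubbed
// with a direction string so the ordering logic runs in Node without a
// browser; real apps use RTCPeerConnection and RTCRtpTransceiver.direction.
// Event names ('offer', 'connect', 'accept', 'hangup') are assumptions.

const INACTIVE = 'inactive'; // transport may be connected, but nothing is sent
const SENDRECV = 'sendrecv'; // local microphone/camera is flowing to the peer

// Eager establishment: the callee wires its local tracks into the connection
// as soon as the caller's 'connect' message arrives, so the call starts
// instantly after Accept. The flaw is that 'connect' is trusted on its own:
// a caller who sends it before the callee taps Accept already gets audio.
class EagerCallee {
  constructor() { this.state = 'idle'; this.direction = INACTIVE; }
  handle(evt) {
    switch (evt) {
      case 'offer':   this.state = 'ringing'; break;
      case 'connect': if (this.state === 'ringing') this.direction = SENDRECV; break; // no Accept check
      case 'accept':  this.state = 'in-call'; this.direction = SENDRECV; break;
      case 'hangup':  this.state = 'idle'; this.direction = INACTIVE; break;
    }
    return this.direction;
  }
}

// Guarded establishment: the transport is still negotiated early, but every
// transceiver stays inactive until the local user has accepted. The peer's
// messages alone can never flip the direction to sending.
class GuardedCallee {
  constructor() { this.state = 'idle'; this.direction = INACTIVE; this.connected = false; }
  handle(evt) {
    switch (evt) {
      case 'offer':   this.state = 'ringing'; break;
      case 'connect': this.connected = true; break; // remember it, but send nothing yet
      case 'accept':  this.state = 'in-call'; break;
      case 'hangup':  this.state = 'idle'; this.connected = false; break;
    }
    // Media flows only when both conditions hold; the remote peer controls just one.
    this.direction = (this.state === 'in-call' && this.connected) ? SENDRECV : INACTIVE;
    return this.direction;
  }
}

// Replays a signalling sequence and reports whether local media was ever
// sending before the callee's own 'accept' event occurred.
function leaksBeforeAccept(CalleeClass, events) {
  const callee = new CalleeClass();
  let accepted = false;
  for (const evt of events) {
    if (evt === 'accept') accepted = true;
    const dir = callee.handle(evt);
    if (!accepted && dir === SENDRECV) return true;
  }
  return false;
}

// Media direction at the end of a sequence, to check that legitimate calls
// (including the early-establishment ordering) still end up sending.
function finalDirection(CalleeClass, events) {
  const callee = new CalleeClass();
  let dir = INACTIVE;
  for (const evt of events) dir = callee.handle(evt);
  return dir;
}

// Constructed sequences (assumptions, not captured traffic).
// A legitimate caller lets the transport connect before or after Accept;
// an attacker sends 'connect' immediately and hangs up before the phone is
// ever picked up, hoping to collect audio in between.
const LATE_SETUP_CALL  = ['offer', 'accept', 'connect'];
const EARLY_SETUP_CALL = ['offer', 'connect', 'accept'];
const FORGED_CALL      = ['offer', 'connect', 'hangup'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log('eager   leaks before accept:', leaksBeforeAccept(EagerCallee, FORGED_CALL));
  console.log('guarded leaks before accept:', leaksBeforeAccept(GuardedCallee, FORGED_CALL));
  console.log('guarded early setup still works:', finalDirection(GuardedCallee, EARLY_SETUP_CALL));
}
```

The point of the guarded version is that early establishment and the interaction-less leak are separable: the connection can be fully negotiated while ringing, which keeps the instant-start user experience, but the decision to send is tied to a local user action that the remote party cannot forge.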