Bugs in several messaging/video chat mobile apps allowed attackers to spy on targeted users’ surroundings. The vulnerabilities – in Signal, Google Duo, Facebook Messenger, JioChat, and Mocha – could be triggered by simply placing a call to the target’s device; no other action was needed.
Searching for bugs in video chat apps
In early 2019, Apple fixed a major logic bug (CVE-2019-6223) in its Group FaceTime feature. The bug, discovered by a Tucson high-schooler, allowed the initiator of a Group FaceTime call to listen to what was happening in the target device’s surroundings even if the target did not pick up the call.
“While this bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine – an attack scenario I had never seen considered on any platform – made me wonder whether other state machines had similar vulnerabilities as well,” said Google Project Zero researcher Natalie Silvanovich.
Consequently, she decided to check whether other popular messaging platforms with video conferencing capabilities sported similar vulnerabilities, and she found some in Signal Messenger, Google Duo, Facebook Messenger, JioChat, and Mocha.
“There were a few other applications I looked at and did not find problems with their state machines,” Silvanovich shared.
“I looked at Telegram in August 2020, right after video conferencing was added to the application. I did not find any problems, largely because the application does not exchange the offer, answer or candidates until the callee has answered the call. I looked at Viber in November 2020, and did not find any problems with their state machine, though challenges reverse engineering the application made this analysis less rigorous than the other applications I looked at.”
Similar bugs might still be uncovered
The root of these vulnerabilities differed, but all allowed the caller to hear the callee’s surroundings (or even see them).
Silvanovich also noted that these vulnerabilities were found in peer-to-peer calls, and that an investigation into the group calling features of these applications might reveal others.
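The pattern common to these bugs, as an added example that is not code from any of the apps named in the article: a hypothetical, simplified callee-side calling state machine in which enabling the microphone from transport state alone (the weak variant) makes audio flow before the user answers, while gating it on an explicit local accept does not. The event names, states and class here are assumptions of this illustration.

```python
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    RINGING = auto()   # offer received, local user has not answered yet
    IN_CALL = auto()   # local user accepted


class CalleeStateMachine:
    """Callee side of a peer-to-peer call (hypothetical, simplified)."""

    def __init__(self, guard_media: bool):
        self.state = State.IDLE
        self.user_accepted = False
        self.peer_connected = False
        self.mic_transmitting = False
        self.guard_media = guard_media  # False reproduces the weak pattern

    def handle(self, event: str) -> None:
        if event == "offer" and self.state is State.IDLE:
            self.state = State.RINGING
        elif event == "connected" and self.state is not State.IDLE:
            # Transport setup (offer/answer/candidates) can complete while ringing.
            self.peer_connected = True
        elif event == "accept" and self.state is State.RINGING:
            self.user_accepted = True
            self.state = State.IN_CALL
        elif event == "hangup":
            self.state = State.IDLE
            self.peer_connected = self.user_accepted = False
        else:
            return  # out-of-order event: ignore, leave state unchanged
        self._update_media()

    def _update_media(self) -> None:
        if not self.guard_media:
            # Weak: media follows transport state only, so audio flows to a
            # caller whose connection comes up before the callee answers.
            self.mic_transmitting = self.peer_connected
        else:
            # Hardened: capture also requires an explicit local accept.
            self.mic_transmitting = self.peer_connected and self.user_accepted


def leaks_before_answer(guard_media: bool) -> bool:
    """Drive offer -> connected with no accept; True means the mic is live."""
    sm = CalleeStateMachine(guard_media)
    for event in ("offer", "connected"):
        sm.handle(event)
    return sm.mic_transmitting
```

A useful regression check for such a state machine is exactly `leaks_before_answer`: every ordering of signalling events that omits the local accept must leave capture disabled.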
“It is not clear why this is such a common problem, but a lack of awareness of these types of bugs as well as unnecessary complexity in signalling state machines is likely a factor,” she added.
All the vulnerabilities have been responsibly reported to the app makers and have since been fixed.