
Flaw in popular video software Agora could have let eavesdroppers in on private calls

It could have allowed hackers to spy on dating app or telehealth video or audio calls.

A software flaw could have allowed hackers to spy on private calls through dating and telehealth applications, according to McAfee research published Wednesday.

The flaw, which stems from the SDK sending call-setup information unencrypted, affected a video-calling software development kit (SDK) developed by Agora.io that is used by dating services such as eHarmony, Plenty of Fish, MeetMe and Skout and by medical applications such as Talkspace, Practo and Dr. First's Backline, according to McAfee. Agora says its software is used by 1.7 billion devices across a host of applications for education, retail, gaming and other social purposes.

The flaw, tracked as CVE-2020-25605, was addressed in an update Agora issued in mid-December, according to McAfee.

An Agora spokesperson said in a statement that the company had reached out to customers to help them address the issue.


“Thanks to McAfee, we found a vulnerability in our software in 2020, giving us the opportunity to collaborate with McAfee and reach out to our customers to help them make the necessary fixes,” the spokesperson said in an email. “Agora is always looking to better protect our system and customers. Our bug bounty program is part of that commitment. In addition to our work with McAfee, we invite other independent security researchers to report any other bugs or vulnerabilities they discover.”

Talkspace said that its software is encrypted so that no one can listen in on conversations.

McAfee’s Advanced Threat Research team and Agora said they do not have any evidence that the flaw has been exploited.

Had an attacker discovered the issue, though, they could have observed that sensitive information used to set up calls was being sent in plaintext, according to McAfee. An attacker could have sniffed network traffic to obtain the parameters of a call of interest and then silently joined it, with no indication to the targeted users, researchers found.

Part of the issue was that Agora had not provided a secure way to generate and share the encryption key needed for calls, the researchers note in a blog post on the matter.
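The eavesdropping path described in the two paragraphs above, as an added illustration. This is not code from Agora's SDK or from McAfee's research: the JSON message layout, the names (`CallServer`, `run_scenario`, `room-42`, `alice`, `bob`) and the HMAC-based stand-in for a protected signaling channel are all assumptions made for the demo. A passive observer records the call-setup traffic; when that traffic is in the clear, the observer harvests the channel name and token and is admitted to the call with no notice to the participants, and when the signaling is protected under a key both ends already share, the same capture yields nothing usable.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field


@dataclass
class CallServer:
    """Toy call server. Anyone presenting the right token for a channel is
    admitted, and nobody already in the call is told about the new member:
    that is the 'no signal to targeted users' condition the article describes."""
    tokens: dict                       # channel name -> token minted for that call
    participants: dict = field(default_factory=dict)

    def join(self, request: dict) -> dict:
        expected = self.tokens.get(request.get("channel"), "")
        if not hmac.compare_digest(expected, request.get("token", "")):
            return {"ok": False, "members": []}
        members = self.participants.setdefault(request["channel"], [])
        members.append(request["uid"])
        return {"ok": True, "members": list(members)}


def join_request(uid: str, channel: str, token: str) -> bytes:
    """Call-setup message as a client sends it. The JSON layout is an assumption
    for this demo, not Agora's wire format."""
    return json.dumps({"type": "join", "uid": uid,
                       "channel": channel, "token": token}).encode()


def sniff_call_parameters(captured: list) -> list:
    """Passive observer on the network path: scan captured packets for readable
    join messages and harvest the (channel, token) pairs they carry."""
    found = []
    for pkt in captured:
        try:
            msg = json.loads(pkt.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue                    # ciphertext or unrelated traffic
        if isinstance(msg, dict) and msg.get("type") == "join" \
                and all(k in msg for k in ("channel", "token")):
            found.append((msg["channel"], msg["token"]))
    return list(dict.fromkeys(found))   # dedupe, keep first-seen order


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a protected signaling channel (TLS in a real deployment):
    toy encrypt-then-MAC built from HMAC-SHA256. Demo only, never production."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("signaling message failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_scenario(encrypt_signaling: bool) -> dict:
    """Two legitimate users set up a call in 'room-42' while an eavesdropper
    records every packet on the path and then tries to join with whatever it
    harvested. Channel name, user IDs and token format are constructed."""
    token = "tok-" + os.urandom(8).hex()
    server = CallServer(tokens={"room-42": token})
    # Assumed per-session secret shared by client and server out of band; the
    # article's point is that the SDK offered no secure way to establish one.
    session_key = os.urandom(32)
    captured = []
    for uid in ("alice", "bob"):
        pkt = join_request(uid, "room-42", token)
        if encrypt_signaling:
            pkt = seal(session_key, pkt)
        captured.append(pkt)            # what the eavesdropper sees
        plain = open_sealed(session_key, pkt) if encrypt_signaling else pkt
        server.join(json.loads(plain))
    harvested = sniff_call_parameters(captured)
    replies = [server.join({"uid": "eavesdropper", "channel": ch, "token": tok})
               for ch, tok in harvested]
    return {
        "harvested": harvested,
        "eavesdropper_joined": any(r["ok"] for r in replies),
        "members": server.participants.get("room-42", []),
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = run_scenario(encrypt_signaling=mode)
        print("encrypted signaling:", mode, "->", result["members"])
```

The protected variant only works because `session_key` is handed to both ends before the call, which is exactly the piece the article says was left to application developers; in practice the setup data goes over TLS to the signaling server and the media key is established by a key exchange the SDK would need to provide.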


“Many calling models used in applications want to give the user the ability to call anyone without prior contact,” the McAfee researchers state. “This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included. It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption. These may be a few of the reasons why these application developers have chosen to not use the encryption for the video and audio.”

As people around the globe increasingly rely on digital services to communicate for work, private conversations and medical care throughout the pandemic, the flaw is a jarring reminder that although virtual conversations may appear private, prying eyes could find surreptitious ways to eavesdrop on them.

“While the security community encourages developers to write software code with security in mind, software apps tend to struggle with bugs and vulnerabilities in their early days,” the researchers write. “Consumers should by all means download and enjoy the hottest new apps, but they should also take steps to protect themselves from any undiscovered issues that might threaten them.”

Video-conferencing tools broadly have come under the microscope in the last year amid the shift to an increasingly distributed workforce. Zoom, for instance, came under fire for its privacy and security practices early in the pandemic last year, and recently reached a settlement with the Federal Trade Commission over allegations that it misled consumers about the level of encryption it provided for calls. Zoom recently began rolling out end-to-end encryption for consumers after it was criticized for saying it would offer that level of protection only to paid users.

Update, 2/17/21: This article has been updated to include comment from Agora and Talkspace.


Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
