At the beginning of 2019, an eavesdropping vulnerability in FaceTime group calls allowed an attacker to activate the microphone, or even the camera, of the iPhone they were calling, and then eavesdrop before the recipient did anything. The impact was so severe that Apple invoked the nuclear option, cutting off access to the group call function entirely until the company could release a fix. This vulnerability, and the fact that it did not require the victim to tap or click at all, caught the attention of Natalie Silvanovich.
“The idea that you can find an error whose effect is that you can answer the phone without any interaction, this is surprising,” said Silvanovich, a researcher on Google’s Project Zero vulnerability research team. “I was a little sad, trying to find these vulnerabilities in other applications. I eventually found a lot.”
Silvanovich has spent years researching “no interaction” vulnerabilities: attacks that do not require the target to click on a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. These attacks are becoming more and more important as targeted mobile surveillance has exploded all over the world.
At the Black Hat security conference in Las Vegas on Thursday, Silvanovich presented her findings on remote eavesdropping vulnerabilities in ubiquitous communication applications such as Signal, Google Duo, and Facebook Messenger, as well as in the popular international platforms JioChat and Viettel Mocha. All the vulnerabilities have been patched, and Silvanovich said the developers' response was very positive, with fixes arriving within days or weeks of her disclosure. But the sheer number found in mainstream services highlights the prevalence of these flaws and the need for developers to take them seriously.
“When I heard about the FaceTime group error, I thought it was a unique error that would never happen again, but it turned out not to be the case,” Silvanovich said. “This is something we didn’t know before, but now it’s important for people who develop communication applications to realize this. You promise your users that you won’t suddenly start streaming their audio or video at any time. Making sure your application meets this point is your burden.”
The vulnerabilities discovered by Silvanovich provided multiple eavesdropping options. The Facebook Messenger vulnerability could allow an attacker to listen to audio from the target device. The Viettel Mocha and JioChat errors could provide advanced access to audio and video. The Signal flaw only exposed audio. And the Google Duo vulnerability allowed video access, but only for a few seconds. During this period, the attacker could still record a few frames or take screenshots.
The applications that Silvanovich examined all built most of their audio and video calling infrastructure on real-time communication tools from the open source project WebRTC. Some of the no-interaction calling vulnerabilities stemmed from developers who seemed to misunderstand WebRTC features or implemented them improperly. But Silvanovich said that other flaws came from design decisions specific to each service, relating to when and how a call is set up.
When someone calls you on an internet-based communication application, the system can immediately begin to establish a connection between your devices, a process called “establishment”, so that the call can begin immediately when you click accept. Another option is for the app to wait to see whether you answer the call, and then spend a few seconds establishing the communication channel once it knows your choice.
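
The first option above (establish early, start media only on accept) can be modelled as a small callee-side state machine in which nothing the caller sends can switch on the microphone or camera. This is an added example, not code from the article or from any of the apps it names; the class, message types and track objects are hypothetical stand-ins, not the WebRTC API.

```javascript
// Simplified callee-side call model. Invariant: local tracks are enabled only by a
// local user action, never by a message received from the remote peer.
const State = Object.freeze({ IDLE: 'idle', RINGING: 'ringing', CONNECTED: 'connected', ENDED: 'ended' });

class CalleeCall {
  constructor(tracks) {
    this.state = State.IDLE;
    this.tracks = tracks;            // plain objects standing in for media tracks
    this.transportReady = false;
    this.rejected = [];              // refused signalling messages, kept for logging
    this.setTracksEnabled(false);    // never trust the tracks' initial state
  }
  setTracksEnabled(on) { for (const t of this.tracks) t.enabled = on; }
  // Messages from the network are untrusted and caller-controlled.
  onRemoteMessage(msg) {
    switch (msg.type) {
      case 'offer':
        if (this.state !== State.IDLE) return this.reject(msg);
        this.state = State.RINGING;
        this.transportReady = true;  // early establishment happens while ringing
        return true;
      case 'hangup':
        this.end();
        return true;
      default:
        // Any other remote message (hypothetical "accept"/"connected") changes nothing.
        return this.reject(msg);
    }
  }
  reject(msg) { this.rejected.push(msg.type); return false; }
  // Called only from the local UI when the user taps "accept".
  onUserAccept() {
    if (this.state !== State.RINGING || !this.transportReady) return false;
    this.state = State.CONNECTED;
    this.setTracksEnabled(true);
    return true;
  }
  end() { this.state = State.ENDED; this.setTracksEnabled(false); }
  isSendingMedia() { return this.tracks.some((t) => t.enabled); }
}

// Constructed scenario: replay remote messages, then optionally the local accept.
function simulate(messages, userAccepts) {
  const call = new CalleeCall([{ kind: 'audio', enabled: true }, { kind: 'video', enabled: true }]);
  for (const m of messages) call.onRemoteMessage(m);
  const beforeAccept = call.isSendingMedia();
  if (userAccepts) call.onUserAccept();
  return { beforeAccept, afterAccept: call.isSendingMedia(), state: call.state, rejected: call.rejected };
}
```
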