Messaging applications have a problem

In early 2019, a bug in group FaceTime calls let attackers activate the microphone, and even the camera, of the iPhone they were calling and eavesdrop before the recipient did anything. The consequences were so serious that Apple resorted to a nuclear option, cutting off access to group calling until the company could issue a fix. Natalie Silvanovich was fascinated by the vulnerability, and by the fact that the victim did not have to tap or click anything.

“The idea that you can find an error that has an impact, you can answer the call without any interaction, it’s amazing,” says Silvanovich of Google’s Project Zero bug-hunting team. “I shed a little tear and tried to find those vulnerabilities in other apps. In the end, I found quite a few.”

Silvanovich has spent years studying “no interaction” vulnerabilities: hacks that do not require targets to click a malicious link, download an attachment, enter the wrong password, or participate in any way. These attacks have become increasingly important as targeted mobile surveillance explodes all over the world.

At the Black Hat security conference in Las Vegas on Thursday, Silvanovich presented her findings on remote eavesdropping bugs in ubiquitous communication applications such as Signal, Google Duo and Facebook Messenger, as well as in the popular international platforms JioChat and Viettel Mocha. All of the bugs have been fixed, and Silvanovich says the developers were very responsive, fixing the vulnerabilities within a few days or weeks. The large number of findings in major services underscores how common these bugs can be and that developers should take them seriously.

“When I found out about this mistake on the FaceTime team, I thought it was a special mistake that would never happen again, but it didn’t happen,” says Silvanovich. “It’s something we didn’t know before, but it’s important now that those who make communication apps are aware. You promise users that you won’t suddenly start streaming their audio or video, and your job is to make sure your app meets that.”

The vulnerabilities Silvanovich found offered a range of eavesdropping opportunities. The Facebook Messenger bugs could allow an attacker to hear audio from a target’s device. The Viettel Mocha and JioChat bugs provided advanced access to both audio and video. The Signal bugs exposed audio only. And the Google Duo vulnerability provided access to video, but only for a few seconds; in that time an attacker could still record a few frames or take screenshots.

All of the applications Silvanovich examined build much of their audio and video calling infrastructure on real-time communication tools from the open source WebRTC project. Some of the no-interaction calling vulnerabilities apparently stemmed from developers misunderstanding WebRTC features or implementing them incorrectly. Silvanovich says other flaws came from each service’s design decisions about when and how it sets up calls.

When someone calls you on an internet-based communication app, the system can begin setting up the connection between the devices right away, a process called “establishment,” so the call can start the instant you press OK. The other option is for the app to hang back for a moment, wait to see whether you accept the call, and then spend a few seconds setting up the communication channel once it knows your choice.
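The two call-setup designs described above, as an added example that is not part of the original article or any of the apps' code: a callee-side session modelled in plain JavaScript, where the connection may be established early but audio and video stay off until the local user accepts. `CalleeSession`, `FakeTrack` and the message type names are hypothetical; `FakeTrack` stands in for a WebRTC media track.

```javascript
// Added example: callee-side call session, modelled without browser APIs so it runs in Node.
// FakeTrack is a hypothetical stand-in for a media track; only its `enabled` flag matters.
class FakeTrack {
  constructor(kind) { this.kind = kind; this.enabled = false; }
}

class CalleeSession {
  // preEstablish = true: set up the connection while ringing (fast pickup).
  // preEstablish = false: wait for the user's decision before any setup.
  constructor({ preEstablish }) {
    this.preEstablish = preEstablish;
    this.state = 'idle';      // idle -> ringing -> accepted | ended
    this.connected = false;   // is the transport to the caller established?
    this.tracks = [new FakeTrack('audio'), new FakeTrack('video')];
  }

  onIncomingCall() {
    if (this.state !== 'idle') throw new Error('unexpected incoming call');
    this.state = 'ringing';
    if (this.preEstablish) this.connected = true; // tracks stay disabled
  }

  // Messages from the remote side never turn capture or sending on.
  onRemoteSignal(message) {
    if (this.state === 'ringing' && message.type === 'hangup') this.end();
    // Any other message from the peer while ringing is ignored, including
    // one claiming the call was answered (hypothetical message type).
    return this.isSendingMedia();
  }

  // Only the local UI calls this, in response to the user pressing OK.
  acceptFromUser() {
    if (this.state !== 'ringing') throw new Error('no call to accept');
    this.connected = true;
    this.state = 'accepted';
    for (const t of this.tracks) t.enabled = true;
  }

  end() {
    for (const t of this.tracks) t.enabled = false;
    this.connected = false;
    this.state = 'ended';
  }

  isSendingMedia() {
    return this.connected && this.tracks.some((t) => t.enabled);
  }
}
```

Both designs satisfy the same invariant: `isSendingMedia()` is false in every state except the one reached through `acceptFromUser()`.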
