A small library that provides audio and video call capabilities contains a bug that allows attackers to join audio and video calls without being detected.
The bug – detected by security company McAfee and tracked as CVE-2020-25605 – affects the software development kit (SDK) provided by Agora, a US company specializing in delivering real-time communication tools.
Applications that use this SDK for audio and video streaming capabilities include MeetMe, Skout, Nimo TV, Temi, Dr. First Backline, Hike, Bunch, and Talkspace.
In a report published today, McAfee states that the Agora SDK does not encrypt data exchanged while a new call is being set up, even if the app has enabled the encryption functionality.
Any attacker on the same network as the target user can intercept traffic in the first stages of the call, extract various call identifiers, and join the call without being detected.
McAfee said the matter came to light last year, in April, during a security study of a personal robot used in retail stores that supports audio and video calling.
Subsequent investigations have found indications that this behavior has affected other applications using the SDK, and the security company said it had informed Agora of its findings.
Steve Povolny, Head of Advanced Threat Research at McAfee, said they informed Agora of their findings and that the company responded by releasing a new SDK in December 2020 that was not vulnerable to CVE-2020-25605.
“While we do not know which of these applications used the new SDK, we can confirm that Agora has released the SDK and followed up with its developers to urge them to use what is being developed,” Povolny said.
An Agora spokesman did not return a request for comment.
Agora-based apps have tens of millions of downloads in the Google Play Store alone; however, McAfee said they found no evidence that the bug had been exploited in the wild to listen in on conversations.
- CVE: CVE-2020-25605
- CVSSv3 Rating: 7.5/6.7
- CVSS String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
- CVE Description: Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic.