News: Vulnerabilities in popular instant messengers allowed spying on users

Serafim

Bugs in Signal, Google Duo, and Facebook Messenger allowed the called party's device to transmit audio before it answered the call.

Vulnerabilities in a variety of mobile video-calling applications allowed attackers to listen to the sounds around a user without the user's permission, even before the user picked up the phone.

The logic vulnerabilities in Signal, Google Duo, Facebook Messenger, JioChat, and Mocha were discovered by Natalie Silvanovich, a researcher at Google Project Zero, and have now been fixed. Before the fixes, however, they allowed attackers to force the targeted devices to transmit audio to devices the attackers controlled, without needing to execute code.

"I examined the state machine transmitters of seven video conferencing applications and discovered five vulnerabilities that allow the calling device to force the called device to transmit audio or video data. Theoretically, it is quite simple to ensure the consent of the called subscriber to transmit audio or video: before adding any tracks to a peer-to-peer connection, you need to wait for the subscriber to accept the call. However, after studying the real applications, I saw that they allowed data transfer in different ways. Most of them have led to the emergence of vulnerabilities that allow you to connect calls without interacting with the called person," explained Silvanovich.

As the researcher found, a vulnerability in Signal, fixed in September 2019, allowed an audio call to be connected when the calling device sent a message to the called device, without the participation of the subscriber, although it should be the other way around (to allow a call, the called device must send a message to the caller).

The Google Duo race condition vulnerability allowed the called device to send data packets to the calling device before the caller answered the call. The issue was fixed in December 2020.

A vulnerability in Facebook Messenger that allowed audio calls to be connected before the caller picked up the phone was fixed in November 2020.

Two similar vulnerabilities were also discovered in JioChat and Mocha in July 2020. The bugs allowed audio to be sent in JioChat (fixed in July 2020) and audio/video in Mocha (fixed in August 2020) without the user's knowledge.

Silvanovich checked other messengers (including Telegram and Viber) for the presence of the vulnerabilities described above, but found nothing.

A state machine or finite automaton is a mathematical abstraction, a model of a discrete device that has one input, one output, and at each moment of time is in one state out of a set of possible states.
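
The consent rule Silvanovich describes, and the message-direction rule described for Signal, sketched as a callee-side state machine. This is an added example, not code from any of the applications named; the state, event and class names are hypothetical and the message sequences are constructed.

```javascript
// Callee-side call state machine: media tracks are attached only after a LOCAL accept.
const State = Object.freeze({ IDLE: "idle", RINGING: "ringing", CONNECTED: "connected", ENDED: "ended" });

// Allowed transitions, keyed by "state:source:event".
// source is "remote" (signalling message from the caller) or "local" (user action on this device).
const TRANSITIONS = {
  "idle:remote:offer": State.RINGING,
  "ringing:local:accept": State.CONNECTED,
  "ringing:local:decline": State.ENDED,
  "ringing:remote:hangup": State.ENDED,
  "connected:local:hangup": State.ENDED,
  "connected:remote:hangup": State.ENDED,
};

class CalleeCall {
  constructor() {
    this.state = State.IDLE;
    this.tracks = [];   // media tracks attached to the peer connection
    this.rejected = []; // messages dropped as invalid, kept for logging and alerting
  }

  handle(source, event) {
    const next = TRANSITIONS[`${this.state}:${source}:${event}`];
    if (next === undefined) {
      // Not valid in this state from this source: record it, change nothing.
      this.rejected.push({ state: this.state, source, event });
      return false;
    }
    this.state = next;
    if (next === State.CONNECTED) this.tracks.push("audio"); // consent has been given
    if (next === State.ENDED) this.tracks = [];
    return true;
  }

  isTransmitting() { return this.tracks.length > 0; }
}

// Replays a constructed list of [source, event] pairs against a fresh call.
function replay(messages) {
  const call = new CalleeCall();
  for (const [source, event] of messages) call.handle(source, event);
  return call;
}

// Constructed sequences: an accept arriving from the caller, then a normal answered call.
const forced = replay([["remote", "offer"], ["remote", "accept"]]);
const normal = replay([["remote", "offer"], ["local", "accept"]]);
console.log(forced.state, forced.isTransmitting(), normal.state, normal.isTransmitting());
```

Keying the transition table on the message source as well as the state is what makes an accept from the wrong side a rejected, loggable event instead of a connected call.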
 