Google Research Pinpoints Security Soft Spot in Multiple Chat Platforms

Mystery of spying using popular chat apps uncovered by Google Project Zero researcher.

Google Project Zero researcher Natalie Silvanovich outlined what she believes is a common theme when it comes to serious vulnerabilities impacting leading chat platforms. The research, published Tuesday, identifies a common denominator within chat platforms, called “calling state machine”, which acts as a type of dial tone for messenger applications.

Supply-Chain Security: A 10-Point Audit

Click to Register – New Browser Tab Opens

Silvanovich warns that this common “calling state machine” mechanism used by Signal, Google Duo, Facebook Messenger, JioChat and Mocha is ripe for abuse today and has been the common thread in a litany of past critical bugs.

For example, past bugs in the messaging apps Signal, Google Duo and Facebook Messenger, which had allowed threat actors to spy on users through unauthorized transmission of audio or video, were tied to configuration errors in the “calling state machine”. Those settings, Silvanovich said, are key to setting up simple app consent between user connections.

State Machine: Ripe for Exploit

In all, Silvanovich identified five logic vulnerabilities in the signalling state machines of seven video conferencing applications that “could allow a caller device to force a callee device to transmit audio or video data.”

While all of the vulnerabilities she identified have already been fixed, the prevalence of the errors in how state machines are implemented in these types of apps–as well as a lack of awareness of this type of bug–means that they will continue to pose a threat, Silvanovich said.

“Signalling state machines are a concerning and under-investigated attack surface of video-conferencing applications, and it is likely that more problems will be found with further research,” she wrote.

Silvanovich examined the use of WebRTC to implement videoconferencing in seven popular chat apps. In addition to those previously mentioned, she also found logic bugs in JioChat and Mocha, she said.

The vulnerabilities specific to each app already have been publicized and patched. The Signal bug, which could cause an incoming call to be answered even if the callee does not pick it up, was patched in September 2019.

The JioChat and Mocha bugs were both patched in July 2020. Both could cause the device of someone receiving a call to send audio without user interaction.

The Google Duo bug, which could cause someone making a call to leak video packets, was fixed in September 2020, while the Facebook Messenger bug, which could cause someone’s audio call to connect before he or she had answered the call, was patched about two months later.

Insecure Web Real-Time Communications

“The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee’s consent,” Silvanovich wrote. “This is clearly an area that is often overlooked when securing WebRTC applications.”

Web Real-Time Communications (WebRTC) is used in the majority of video-conferencing applications to create connections by exchanging call set-up information in Session Description Protocol (SDP) between peers, a process that is called signalling. This process is implemented by another protocol, such as WebSockets for web apps or secure messaging for messaging apps, she explained.

Each of these connections must be set up in a way that there is clear consent on both sides of the message to ensure the interaction is only exchanged between the two parties. However, applications that use WebRTC usually have to maintain their own state machine to manage the user state of the application, Silvanovich said.

Human Component: ‘Developer Misunderstanding’

“How the user state maps to the WebRTC state is a design choice made by the WebRTC integrator, which has both security and performance consequences,” she wrote.

The bugs that she investigated, then, were not the result of “developer misunderstanding of WebRTC features,” Silvanovich said. They were state-machine implementation errors, plain and simple, she said.

“That said, a lack of awareness of these types of issues was likely a factor,” she wrote. “It is rare to find WebRTC documentation or tutorials that explicitly discuss the need for user consent when streaming audio or video from a user’s device.”

Two messaging apps that Silvanovich examined that did not appear to have any problems with state machines and thus likely do not allow for third-party interception of audio or video were Telegram and Viber, she said.

Telegram seemed to be bug-free “largely because the application does not exchange the offer, answer or candidates until the callee has answered the call,” Silvanovich wrote. However, challenges in reverse-engineering Viber made her analysis “less rigorous” than her examination of the other messaging apps, she acknowledged.

Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m.

Suggested articles