Weaknesses in a host of popular messaging apps allow crooks to snoop on users without permission. It's more bad news for privacy in what appears to be a direct intrusion into people’s lives.
Significant security loopholes have been found in Signal, Facebook Messenger, Google Duo, and other communications platforms. It represents a wider deepening of the current crises hitting major tech players.
While new platforms battle to secure new users amid WhatsApp's privacy problems, it shows that trust is a very fickle thing in the tech game, as reports of flaws in security can demolish confidence overnight.
- Samsung Galaxy Note: a fond farewell
- Google Chrome puts focus on online security in wake of WhatsApp row
In January 2019, a significant weakness was identified in Group FaceTime, which enabled an attacker to call a victim and, subsequently, connect that call without the permission of the target: users’ environments, including anything in reach of the device’s mic, could then be listened to without the knowledge of the victim.
Security is top of the digital agenda currently: T3 has reported on the WhatsApp privacy conundrum that has led to users decamping, upping sticks, and heading to rivals. It now appears that this type of call attack was not limited to FaceTime; similarly, it could be put to malicious use on other major platforms.
It's one of a volley of attacks that hit everyday devices; we've even covered a brazen WhatsApp phishing hack that looked to nab your activation PIN, masquerading as a technical support message.
Natalie Silvanovich, who discovered the exploits, delves into the extreme technical minutiae of the hacks on the Google Project Zero blog (opens in new tab). T3 has summarized the discoveries below, and what that means for these apps. Everything has now been patched, resolving the security issues, but it does blow a major hole in the apps' claims that they offer the next best thing in bulletproof services for your messages.
As of this moment, Telegram, and Viber are supposedly unaffected, and never were when the exploits were discovered; in the meantime, though, T3 has picked through the jargon to tell you exactly what apps were affected, and what the exploits could've meant for your privacy.
Of course, Facebook Messenger, is a platform that plays a big role in our digital presence, and is integral to many people's day-to-day online comms. The security flaw that affected it could deliver a bug known as an SdpUpdate; its a complex mechanism that can force a call to connect to the callee’s Android handset, bypassing its permissions, and exploitable across the entire target’s contact list.
When the message is delivered to the ringing callee device, it hijacks it to start it transmitting audio; in effect, the victim is unknowingly broadcasting their conversations. Silvanovich discovered the issue on version 222.214.171.124.119 of Facebook Messenger, which has now been fixed.
Once again, Signal had weaknesses that exposed it to a number of different attack vectors, but mainly warping the way a call connects.
In normal use, Signal operates in two scenarios: when a callee accepts an incoming call when the users click ‘accept’, and in reverse where the caller handset receives an incoming ‘connect’ notification, signifying that the caller has accepted the respective call.
But nefarious cyber-criminals could've used a modified client to override the signalling process, and send a ‘connect’ message to a callee’s device. This, again, forces it to accept and transmit audio without the permission of the callee. This, too, has since been patched.
The Google Duo bug compromised users by causing callees to leak video packets from unanswered calls. Fixed in December 2020, the original exploit tinkered with the way that Duo accepts an incoming call.
Even though the callee has not answered the call, the script would allow a Google Duo caller to receive a small amount of video from the callee. This goes beyond audio and could see crooks snooping on video.
JioChat and Mocha
Several other security flaws were identified in the JioChat and Mocha messengers in July 2020: such vulnerabilities that allowed audio to be sent without permission on JioChat; furthermore, Mocha was exposed to a weakness that enabled both audio and video to be shared without permission. A two-pronged leakage of your most personal data.
The former was patched in July 2020 and the latter in August 2020, but it's unknown how many users could've been affected without the vulnerabilities being made public.
Silvanovich speaks to the common thread running through the hacks on the blog, saying: "When I looked at real applications, they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee."
These findings were and are a worrying affront to digital safety across a number of popular platforms; however, vigilance and keeping your apps updated should keep you on top of any concerns, but by no means fully safeguard you to new avenues of attack.