
Bug in shared SDK can let attackers join calls undetected across multiple apps

A small library that provides audio and video calling capabilities contains a bug that can allow attackers to join audio and video calls without being detected.

The bug, discovered by security firm McAfee and tracked as CVE-2020-25605, impacts the software development kit (SDK) provided by Agora, a US company that specializes in real-time communication tools.

Apps that use this SDK for audio and video calling capabilities include the likes of MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace.

In a report published today, McAfee says that the Agora SDK does not encrypt details shared during the process of setting up a new call, even if the app has the encryption feature enabled.

Any attacker sitting on the same network as a targeted user can intercept the traffic in the initial phases of a call, extract various call identifiers, and then join the call without being detected.


McAfee said it discovered this issue last year, in April, during a security audit for temi, a personal robot used in retail stores, which also supports audio and video calling.

A subsequent investigation found clues that this behavior also impacted other apps using the SDK, and the security firm said it notified Agora of its findings.

Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet in an email last week that they notified Agora of their findings and that the company responded by releasing a new SDK in December 2020 that was not vulnerable to CVE-2020-25605.

“While we don’t know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update,” Povolny told ZDNet.

An Agora spokesperson did not return a request for comment.

Agora-based apps have tens of millions of downloads on the Play Store alone; however, McAfee said they found no evidence that the bug was abused in the wild to spy on conversations.

By ZDNet
