Written by Shannon Vavra
An error in a popular video calling software development kit could have allowed hackers to spy on private video and audio calls through services including eHarmony or Talkspace, according to McAfee research published Wednesday.
The flaw, which stems from an encryption error, affected a video-calling software development kit (SDK) developed by Agora.io that is used by dating services such as eHarmony, Plenty of Fish, MeetMe and Skout and by medical applications such as Talkspace, Practo and Dr. First’s Backline, according to McAfee. Agora says its SDK is used on 1.7 billion devices, in applications built for education, retail, gaming and other social purposes.
The flaw, known as CVE-2020-25605, is accounted for in an update Agora issued in mid-December, according to McAfee. Agora did not immediately respond to a request for comment.
McAfee’s Advanced Threat Research team does not have any evidence that the flaw has been exploited.
If an attacker had found out about the issue, though, they could have seen that the sensitive information used to initiate calls was being sent in plain text, according to McAfee. Attackers could have sniffed network traffic to obtain information about calls of interest and then secretly joined the call with no signal to the targeted users, researchers found.
Part of the issue was that Agora had not provided a secure way to generate the key needed to encrypt calls, the researchers note in a blog post on the matter.
“Many calling models used in applications want to give the user the ability to call anyone without prior contact,” the McAfee researchers state. “This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included. It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption. These may be a few of the reasons why these application developers have chosen to not use the encryption for the video and audio.”
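The two patterns the researchers contrast, as an added example that is not part of the article, of McAfee's research or of Agora's SDK: a constructed call-setup message sent in plain text, beside the same message protected by a per-call key that the caller agrees with the callee through X25519 key agreement and then seals with AES-GCM. Everything here is an assumption for illustration: the CallSetup fields, the wire layout, and the NewCallee, EncryptedJoin and DecryptJoin names are not Agora's API, and ObserverSeesChannel stands in for a passive observer who sees only the bytes on the wire.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CallSetup is a constructed stand-in for the parameters a client sends to
// join a call. It is not Agora's wire format; the fields are assumptions.
type CallSetup struct {
	Channel string `json:"channel"`
	Caller  string `json:"caller"`
}

// PlaintextJoin models the weak pattern: setup parameters go on the wire as-is.
func PlaintextJoin(s CallSetup) []byte {
	b, _ := json.Marshal(s)
	return b
}

// ObserverSeesChannel models a passive observer on the network path who only
// has the bytes on the wire: can the channel name be read from them?
func ObserverSeesChannel(wire []byte, channel string) bool {
	return bytes.Contains(wire, []byte(channel))
}

// NewCallee creates the callee's X25519 key pair; the public half is what a
// directory or signalling service would hand to callers (assumed to be authentic).
func NewCallee() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

const (
	pubLen   = 32 // X25519 public key length
	nonceLen = 12 // standard AES-GCM nonce length
)

// deriveCallKey turns the raw ECDH shared secret into a 256-bit AES key with an
// HMAC-SHA256 extract step under a fixed label, so the raw curve output is
// never used as a key directly.
func deriveCallKey(shared []byte) []byte {
	m := hmac.New(sha256.New, []byte("call-setup-key-v1"))
	m.Write(shared)
	return m.Sum(nil)
}

func newGCM(shared []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveCallKey(shared))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptedJoin models the hardened pattern: an ephemeral caller key agrees a
// per-call key with the callee's public key, and the setup is sealed with
// AES-GCM. Wire layout: callerPub(32) || nonce(12) || ciphertext+tag.
// The call key itself is never transmitted.
func EncryptedJoin(s CallSetup, calleePub *ecdh.PublicKey) ([]byte, error) {
	ephemeral, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := ephemeral.ECDH(calleePub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	callerPub := ephemeral.PublicKey().Bytes()
	// The caller's public key is bound in as associated data, so swapping it
	// in transit makes the tag check fail.
	sealed := gcm.Seal(nil, nonce, plain, callerPub)
	wire := make([]byte, 0, pubLen+nonceLen+len(sealed))
	wire = append(append(append(wire, callerPub...), nonce...), sealed...)
	return wire, nil
}

// DecryptJoin is the callee side: recompute the same key from the caller's
// public key and open the sealed setup. Tampering or a wrong key is rejected.
func DecryptJoin(wire []byte, calleePriv *ecdh.PrivateKey) (CallSetup, error) {
	var out CallSetup
	if len(wire) < pubLen+nonceLen {
		return out, errors.New("join message too short")
	}
	callerPub, err := ecdh.X25519().NewPublicKey(wire[:pubLen])
	if err != nil {
		return out, err
	}
	shared, err := calleePriv.ECDH(callerPub)
	if err != nil {
		return out, err
	}
	gcm, err := newGCM(shared)
	if err != nil {
		return out, err
	}
	plain, err := gcm.Open(nil, wire[pubLen:pubLen+nonceLen], wire[pubLen+nonceLen:], wire[:pubLen])
	if err != nil {
		return out, fmt.Errorf("join message rejected: %w", err)
	}
	return out, json.Unmarshal(plain, &out)
}
```

The key-agreement step is what the researchers mean by a "built-in mechanism for key sharing": the caller needs nothing from the callee beyond a public key, so the call-anyone model still works, while a passive observer sees only a public key, a nonce and ciphertext. The example assumes the callee's public key is obtained from an authenticated source; without that, a party able to substitute keys on the path could still insert itself, which is a separate problem from the plaintext exposure the article describes.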
As people around the globe increasingly rely on digital services to communicate for work, private conversations and medical care throughout the pandemic, the flaw is a jarring reminder that although virtual conversations may appear private, prying eyes could find surreptitious ways to eavesdrop on them.
“While the security community encourages developers to write software code with security in mind, software apps tend to struggle with bugs and vulnerabilities in their early days,” the researchers write. “Consumers should by all means download and enjoy the hottest new apps, but they should also take steps to protect themselves from any undiscovered issues that might threaten them.”
Video-conferencing tools broadly have come under the microscope in the last year amid the shift to an increasingly distributed workforce. Zoom, for instance, came under fire for its privacy and security practices early in the pandemic last year, and recently reached a settlement with the Federal Trade Commission over allegations that it misled consumers about the level of encryption it provided during calls. Zoom recently began rolling out end-to-end encryption for consumers after it was criticized for saying it would offer that level of protection only to paid users.