Further, vulnerabilities were also discovered in Signal - an app that champions itself as privacy-centric. But it is quite clear that even Zoom wasn’t prepared to address the challenge at hand. However, Zoom managed to address these concerns in time Opens a new window. Last year, video conferencing service Zoom also came under global scrutiny over its data routing, encryption, and other security credentials. Fortunately, McAfee has so far found no evidence of exploitation of CVE-2020-25605 in the wild.
AGORA VIDEO CALL APP UPDATE
The vulnerability was finally closed by Agora through a software update it rolled out in December.
The McAfee Advanced Threat Research team discovered the critical vulnerability in early 2020 after extending their vulnerability research to the Agora SDK. With their collaboration, we were able to alert our customers and help them make necessary fixes. Thanks to McAfee for identifying a vulnerability in our SDK and partnering with us to test our December patch. These may be a few of the reasons why these application developers have chosen to not use the encryption for the video and audio,” he added.
It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption. This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included. “Many calling models used in applications want to give the user the ability to call anyone without prior contact. Security Researcher at McAfee, in a blog post Opens a new window. “The Agora SDK itself did not provide any secure way to generate or communicate the pre-shared key needed for the phone call, and therefore this was left up to the developers, wrote Douglas McKee Opens a new window, Principal Engineer & Sr. See Also: 6 Data Protection Rules To Remember While Video ConferencingĪccording to McAfee, encryption didn’t work in Agora because the encryption options required a pre-shared key, whose implementation was left to the developers. Agora’s SDK also powers dating services eHarmony, Plenty of Fish, and Skout and healthcare apps such as Talkspace, Practo, and Dr. Agora works with MeetMe to integrate its live video streaming features with the popular dating app and online therapy platform Talkspace to facilitate Opens a new window online mental health therapy sessions.īoth MeetMe and Talkspace registered enormous growth since the pandemic hit. The fact that Agora relayed data associated with audio and video calls in an unencrypted form posed a significant risk to the security and privacy of users’ personal information. a.k.a, they could spy on users’ private video calls,” McAfee explained.
In a man-in-the-middle attack, an attacker “secretly intercepts and possibly alters the communications between two unsuspecting users. This essentially meant that attackers sitting on the same network could launch man-in-the-middle attacks by intercepting unencrypted data and using it to join an ongoing call. The error made the applications relay unencrypted video and audio data even if encryption was turned on in apps using Agora SDK. The vulnerability, assigned CVE-2021-25605, arose due to an error in the encryption mechanism of the SDK. The vulnerability allowed attackers to snoop on live audio and video calls by exploiting a lack of encryption of call data in the software development kit.Īccording to researchers at the Advanced Threat Research (ATR) team at McAfee, Agora’s video software development kit (SDK) featured a severe vulnerability that enabled an attacker to spy on ongoing video and audio calls without being detected. Silicon Valley-based cybersecurity company McAfee recently discovered a critical security vulnerability in video broadcasting service Agora.
0 kommentar(er)
