Don’t Call Us We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK

The McAfee Advanced Threat Research (ATR) team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated and published several findings on a personal robot called “temi”, which can be read about in detail here. A byproduct of our robotic research was a deeper dive into a video calling software development kit (SDK) created by Agora.io. Agora’s SDKs are used for voice and video communication in applications across multiple platforms. Several of the most popular mobile applications utilizing the vulnerable SDK included social apps such as eHarmony, Plenty of Fish, MeetMe and Skout, and healthcare apps such as Talkspace, Practo and Dr. In early 2020, our research into the Agora Video SDK led to the discovery of sensitive information sent unencrypted over the network. This flaw, CVE-2020-25605, may have allowed an attacker to spy on ongoing private video and audio calls. At the time of writing, McAfee is unaware of any instances of this vulnerability being exploited in the wild. We reported this research to Agora.io on Apand the company, as of December 17th, 2020, released a new SDK, version 3.2.1, which mitigated the vulnerability and eliminated the corresponding threat to users.

Encryption has increasingly become the new standard for communication, often even in cases where data privacy is not explicitly sensitive. For example, all modern browsers have begun to migrate to newer standards (HTTP/2) which enforce encryption by default, a complete change from just a few years ago when a significant amount of browsing traffic was sent in clear text and could be viewed by any interested party. While the need to protect truly sensitive information such as financial data, health records, and other personally identifiable information (PII) has long been standardized, consumers are increasingly expecting privacy and encryption for all web traffic and applications. Furthermore, when encryption is an option provided by a vendor, it must be easy for developers to implement, adequately protect all session information including setup and teardown, and still meet the developers’ many use cases. These core concepts are what led us to the findings discussed in this blog.

To boldly go where no one has gone before

As part of our analysis of the temi ecosystem, the team reviewed the Android application that pairs with the temi robot. During this analysis, a hardcoded key was discovered in the app.

Figure 1: Application ID hardcoded in temi phone app

This raised the question: What is this key and what is it used for? Thanks to the detailed logging provided by the developers, we had a place to start.

What is Agora?

According to the website – “Agora provides the SDKs and building blocks to enable a wide range of real-time engagement possibilities”. In the context of our initial robot project, it simply provides the technology required to make audio and video calls. In a broader context, Agora is used for a variety of applications including social, retail, gaming and education, among others.

Agora allows anyone to create an account and download its SDKs for testing from its website, which also provides extensive documentation. Its GitHub repositories also provide detailed sample projects on how to use the product. This is amazing for developers, but also very useful to security researchers and hackers. Using the logging comments from the above code we can look at the documentation to understand what an App ID is and what it is used for.

Figure 2: Agora documentation about App ID

The last two sentences of this documentation really grabbed our attention. We had found a key which is hardcoded into an Android application that “anyone can use on any Agora SDK” and is “prudent to safeguard”.

Agora provides several different SDKs with different functionality. Since we encountered Agora through use of the video SDK, we decided to focus on only this SDK for the rest of this research. Simulating the mindset of an attacker, we began to investigate what this App ID or key could be used for. Furthermore, in the context of the video SDK, the question evolved into whether an attacker could interact with this video and audio traffic.

“60% of the time, encrypting works every time.”

Since Agora provides sample projects and allows for free developer accounts, the best way to understand what potential attack vectors exist is to use these tools.

Figure 3: Sample project initializeEngine function

Here we see in the example code the App ID being used to create a new “RtcEngine” object. Examining the GitHub example projects and the associated documentation, we can learn exactly what is needed and how a normal user is connected to a video call.
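As an added example, not code from the McAfee post or from Agora: a small scanner for the kind of hardcoded App ID the team found in the temi companion app, meant to be run over decompiled APK sources (strings.xml, Java, smali) as a pre-release or audit check. It assumes (not stated on the page) that an Agora App ID is a 32-character lowercase hex string, and the sample inputs below are constructed, not taken from any real app.

```python
import re

# Assumption, not stated on the page: an Agora App ID is a 32-character lowercase hex string.
APP_ID_RE = re.compile(r"\b[0-9a-f]{32}\b")
# Keywords that make a hex literal a likely App ID rather than, say, a cache-key MD5.
CONTEXT_RE = re.compile(r"app[_ ]?id|agora|rtcengine", re.IGNORECASE)


def find_hardcoded_app_ids(source, context_lines=1):
    """Scan decompiled source text and return a list of
    (line_number, app_id, line_text) for every 32-hex literal that sits on,
    or within `context_lines` of, a line mentioning Agora / App ID / RtcEngine."""
    lines = source.splitlines()
    hits = []
    for idx, line in enumerate(lines):
        for match in APP_ID_RE.finditer(line):
            lo, hi = max(0, idx - context_lines), idx + context_lines + 1
            if CONTEXT_RE.search("\n".join(lines[lo:hi])):
                hits.append((idx + 1, match.group(0), line.strip()))
    return hits


# Constructed sample input: the kind of lines a decompiled APK yields (not the temi app).
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Companion</string>
    <string name="agora_app_id">0123456789abcdef0123456789abcdef</string>
</resources>
"""
SAMPLE_JAVA = """public class CallActivity {
    private void initializeEngine() {
        mRtcEngine = RtcEngine.create(getBaseContext(), "fedcba9876543210fedcba9876543210", mHandler);
    }

    private static final String CACHE_MD5 = "d41d8cd98f00b204e9800998ecf8427e";
}
"""

if __name__ == "__main__":
    for name, text in (("strings.xml", SAMPLE_STRINGS_XML), ("CallActivity.java", SAMPLE_JAVA)):
        for line_no, app_id, text_line in find_hardcoded_app_ids(text):
            print(f"{name}:{line_no}: possible hardcoded App ID {app_id} -> {text_line}")
```

The unrelated MD5 constant in the Java sample is deliberately not reported, because nothing around it mentions Agora, an App ID or RtcEngine.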