Bug in shared SDK can let attackers join calls undetected across multiple apps

Apps that use the SDK include MeetMe, Skout, Nimo TV, temi, and Talkspace.

A small library that provides audio and video calling capabilities contains a bug that can allow attackers to join audio and video calls without being detected.

The bug, discovered by security firm McAfee and tracked as CVE-2020-25605, affects the software development kit (SDK) provided by Agora, a US company specializing in real-time communication tools.

Apps that use this SDK for audio and video calling capabilities include the likes of MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace.

In a report published today, McAfee says it found the affected apps sending call setup data in cleartext. Any attacker on the same network as a targeted user could capture that traffic during the initial phase of a call, read the call identifiers out of it, and then use them to join the call without the participants noticing.
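The practical check that follows from this is to capture your own app's signaling traffic and ask whether call identifiers are readable off the wire. The script below is an added example and not McAfee's or Agora's code: it flags cleartext payloads (by printable-byte ratio) and pulls identifier-like fields out of them. The packet formats, field names such as `channel`, `app_id` and `token`, and the sample capture are all constructed for the example; the article does not describe Agora's actual wire format.

```python
import json
import re
from typing import Dict, List, Tuple

# Bytes 0x20-0x7E are printable ASCII. A payload made almost entirely of
# these is very likely cleartext (JSON, key=value, ...), while an encrypted
# or compressed payload is close to uniformly random.
PRINTABLE = frozenset(range(0x20, 0x7F))

# Field names that would let an eavesdropper join or impersonate a call.
# Hypothetical for this example: adapt to whatever your own SDK emits.
IDENT_KEY = re.compile(
    r"^(channel|room|app_?id|token|uid|user_?id|session|call_?id)$", re.I
)
KV_PAIR = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=([^&;\s]+)")


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty payload)."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def looks_cleartext(payload: bytes, threshold: float = 0.9) -> bool:
    """Crude but effective: ciphertext almost never clears this bar."""
    return printable_ratio(payload) >= threshold


def extract_identifiers(payload: bytes) -> Dict[str, str]:
    """Return identifier-like fields readable in the payload, or {} if none.

    Tries JSON first, then falls back to key=value pairs. Anything that is
    not cleartext is skipped: there is nothing to read off the wire.
    """
    if not looks_cleartext(payload):
        return {}
    text = payload.decode("ascii", errors="replace")
    found: Dict[str, str] = {}
    try:
        obj = json.loads(text)
    except ValueError:
        obj = None
    if isinstance(obj, dict):
        for key, value in obj.items():
            if IDENT_KEY.match(key) and isinstance(value, (str, int)):
                found[key] = str(value)
        return found
    for key, value in KV_PAIR.findall(text):
        if IDENT_KEY.match(key):
            found[key] = value
    return found


def audit(packets: List[bytes]) -> List[Tuple[int, Dict[str, str]]]:
    """One (packet index, leaked fields) entry per packet that leaks in the clear."""
    findings = []
    for index, payload in enumerate(packets):
        leaked = extract_identifiers(payload)
        if leaked:
            findings.append((index, leaked))
    return findings


# Constructed sample capture. None of this is the real Agora wire format,
# which the article does not describe; it only illustrates the two cases.
SAMPLE_PACKETS = [
    # 0: cleartext JSON join request: everything an eavesdropper needs
    b'{"op":"join","channel":"room-4471","app_id":"a1b2c3d4e5f6","uid":90210}',
    # 1: stand-in for an encrypted payload (fixed bytes, so the run is deterministic)
    bytes.fromhex("9c02f71e88a5c03b45ff0ed3b6a7191c7e80dd5201b4c9e6f2ab3d0e9874c1a5"),
    # 2: cleartext key=value style signaling leaking the join token
    b"op=join&channel=room-4471&token=007abcdef&ver=3",
    # 3: cleartext but harmless: no identifiers to steal
    b"keepalive",
]

if __name__ == "__main__":
    for index, leaked in audit(SAMPLE_PACKETS):
        print(f"packet {index}: identifiers readable on the wire -> {leaked}")
```

Feed `audit()` the transport payloads from a capture of your own app's call setup (exported from whatever sniffer you use), and adjust `IDENT_KEY` to the field names your SDK actually sends. A correctly built SDK sends those fields only inside an encrypted channel, so the audit should report nothing; any hit is exactly the condition the McAfee report describes.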

[Image: McAfee]

McAfee said it discovered the issue in April 2020, during a security audit of temi, a personal robot used in retail stores that also supports audio and video calling.

A subsequent investigation found clues that the same behavior affected other apps built on the SDK.

Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet in an email last week that McAfee notified Agora of its findings and that the company responded by releasing a new SDK in December 2020 that is not vulnerable to CVE-2020-25605.

"While we don't know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update," Povolny told ZDNet.

"Collaborating with McAfee allowed us to proactively release a new SDK that mitigated the vulnerability in December 2020," an Agora spokesperson told ZDNet via email. "Neither the Agora team nor McAfee has found evidence of the vulnerability being exploited in the wild."

Article updated on February 18 with comment from Agora.