Google’s Project Zero researcher Natalie Silvanovich has spent a while hunting for weaknesses in video chat and instant messaging apps. Her most recent work turned up a class of signaling bugs affecting several applications, including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.
Most video chat and IM applications set up their calls with WebRTC. The exchange of call-setup messages between the two peers is called signaling, and before any media flows the application is supposed to obtain the consent of the callee (the person on the other end). Silvanovich found that the signaling state machines in most of the applications she examined could be driven past that consent step.
These flaws allow a call to connect and data to be received without any interaction from the callee. In some cases they also let the caller force the callee’s device to transmit audio or video.
The root cause is logic bugs in the signaling state machines, which Silvanovich describes as a concerning and under-investigated side of video conferencing applications.
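As an added illustration, not code from Project Zero or from any of the applications named above, the toy Python model below contrasts a callee-side state machine that lets the caller’s signaling alone switch on outbound media with one that gates that transition on local consent and refuses out-of-order messages. The state names, message names and event format are assumptions made for the example.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()    # incoming offer shown to the user, not yet answered
    ACCEPTED = auto()   # local user pressed "answer"
    CONNECTED = auto()  # media may flow in both directions

class ConsentError(Exception): pass

class Callee:
    state = State.IDLE
    sending_media = False

    def step(self, source, msg):
        # source is "remote" (a signaling message from the caller) or "local" (the user's UI)
        if (source, msg) == ("remote", "offer") and self.state is State.IDLE:
            self.state = State.RINGING
        elif (source, msg) == ("local", "accept") and self.state is State.RINGING:
            self.state = State.ACCEPTED
        elif (source, msg) == ("remote", "connected"):
            self.on_connected()
        else:
            raise ConsentError(f"{source}:{msg} unexpected in {self.state.name}")

class VulnerableCallee(Callee):
    def on_connected(self):
        # Bug: the caller's "connected" alone enables outbound media, even while still RINGING.
        self.state = State.CONNECTED
        self.sending_media = True

class HardenedCallee(Callee):
    def on_connected(self):
        # Only ACCEPTED (the user consented) may advance; "connected" while RINGING is refused.
        if self.state is not State.ACCEPTED:
            raise ConsentError("connected before local accept")
        self.state = State.CONNECTED
        self.sending_media = True

def replay(callee, events):
    # Apply a scripted event sequence; True means outbound media ended up enabled.
    for source, msg in events:
        try:
            callee.step(source, msg)
        except ConsentError:
            return False
    return callee.sending_media

# Constructed event sequences: "connected" arriving before the user answers, and a normal call.
PREMATURE = [("remote", "offer"), ("remote", "connected")]
NORMAL = [("remote", "offer"), ("local", "accept"), ("remote", "connected")]
```

In a real client the `ConsentError` path is also the natural place to log the out-of-order transition, since a remote peer sending "connected" to a phone that is still ringing is exactly the pattern a defender wants to see.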
Fortunately, the affected developers fixed these bugs quickly. Telegram and Viber, which Silvanovich also examined, were found to have none of the above flaws.
Silvanovich summarized her findings: “The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee’s consent. This is clearly an area that is often overlooked when securing WebRTC applications. The majority of the bugs did not appear to be due to developer misunderstanding of WebRTC features. Instead, they were due to errors in how the state machines are implemented. That said, a lack of awareness of these types of issues was likely a factor. It is also concerning to note that I did not look at any group calling features of these applications, and all the vulnerabilities reported were found in peer-to-peer calls. This is an area for future work that could reveal additional problems.”
In January 2019, a similar vulnerability was reported in Apple’s FaceTime group chats. It allowed a user to initiate a FaceTime video call and eavesdrop on the target by adding their own number as a third participant in a group chat. The issue was deemed so severe that Apple took the FaceTime group chat feature offline altogether until it was fixed.