In a report released by researchers at McAfee, a new bug tracked as CVE-2020-25605 can allow attackers to join audio and video calls without being detected. The bug impacts the Software Development Kit (SDK) provided by Agora. Agora is a US-based company that specializes in providing real-time communication. Some of the applications that use the Agora SDK include MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace. Any attacker that has access to the same local area network as the targeted victims can join the calls without being detected, steal call identifiers, and intercept initial call traffic. This is because Agora SDK does not encrypt details shared during the process of setting up a new call even if the encryption feature is enabled.
The vulnerability was initially found by McAfee in April 2020 when they were conducting a security audit for temi. After investigating, researchers found that other applications were also infected by the bug and they notified Agora. McAfee waited to publicly release details of the vulnerability until Agora had released a new SDK in December 2020 that is not vulnerable to the same bug, and software developers who use Agora had been notified that they needed to update to the new version of the SDK. It is unclear which applications have implemented the new SDK. Anyone using any of these applications for communications should ensure that the new SDK has been implemented by the company before continuing the use of the application. Since the attacker has to have access to the victims’ network, an initial infection using a different vector, such as a malicious email attachment that installs a backdoor, would likely have to be carried out before the attacker could exploit this bug. To prevent infection on a network, companies should have monitoring in place such as Binary Defense Managed Detection and Response to identify when attackers are trying to infiltrate a network and work to stop intrusions before they have the chance to escalate to major incidents.
More can be read here: https://www.zdnet.com/article/bug-in-shared-sdk-can-let-attackers-join-calls-undetected-across-multiple-apps/