Bugs in Signal, Facebook, Google chat apps let attackers spy on users:
Vulnerabilities found in multiple video conferencing mobile applications allowed attackers to listen to users' surroundings without permission before the person on the other end picked up the calls.
The logic bugs were found by Google Project Zero security researcher Natalie Silvanovich in the Signal, Google Duo, Facebook Messenger, JioChat, and Mocha messaging apps and are now all fixed.
However, before being patched, they made it possible to force targeted devices to transmit audio to the attackers' devices without the need of gaining code execution.
"I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data," Silvanovich explained.
[...] "The majority of calling state machines I investigated had logic vulnerabilities that allowed audio or video content to be transmitted from the callee to the caller without the callee’s consent," Silvanovich added.
(Score: 5, Touché) by JoeMerchant on Friday January 22 2021, @08:44PM (4 children)
It's a feature! Thanks NSA.
🌻🌻 [google.com]
(Score: 2) by RedGreen on Friday January 22 2021, @09:30PM
And as Meat Loaf sang it, " You took the words right of my mouth".
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by legont on Saturday January 23 2021, @02:48AM (2 children)
Yep. Use Telegram.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 0) by Anonymous Coward on Saturday January 23 2021, @05:29AM (1 child)
But overall, Signal [wikipedia.org] is considered more secure than Telegram [wikipedia.org].
(Score: 0) by Anonymous Coward on Saturday January 23 2021, @05:37AM
And all the submissions on Parler's failure to strip locale data, which can place idiots in the riot and insurrection against the US Capital, are rejected in favor of this pablum? Be afraid, alt-righters, be very afraid. Your tech incompetence will bring you down!
(Score: 4, Interesting) by All Your Lawn Are Belong To Us on Friday January 22 2021, @10:54PM (3 children)
Wouldn't it be nice if cell phones and tablets have indicator lights for when the camera is actually activated the way laptops and many standalone cameras do? And wouldn't it be nice if microphones likewise had an indicator for when they were hot?
Oh well, I can go off and listen to the Beach Boys and dream.
This sig for rent.
(Score: 0) by Anonymous Coward on Saturday January 23 2021, @12:58AM (2 children)
Actually, iPhones now do that starting with iOS 14.
(Score: 3, Touché) by Runaway1956 on Saturday January 23 2021, @01:45AM (1 child)
It's a software switch, rather than a hardware switch, right? Meaning, the switch only works if "they" want it to work.
(Score: -1, Troll) by Anonymous Coward on Saturday January 23 2021, @05:46AM
The important thing, is that if Runaway has gotten a letter from the Feds, he would not be able to tell us that the Feds are now survelleilng all his posts, and responses, because, you know PATRIOT Act, of which Runaway is one. I mean, they have him on violation or his oath as a semen. So now he is a stoll pidgeon, a snitch, an informer, and collaborator. Traitor, to all sides! Asshole perfectus!! That's our Runaway!
(Score: 2) by Frosty Piss on Friday January 22 2021, @11:24PM (3 children)
Obscure but critical bug found and fixed! NEWS AT 11!
(Score: 3, Interesting) by RamiK on Friday January 22 2021, @11:46PM (2 children)
5 different bugs in 5 different signaling state machines for WebRTC out of 7 inspected video chat apps...
It's a good case and point on why standard protocols are not enough and how the industry needs to work together on open and functional reference implementations that they commit to using in the real world.
compiling...
(Score: 0) by Anonymous Coward on Saturday January 23 2021, @03:12AM (1 child)
Yes, that way NSA could get away with 1/5th as much work, saving taxpayer money for something more important.
(Score: 2) by RamiK on Saturday January 23 2021, @05:58AM
That line of thinking doesn't add up:
1. While placing back doors becomes easier with LoC and multiple projects, detecting them only becomes harder. Inversely, the smaller the code base and team, the less likely it will be infiltrated by a malicious actor.
2. The industry has more personal for coding and reviewing than any three letter agency.
3. The specs are written with dozens and hundreds of different implementations and needs in mind.
4. Due to how the economy favors centralization, there's never more than a handful of major implementations. But, they still have to account for all the special cases built into the standards.
Combine the above and you end up with a few high value targets containing way too much LoC, managed by government-friendly entities or those with loose hiring practicing and limited oversight over the actual work due to different companies working on separate implementations.
OpenSSL saw all this happen as it got drowned by too many features and competing implementations before someone finally sat down to try and review it. Messaging apps aren't fairing any better by the looks of it.
compiling...
(Score: 0) by Anonymous Coward on Monday January 25 2021, @11:57PM
Misleading title; the tense of "let" is unclear. It's past tense. Please consider "used to let" instead next time. Or please consider appending "some until 2020" or "until recently".