Messaging Apps Have an Eavesdropping Problem

In early 2019, a bug in group FaceTime calls would have let attackers activate the microphone, and even the camera, of the iPhone they were calling and eavesdrop before the recipient did anything at all. The implications were so severe that Apple invoked a nuclear option, cutting off access to the group-calling feature entirely until the company could issue a fix. The vulnerability—and the fact that it required no taps or clicks at all on the part of the victim—captivated Natalie Silvanovich.

“The idea that you could find a bug where the impact is, you can cause a call to be answered without any interaction—that’s surprising,” says Silvanovich, a researcher in Google’s Project Zero bug-hunting team. “I went on a bit of a tear and tried to find these vulnerabilities in other applications. And I ended up finding quite a few.”

Silvanovich has spent years studying “interaction-less” vulnerabilities, hacks that don’t require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. Those attacks have taken on increasing significance as targeted mobile surveillance explodes around the world.

At the Black Hat security conference in Las Vegas on Thursday, Silvanovich is presenting her findings about remote eavesdropping bugs in ubiquitous communication apps like Signal, Google Duo, and Facebook Messenger, as well as popular international platforms JioChat and Viettel Mocha. All of the bugs have been patched, and Silvanovich says that the developers were extremely responsive about fixing the vulnerabilities within days or a few weeks of her disclosures. But the sheer number of discoveries in mainstream services underscores how common these flaws can be and the need for developers to take them seriously.

“When I heard about that group FaceTime bug I thought it was a unique bug that would never occur again, but that turned out not to be true,” says Silvanovich. “This is something we didn’t know about before, but it’s important now for the people who make communication apps to be aware. You’re making a promise to your users that you’re not going to suddenly start transmitting audio or video of them at any time, and it’s your burden to make sure that your application lives up to that.”

The vulnerabilities Silvanovich found offered an assortment of eavesdropping options. The Facebook Messenger bug could have allowed an attacker to listen in on audio from a target’s device. The Viettel Mocha and JioChat bugs both potentially gave advanced access to audio and video. The Signal flaw exposed audio only. And the Google Duo vulnerability gave video access, but only for a few seconds. During this time an attacker could still record a few frames or grab screenshots.

The apps Silvanovich looked at all build much of their audio and video calling infrastructure on real-time communication tools from the open source project WebRTC. Some of the interaction-less calling vulnerabilities stemmed from developers who seemingly misunderstood WebRTC features, or implemented them poorly. But Silvanovich says that other flaws came from design decisions specific to each service related to when and how it sets up calls.