There are several cybersecurity research teams out there working overtime, dealing with upcoming and ongoing threats. One of these specialist teams, the McAfee Advanced Threat Research (ATR) team to be precise, has revealed in-depth research about a potentially severe security flaw in a widely used video calling software development kit, or SDK. While analyzing communication with a personal robot called ‘temi’, they have come across an eyebrow-raising vulnerability with Agora.io’s video calling SDK kit.
What is an SDK
An SDK, or software development kit (also referred to as a developer kit or devkit) is a software ‘bundle’ that includes tools, code, libraries, processes, and guides that are for software developers. SDKs are the basis of modern-day software and apps. SDKs work together with APIs (Application Programming Interface), where an API facilitates the connection element in development. An SDK will ‘create’ the foundation and an API is designed to ‘communicate’ the creation of the developer. An SDK will generally house and contain an API, however, an API does not contain an SDK. Both SDKs and APIs are the founding blocks of software that are also always vulnerable to attack.
What is Agora.io?
Agora.io is a “Real-Time Engagement Platform for meaningful human connections“. In essence, it is a complete multi-platform development kit that is widely used for video and voice communications. Social mobile applications such as MeetMe, Skout, eHarmony, and Plenty of Fish utilize Agora. Healthcare apps such as Practo, Talkspace, and Dr.First’s Backline also make use of the SDK. The kit is used by mobile and desktop applications on 1.7 billion devices around the world. Agora is openly downloadable, which provides many benefits for developers, but is also open to modification by hackers.
Vulnerabilities Within Agora.io SDK
According to researchers at McAfee Advanced Threat Research, while delving into vulnerability analysis and potential mitigation on a ‘personal’ teleconference robot called ‘temi’, a ‘byproduct’ of this process was uncovering a security flaw within the Agora SDK categorized as security flaw CVE-2020-25605. The potentially severe implications of this flaw, included;
Allowing cybercriminals to spy on video calls Allowing cybercriminals to spy on audio calls
Detailed analysis of the flaw revealed;
A hardcoded key was found in the ‘temi’ Android application The code pointed at a link to Agora.io’s dashboard Unsecured tokens could allow a hacker to hijack and join a video or audio call Tokens were sent in ‘plaintext’ or ‘cleartext’ with incomplete encryption Agora developers have not focused on encryption in the ‘initial call setup’ process
By going through a process of ‘sniffing‘, an attacker can exploit the vulnerable Agora SDK code, intercept data packets, gather call information and launch a separate Agora video application. This allows the cybercriminal to join the call and users will be oblivious to this. Since the SDK caters to several ‘social’ and ‘healthcare’ apps, this vulnerability could have had dire consequences for online dating, as well as caused sensitive medical information leaks. Even still, if the app was to make it on ‘personal robots’ in its vulnerable form, a cybercriminal could spy on a user’s personal life. According to today’s McAfee threat report, the issue was mitigated in December with a patched SDK version 3.2.1. Any threats to users were eliminated. At present, it is unclear whether this vulnerability was exploited. It is difficult to gauge whether cybercriminals have facilitated this in other ways, although McAfee researchers have stated they have succeeded in stopping malicious cybercriminals exploiting the flaw that “may have affected millions of users”.
Security Takeaways For Consumers And Developers
McAfee’s research team suggests that developers utilizing Agora SDK immediately upgrade to the latest version if they have not done so already. It is also strongly recommended that development teams implement encryption wherever possible, and take a look at Agora’s recently updated ‘Security Best Practices‘ page. For the consumer end, it is always important to keep all software and operating systems up to date. Internet users should practice using long and complex passwords on all devices. Finally, researching any software before downloading should be fundamental.
