Serious Security Vulnerability in Major Video Calling SDK

Video Calling Software screenshot

The current digital trends coupled with record numbers of online users point to the fact that mass online platforms will be the busiest this year. Technology has shifted to the cloud, to the Internet-of-Things, and online communities. This means that platforms such as video, streaming, gaming, and video calling will continue to be saturated by global users. Cybersecurity is a top priority today for consumers and developers alike, which underlines the importance of cybersecurity awareness for the consumer. For the developer, it means being proactive about software vulnerability issues.

There are several cybersecurity research teams out there working overtime, dealing with upcoming and ongoing threats. One of these specialist teams, the McAfee Advanced Threat Research (ATR) team to be precise, has revealed in-depth research about a potentially severe security flaw in a widely used video calling software development kit, or SDK. While analyzing communication with a personal robot called ‘temi’, they have come across an eyebrow-raising vulnerability with Agora.io’s video calling SDK kit.

What is an SDK

An SDK, or software development kit (also referred to as a developer kit or devkit) is a software ‘bundle’ that includes tools, code, libraries, processes, and guides that are for software developers. SDKs are the basis of modern-day software and apps. SDKs work together with APIs (Application Programming Interface), where an API facilitates the connection element in development. An SDK will ‘create’ the foundation and an API is designed to ‘communicate’ the creation of the developer. An SDK will generally house and contain an API, however, an API does not contain an SDK. Both SDKs and APIs are the founding blocks of software that are also always vulnerable to attack.

What is Agora.io?

Agora.io is a “Real-Time Engagement Platform for meaningful human connections“. In essence, it is a complete multi-platform development kit that is widely used for video and voice communications. Social mobile applications such as MeetMe, Skout, eHarmony, and Plenty of Fish utilize Agora. Healthcare apps such as Practo, Talkspace, and Dr.First’s Backline also make use of the SDK. The kit is used by mobile and desktop applications on 1.7 billion devices around the world. Agora is openly downloadable, which provides many benefits for developers, but is also open to modification by hackers.

Vulnerabilities Within Agora.io SDK

According to researchers at McAfee Advanced Threat Research, while delving into vulnerability analysis and potential mitigation on a ‘personal’ teleconference robot called ‘temi’, a ‘byproduct’ of this process was uncovering a security flaw within the Agora SDK categorized as security flaw CVE-2020-25605.

The potentially severe implications of this flaw, included;

  • Allowing cybercriminals to spy on video calls
  • Allowing cybercriminals to spy on audio calls

Detailed analysis of the flaw revealed;

  • A hardcoded key was found in the ‘temi’ Android application
  • The code pointed at a link to Agora.io’s dashboard
  • Unsecured tokens could allow a hacker to hijack and join a video or audio call
  • Tokens were sent in ‘plaintext’ or ‘cleartext’ with incomplete encryption
  • Agora developers have not focused on encryption in the ‘initial call setup’ process

By going through a process of ‘sniffing‘, an attacker can exploit the vulnerable Agora SDK code, intercept data packets, gather call information and launch a separate Agora video application. This allows the cybercriminal to join the call and users will be oblivious to this. Since the SDK caters to several ‘social’ and ‘healthcare’ apps, this vulnerability could have had dire consequences for online dating, as well as caused sensitive medical information leaks. Even still, if the app was to make it on ‘personal robots’ in its vulnerable form, a cybercriminal could spy on a user’s personal life.

According to today’s McAfee threat report, the issue was mitigated in December with a patched SDK version 3.2.1. Any threats to users were eliminated. At present, it is unclear whether this vulnerability was exploited. It is difficult to gauge whether cybercriminals have facilitated this in other ways, although McAfee researchers have stated they have succeeded in stopping malicious cybercriminals exploiting the flaw that “may have affected millions of users”.

Security Takeaways For Consumers And Developers

McAfee’s research team suggests that developers utilizing Agora SDK immediately upgrade to the latest version if they have not done so already. It is also strongly recommended that development teams implement encryption wherever possible, and take a look at Agora’s recently updated ‘Security Best Practices‘ page.

For the consumer end, it is always important to keep all software and operating systems up to date. Internet users should practice using long and complex passwords on all devices. Finally, researching any software before downloading should be fundamental.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.