SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps

Apps like eHarmony and MeetMe are affected by a flaw in the Agora toolkit that went unpatched for eight months, researchers discovered.

A vulnerability in an SDK that allows users to make video calls in apps like eHarmony, Plenty of Fish, MeetMe and Skout allows threat actors to spy on private calls without the user knowing.

Researchers discovered the flaw, CVE-2020-25605, in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while doing a security audit last year of a personal robot called “temi,” which uses the toolkit. Agora provides developer tools and building blocks for providing real-time engagement in apps, and documentation and code repositories for its SDKs are available online. Healthcare apps such as Talkspace, Practo and Dr. First’s Backline, among various others, also use the SDK for their call technology.

SDK Bug Could Have Impacted Millions

Due to its shared use in a number of popular apps, the flaw has the potential to affect “millions–potentially billions–of users,” reported Douglas McKee, principal engineer and senior security researcher at McAfee Advanced Threat Research (ATR), on Wednesday. McKee said he did not find evidence of the bug being exploited in the wild.

The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission. This paves the way for remote attackers to “obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic,” according to the vulnerability’s CVE description.

Researchers reported their findings to Agora.io on April 20, 2020. The flaw remained unpatched for about eight months until Dec. 17, 2020, when the company released a new SDK, version 3.2.1, “which mitigated the vulnerability and eliminated the corresponding threat to users,” McKee said.

Researchers were first alerted to an issue when, during their analysis of the temi ecosystem, they found a hardcoded key in the Android app that pairs with the temi robot. Upon further exploration, they found a connection to the Agora SDK through “detailed logging” by developers to the Agora.io dashboard, McKee said. Upon examination of the Agora video SDK, researchers discovered that it allows information to be sent in plaintext across the network to initiate a video call. They then ran tests using sample apps from Agora to see if third parties could leverage this scenario to spy on a user.

SDK Bug Allows Attackers to Circumvent Encryption

What they discovered through a series of steps is that they can, a scenario that affects various apps using the SDK, according to McKee. Further, threat actors can hijack key details about calls being made from within apps even if encryption is enabled on the app, he said.

The first step for an attacker to exploit the vulnerability is to identify the proper network traffic he or she wants to target. ATR achieved this by building a network layer in less than 50 lines of code using a Python framework called Scapy “to help easily identify the traffic the attacker cares about,” McKee explained. “This was done by reviewing the video call traffic and reverse-engineering the protocol,” he said.

In this way researchers were able to sniff network traffic to gather information pertaining to a call of interest and then launch their own Agora video applications to join the call, “completely unnoticed by normal users,” McKee wrote.

While developers do have the option in the Agora SDK to encrypt the call, key details about the calls are still sent in plaintext, allowing attackers to acquire these values and use the ID of the associated app “to host their own calls at the cost of the app developer,” McKee explained. However, if developers encrypt calls using the SDK, attackers can’t view video or hear audio of the call, he said.

Still, while this encryption is available, it’s not widely adopted, McKee added, “making this mitigation largely impractical” for developers.

Other Apps Impacted by Faulty SDK

In fact, in addition to temi, researchers examined a cross-section of apps on Google Play that use Agora—including MeetMe, Skout and Nimo TV—and found that all four of the applications have hardcoded App IDs that allow access to call details and do not enable encryption. “Even though the encryption functions are being called, the application developers are actually disabling the encryption based on this documentation,” McKee explained. “Without encryption enabled and the setup information passed in cleartext, an attacker can spy on a very large range of users.”

Agora did not immediately respond to an email request for comment sent by Threatpost on Thursday. ATR said the company “was very receptive and responsive to receiving” information about the vulnerability, and that after testing the SDK they “can confirm it fully mitigates CVE-2020-25605.”

Source: SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps
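As an added illustration of the cleartext-setup problem the article describes (this is not the Threatpost article's, Agora's or McAfee ATR's own code), the Python below parses raw Ethernet/IPv4/UDP frames and flags any packet whose payload carries readable call-setup fields, which is the kind of filter ATR says it built with Scapy. The `JOIN app_id=... channel=... uid=...` message shape, the addresses, ports and sample frames are all constructed for this example; Agora's real wire protocol is not reproduced here and is not public on this page.

```python
"""
Passive detector for call-setup metadata that crosses the network in cleartext.

Added example, not code from the article, Agora or McAfee ATR. The "JOIN ..."
wire format below is a constructed stand-in, not Agora's real protocol; it only
reproduces the failure mode the article describes: the setup fields an attacker
needs (app ID, channel, user ID) are readable on the wire even when the media
packets themselves are opaque.
"""
import hashlib
import re
import socket
import struct

# Constructed (hypothetical) setup message shape: b"JOIN key=value key=value ...".
SETUP_RE = re.compile(rb"^JOIN (?P<fields>(?:\w+=\S+\s*)+)$")


def build_frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/UDP frame around payload (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    return eth + ip


def parse_udp(frame):
    """Return (src, sport, dst, dport, payload), or None if not IPv4/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ip[9] != 17:                           # protocol field: 17 = UDP
        return None
    udp = ip[ihl:]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    return (socket.inet_ntoa(ip[12:16]), sport,
            socket.inet_ntoa(ip[16:20]), dport, udp[8:ulen])


def find_cleartext_setup(frames):
    """Scan frames; return one record per packet that leaks setup fields."""
    hits = []
    for frame in frames:
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        m = SETUP_RE.match(payload)
        if m is None:
            continue                          # opaque payload (e.g. encrypted media)
        fields = dict(kv.split(b"=", 1) for kv in m.group("fields").split())
        hits.append({"src": src, "dst": dst, "dport": dport,
                     **{k.decode(): v.decode() for k, v in fields.items()}})
    return hits


def build_sample_frames():
    """Constructed traffic: one cleartext setup packet, then two opaque media packets."""
    setup = build_frame("10.0.0.5", 40000, "203.0.113.10", 8000,
                        b"JOIN app_id=a1b2c3d4 channel=room42 uid=7")
    # Stand-in for encrypted media: deterministic but meaningless bytes.
    media = [build_frame("10.0.0.5", 40001, "203.0.113.10", 8001,
                         hashlib.sha256(f"rtp-{i}".encode()).digest() * 4)
             for i in range(2)]
    return [setup] + media


if __name__ == "__main__":
    for hit in find_cleartext_setup(build_sample_frames()):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} leaked "
              f"app_id={hit['app_id']} channel={hit['channel']} uid={hit['uid']}")
```

Fed live frames from a raw socket or Scapy's sniff(), the same loop is the kind of traffic filter the article describes. The point it makes is the one McKee makes: the opaque media packets never match, but a single cleartext setup packet hands over the app ID and channel name an observer needs, so encrypting the media alone does not close the hole.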
zanderthunder posted a topic in Technology News

Today, at the 5G Mobile World Conference, Nvidia co-founder and CEO Jensen Huang announced Nvidia Jarvis, a multi-modal AI software development kit that combines speech, vision, and other sensors in one AI system.

As stated before, Jarvis is the company's attempt to process multiple inputs from different sensors simultaneously. The wisdom behind this approach is that it will help build context for accurately predicting and generating responses in conversation-based AI applications. To preface this, Nvidia exemplified situations where this might help on its blog post.

In Jarvis, Nvidia has included modules that can be tweaked according to the user's requirements. For vision, Jarvis has modules for person detection and tracking, detection of gestures, lip activity, gaze, and body pose. For speech, the system has sentiment analysis, dialog modeling, domain and intent, and entity classification. For integration into the system, fusion algorithms have been employed to synchronize the working of these models.

Moreover, the firm claims that Jarvis-based applications work best when used in conjunction with Nvidia Neural Modules (NeMo), which is a framework-agnostic toolkit for creating AI applications built around neural modules. For cloud-based applications, services developed using Jarvis can be deployed using the EGX platform, which Nvidia is touting as the world's first edge supercomputer. For edge and Internet of Things use cases, Jarvis runs on the Nvidia EGX stack, which is compatible with a large swath of Kubernetes infrastructure available today.

Jarvis is now open for early access. If you are interested, you can log in to your Nvidia account and sign up for early access to it here.

Source: Nvidia Jarvis—a multi-modal AI SDK—fuses speech, vision, and other sensors into one system (via Neowin)