The speaker discusses vulnerabilities in state machines used in video conferencing applications and the importance of understanding and documenting state machines to prevent these vulnerabilities.
- Understanding state machines is important for identifying vulnerabilities in video conferencing applications
- State mismanagement is a common cause of vulnerabilities in state machines
- Developers should document state machines to ensure proper understanding and prevent vulnerabilities
- More research is needed in this area to identify additional vulnerabilities
The speaker found vulnerabilities in Signal and Facebook Messenger caused by state mismanagement, where messages were sent to the wrong recipient or at the wrong time. They also found that not all state machines are well documented, which leads to vulnerabilities. The speaker emphasizes the importance of considering that attackers may use state machines to connect calls without user consent. They also note that more research is needed in this area to identify additional vulnerabilities.
On January 29, 2019, a serious vulnerability was discovered by multiple parties in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target, allowing the attacker to listen to the target's surroundings without their knowledge or consent. While this remarkable bug was soon fixed, it presented a new and unresearched attack surface in mobile applications that support video conferencing. This presentation covers my attempts to find similar bugs in other messaging applications, including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.
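The following is an added example, not code from the talk or from any of the applications named: a callee-side call state machine written as an explicit, documented transition table, so that a signalling message arriving in the wrong state or from the wrong peer is dropped, and media is enabled only after a local user action. The state, message and peer names are hypothetical.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    RINGING = auto()    # incoming call shown, waiting for the local user
    CONNECTED = auto()  # the only state in which audio/video may be sent
    ENDED = auto()

# Documented callee state machine: (state, source, message) -> next state.
# source: "remote" (peer signalling) or "user" (local UI). Names are hypothetical.
TRANSITIONS = {
    (State.IDLE, "remote", "offer"): State.RINGING,
    (State.RINGING, "user", "accept"): State.CONNECTED,
    (State.RINGING, "user", "decline"): State.ENDED,
    (State.RINGING, "remote", "hangup"): State.ENDED,
    (State.CONNECTED, "remote", "hangup"): State.ENDED,
    (State.CONNECTED, "user", "hangup"): State.ENDED,
}

class CalleeCall:
    def __init__(self):
        self.state, self.peer, self.rejected = State.IDLE, None, []

    @property
    def media_enabled(self):
        return self.state is State.CONNECTED

    def handle(self, source, message, sender=None):
        # Apply one event; anything not in the table is dropped and recorded.
        nxt = TRANSITIONS.get((self.state, source, message))
        wrong_peer = source == "remote" and self.peer not in (None, sender)
        if nxt is None or wrong_peer:
            self.rejected.append((self.state.name, source, message, sender))
            return False
        if message == "offer":
            self.peer = sender  # bind the call to the peer that started it
        self.state = nxt
        return True

def replay(events):
    call = CalleeCall()
    for event in events:
        call.handle(*event)
    return call

# Constructed events: after the offer, the peer sends a caller-role "answer"
# and a third party sends "hangup", both before the local user has acted.
SAMPLE = [("remote", "offer", "alice"), ("remote", "answer", "alice"),
          ("remote", "hangup", "mallory")]
```

Replaying `SAMPLE` leaves the call in `RINGING` with media disabled and both unexpected messages recorded in `rejected`, which gives detection logic something to alert on.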