In January 2019, a serious flaw was reported in Apple’s Group FaceTime feature that let users start a FaceTime video call and eavesdrop on targets by adding their own number as a third participant in a group call, even before the person on the other end had accepted the incoming call.
The weakness was considered so severe that the iPhone maker disabled Group FaceTime altogether before the issue was fixed in a subsequent iOS update.
Since then, a number of similar flaws have been disclosed in multiple video chat apps, including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger, all as a result of work by Google Project Zero researcher Natalie Silvanovich.
“While [the Group FaceTime] bug was soon fixed, the fact that such a serious and easy to reach vulnerability had occurred due to a logic bug in a calling state machine — an attack scenario I had never seen considered on any platform — made me wonder whether other state machines had similar vulnerabilities as well,” Silvanovich wrote in a Tuesday deep-dive of her year-long investigation.
Although most messaging apps today rely on WebRTC for communication, the connections themselves are established by exchanging call set-up information between peers using the Session Description Protocol (SDP), a process called signaling, which typically works by sending an SDP offer from the caller’s end, to which the callee responds with an SDP answer.
In other words, when a user starts a WebRTC call to another user, a session description called an “offer” is created that contains all the information needed to set up the connection.
The whole process is a state machine, which indicates “where in the process of signaling the exchange of offer and answer the connection currently is.”
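To make the signaling state machine concrete, here is an added example (not code from the article, from Project Zero, or from any of the apps named) that models the offer/answer exchange and the one check a calling state machine must enforce: the callee's microphone and camera stay off until the local user has accepted. The `TRANSITIONS` table, the `accepted` flag and `runCall` are assumptions of this example; the state names mirror `RTCPeerConnection.signalingState`.

```javascript
// Added example, not from the article or Project Zero: a minimal calling state machine
// shaped like WebRTC offer/answer signaling; state names mirror RTCPeerConnection.signalingState.
const TRANSITIONS = {
  createOffer:   { from: "stable",            to: "have-local-offer"  },
  receiveOffer:  { from: "stable",            to: "have-remote-offer" },
  createAnswer:  { from: "have-remote-offer", to: "stable"            },
  receiveAnswer: { from: "have-local-offer",  to: "stable"            },
};
class CallStateMachine {
  constructor(role) {
    this.role = role;                // "caller" | "callee"
    this.signalingState = "stable";
    this.accepted = false;           // assumed app-level "user answered" flag, not part of WebRTC
    this.mediaEnabled = false;       // mic/camera streaming to the peer
  }
  apply(event) {                     // reject any event the current state forbids
    const t = TRANSITIONS[event];
    if (!t || this.signalingState !== t.from) {
      throw new Error(`${this.role}: ${event} not allowed in ${this.signalingState}`);
    }
    // A callee must not produce an answer until its user has accepted.
    if (event === "createAnswer" && !this.accepted) throw new Error("answer before accept");
    this.signalingState = t.to;
  }
  accept() { this.accepted = true; } // only ever triggered by the local UI
  // The gate the disclosed bugs lacked: remote messages cannot start callee media before accept.
  enableMedia() {
    if (this.role === "callee" && !this.accepted) return false;
    if (this.signalingState !== "stable") return false;
    this.mediaEnabled = true;
    return true;
  }
}
// Walk one call; with acceptCall=false the callee never answers and its media stays off.
function runCall(acceptCall) {
  const caller = new CallStateMachine("caller");
  const callee = new CallStateMachine("callee");
  caller.apply("createOffer");
  callee.apply("receiveOffer");
  const earlyMedia = callee.enableMedia();  // before accept: must be false
  if (acceptCall) {
    callee.accept();
    callee.apply("createAnswer");
    caller.apply("receiveAnswer");
  }
  const calleeMedia = callee.enableMedia();
  const callerMedia = caller.enableMedia();
  return { earlyMedia, calleeMedia, callerMedia };
}
```

Running `runCall(false)` returns all three flags false, while `runCall(true)` returns `earlyMedia` false and both media flags true, showing that media can only follow an explicit accept.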