Can You Hear Me Now? Remote Eavesdropping Vulnerabilities in Mobile Messaging Applications

Presented at Black Hat USA 2021, Aug. 5, 2021, 2:30 p.m. (30 minutes)

On January 29, 2019, a serious vulnerability was discovered by multiple parties in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target, allowing the attacker to listen to the target's surroundings without their knowledge or consent.

While this remarkable bug was soon fixed, it presented a new and unresearched attack surface in mobile applications that support video conferencing.

This presentation covers my attempts to find similar bugs in other messaging applications, including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.


Presenters:

  • Natalie Silvanovich - Security Researcher, Google
    Natalie Silvanovich is a security researcher on Google Project Zero. Her current focus is messaging applications and video conferencing. Previously, she worked in mobile security on the Android Security Team at Google and as a team lead of the Security Research Group at BlackBerry, where her work included finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets and has spoken at several conferences on the subject of Tamagotchi hacking.

Links: