Surfeit and Blasé Security
SonicWall has released firmware patches for SMA 100 series products in an update to its previous alert from February 3, 2021. A remote attacker could exploit a vulnerability in versions of SMA 10 prior to 10.2.0.5-29sv to take control of an affected system.
CISA encourages users and administrators to review the updated SonicWall alert and apply the necessary patches as soon as possible.
This product is provided subject to this Notification and this Privacy & Use policy.
SonicWall has released firmware patches for SMA 100 series products in an update to its previous alert from February 3, 2021. A remote attacker could exploit a vulnerability in versions of SMA 10 prior to 10.2.0.5-29sv to take control of an affected system.
CISA encourages users and administrators to review the updated SonicWall alert and apply the necessary patches as soon as possible.
This product is provided subject to this Notification and this Privacy & Use policy.
On January 28, 2021, due to the Data Privacy Day, the Brazilian National Data Protection Authority (“ANPD”), through Ordinance No. 11, made public the Regulatory Agenda approved by the Directing Council for the 2021-2022 biennium, through which it lists the topics to be regulated by the ANPD in this period and the respective deadlines for its beginning.
The agenda foresees the regulation of the so-called ‘priority aspects’. The deadlines defined by the ANPD for the regulation of these topics are divided into 3 distinct phases, highlighting that the scheduled date indicates the beginning of the regulation process, not its conclusion.
Although Ordinance No. 11 provides for the beginning of the regulatory process to take place in up to 1 year, for the aspects comprising phase 1, 1 and a half year for phase 2 and up to 2 years for the aspects comprising phase 3, Appendix I of the Ordinance, although it may still be changed, brings more optimistic forecasts for the beginning of the regulations, as shown in the schedule below:
| Aspects / Subjects | Phase | Forecasting beginning of the regulatory process |
|---|---|---|
| Publication of the First Internal Rules of the ANPD | 1 | 1st semester of 2021 |
| Publication of ANPD’s Strategic Planning for the 2021-2023 triennium | 1 | 1st semester of 2021 |
| Edition of simplified and differentiated rules, guidelines and procedures for adaptation of micro and small businesses to the LGPD1 , as well as startups and individuals who process personal data under economic purposes – according to article 55-J, XVIII of the LGPD | 1 | 1st semester of 2021 |
| Establishment of rules for the application of administrative sanctions provided for in article 52 of the LGPD, including the calculation of the base value of fines and the circumstances and conditions for their appliance | 1 | 1st semester of 2021 |
| Regulation of the notification, by the Controller to the ANPD, of security incidents, as provided for in article 48 of the LGPD, including deadline, templates and procedure for forwarding the information | 1 | 1st semester of 2021 |
| Edition of Regulations and Procedures on Data Protection Impact Assessments in cases on which the processing represents a high risk to the guarantee of the general principles of personal data protection | 1 | 1st semester of 2021 |
| Establishment of complementary rules on the definition and duties of the DPO, appointed by Controllers, pursuant to article 41, §3 of the LGPD | 2 | 1st semester of 2022 |
| Regulation of International Transfer of Personal Data, including authorized countries, the assessment of the level of protection of personal data and the standard contractual clauses that allow the transfer | 2 | 1st semester of 2022 |
| Regulation of the data subjects rights already provided for in the LGPD | 3 | 1st semester of 2022 |
| Edition of Document providing for the legal hypotheses for the processing of personal data and the consequent application of the LGPD, on various topics | 3 | 2nd semester of 2022 |
This challenging scenario and the uncertainties surrounding the LGPD should start to become less obscure in a short time. We will continue to follow all topics regarding the regulation of the LGPD and soon we expect to be able to provide more information on the development of the law and the effective start of the regulatory process for the matters set out above.
On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc. As we disclosed the findings to Agora in April 2020, this lengthy disclosure timeline represents a nonstandard process for McAfee but was a joint agreement with the vendor to allow sufficient time for the development and release of a secure SDK. The release of the SDK mitigating the vulnerability took place on December 17th, 2020. Given the implications of snooping and spying on video and audio calls, we felt it was important to provide Agora the extended disclosure time. The affected users of Agora include popular voice and video messaging apps, with one notable application being the popular new iOS app known as Clubhouse.
Clubhouse Application Screenshot
Clubhouse has made headlines recently as one of the newest players in the social networking sphere, rising in popularity after a series of high-profile users including Elon Musk, Kanye West and influencers in various geographies posted about the platform. Released in April of 2020, Clubhouse quickly carved out a niche in Chinese social media as the platform to discuss sensitive social and political topics – perhaps aided by its invite-only approach to membership – and the spotlight shined on it by these key players further propelled it into viral status early this year. Perhaps unsurprisingly, the application was blocked for use in China on February 8th, 2021.
Last week, Stanford Internet Observatory (SIO) released research regarding the popular Clubhouse app’s use of Agora real-time engagement software and suggested that Agora could have provided the Chinese government access to Clubhouse user information and communications. While the details of Stanford’s disclosure focus on the audio SDK compared to our work on the video SDK, the functionality and flaw are similar to our recent disclosure, CVE-2020-25605. This includes the plaintext transmission of app ID, channel ID and token – credentials necessary to join either audio or video calls. We can confirm that Clubhouse updated to the most recent version of the Agora SDK on February 16th – just a day prior to our public disclosure.
Despite the recent noise surrounding Clubhouse, the reality is that this application is just one of many applications that leverage the Agora SDK. Among others, we investigated the social apps eHarmony, Skout, and MeetMe, along with several widely-used healthcare apps, some of which have a significantly larger user base. For example, MeetGroup (comprised of several apps) reported approximately 18 million monthly users compared to Clubhouse, which had approximately 600k total users as of December 2020.
We felt it was important to highlight these data points and are continuing to investigate these applications as well as monitor any potential instances of malicious actors exploiting this vulnerability. Given that Agora has released an updated SDK that fixes the call setup issues, vulnerable applications should have already switched to the secure calling SDK, thus protecting the sensitive audio and video call data as many claim to do. With that in mind, we decided to check back in with some of the Agora-based apps we previously investigated to confirm whether they had updated to the patched version. We were surprised to see many, as of February 18, 2020, still had not:
| App Name | Installs | App Version | App Version Date | Updated Agora SDK |
| MeetMe | 50,000,000+ | 14.24.4.2910 | 2/9/2021 | Yes |
| LOVOO | 50,000,000+ | 93.0 | 2/15/2021 | No |
| Plenty of Fish | 50,000,000+ | 4.36.0.1500755 | 2/5/2021 | No |
| SKOUT | 50,000,000+ | 6.32.0 | 2/3/2021 | Yes |
| Tagged | 10,000,000+ | 9.32.0 | 12/29/2020 | No |
| GROWLr | 1,000,000+ | 16.1.1 | 2/11/2021 | No |
| eharmony | 5,000,000+ | 8.16.2 | 2/5/2021 | Yes |
| Clubhouse | 2,000,000+ | 0.1.2.8 | 2/16/2021 | Yes |
| Practo | 5,000,000+ | 4.93 | 1/26/2021 | No |
With the context around censorship and basic privacy concerns, it will be interesting to see if these and many other apps using the vulnerable SDK update quickly, or even ever, and what kind of lasting effects these types of findings have on users’ trust and confidence in social media platforms.
For more on McAfee ATR’s research into the Agora SDK, please see our technical research blog.
For information on how users can protect themselves when using such apps, please see our consumer safety tips blog.
The post Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use appeared first on McAfee Blogs.