McAfee uncovers vulnerability in telehealth kit
McAfee’s Advanced Threat Research (ATR) team has uncovered a new vulnerability in video calling software used by telemedicine providers.
The security issue was discovered in Agora, a video calling software development kit (SDK) included in healthcare apps like Dr. First Backline, Talkspace and temi, and used across more than 1.7 billion devices globally.
According to McAfee, Agora’s SDK until recently included a vulnerability that could have allowed an attacker to spy on ongoing video and audio calls. The McAfee ATR team discovered that this stemmed from incomplete encryption: Agora’s SDK implementation did not allow applications to securely configure the setup of video/audio encryption, leaving the potential for hackers to snoop on them.
If exploited, this particular vulnerability could’ve allowed a criminal to launch man-in-the-middle attacks, which occur when a hacker secretly intercepts and possibly alters the communications between two unsuspecting users.
Encryption has increasingly become the new standard for communication, often even in cases where the data is not explicitly sensitive. For example, all modern browsers have begun to migrate to newer standards (HTTP/2) which enforce encryption by default, a complete change from just a few years ago, when a significant amount of browsing traffic was sent in clear text and could be viewed by any interested party.
While the need to protect truly sensitive information such as financial data, health records, and other personally identifiable information (PII) has long been standardised, consumers are increasingly expecting privacy and encryption for all web traffic and applications.
In accordance with McAfee’s safe vulnerability disclosure policy, ATR provided Agora with details of its research, so that the software developer could take action to address it with a software update. Agora was very receptive to receiving this information and advanced its security capabilities, by providing developers with a new SDK option to encrypt the initial call setup information. McAfee have since tested this and confirmed there is no further risk.
Uncovering vulnerabilities like this highlights the importance of researchers working closely with app developers to make tools as secure as possible. McAfee also recommends that consumers take care when downloading the latest apps, as software apps tend to struggle with bugs and vulnerabilities in their early days.
“McAfee is unaware of any instances of this vulnerability being exploited in the wild, which demonstrates another powerful success story of mitigating an issue which may have affected millions of users before it is used for malicious purposes,” the ATR team said in a press release.
“Our partnership with Agora resulted in the release of a more secure SDK which has empowered developers across multiple companies to produce more secure video calling applications. We strongly recommend any development team which uses the Agora SDK to upgrade to the latest version, follow Agora’s outlined best practices, and implement full encryption wherever possible.”
COVID-19 app for NHS staff launches as restrictions lift
A new app has launched today to support UK hospital staff who have been redeployed to care for COVID-19 patients.
The Acute COVID app has been co-developed by Chelsea and Westminster Hospital NHS Foundation Trust and its charity CW+, along with health tech company Imagineear Health.
It provides information to healthcare staff via a step-by-step guide, aimed at both doctors and nurses. This includes the different stages of COVID-19 so they have guidance around triage at A&E, hospital admission, in-hospital treatments, and advanced care management.
The app also provides training on non-invasive ventilation. In the first wave of the pandemic, the number of patients needing this type of ventilation meant that staff who would not normally administer it had to do so.
Additionally, the app signposts staff to where they can access mental and physical wellbeing support, acknowledging the levels of staff burnout the pandemic has created, particularly among frontline staff.
The launch of the app comes on the same day England lifts its COVID-19 restrictions, labelled "freedom day" by some. However infection rates have soared in recent weeks and the move has been fiercely opposed by scientists and doctors, both in the UK and abroad.
In a letter published in medical journal The Lancet backed by 1,200 international scientists, experts called the unlocking "a threat to the world", as allowing infection rates to rise enables the virus to mutate and potentially become resistant to the vaccination.
At the weekend the newly appointed health secretary Sajid Javid announced he had tested positive for coronavirus, and both Prime Minister Boris Johnson and the chancellor Rishi Sunak are self-isolating.
Meanwhile in the first week of July more than 500,000 alerts were issued by the NHS Covid-19 app telling people they had been exposed to the virus. As a result businesses are considering cutting their opening hours while staff are self-isolating at home. The government has issued guidance saying that fully vaccinated frontline NHS staff in England will be allowed to carry on working even if they've come into contact with someone with COVID-19.