McAfee uncovers vulnerability in telehealth kit
McAfee’s Advanced Threat Research (ATR) team has uncovered a new vulnerability in video calling software used by telemedicine providers.
The security issue was discovered in Agora, a video calling software development kit (SDK) included in healthcare apps like Dr. First Backline, Talkspace and temi, and used across more than 1.7 billion devices globally.
According to McAfee, Agora’s SDK until recently included a vulnerability that could have allowed an attacker to spy on ongoing video and audio calls. The McAfee ATR team discovered that this stemmed from incomplete encryption. Agora’s SDK implementation did not allow applications to securely configure the setup of video/audio encryption, leaving the potential for hackers to snoop on calls.
If exploited, this particular vulnerability could’ve allowed a criminal to launch man-in-the-middle attacks, which occur when a hacker secretly intercepts and possibly alters the communications between two unsuspecting users.
Encryption has increasingly become the new standard for communication, often even in cases where the data is not explicitly sensitive. For example, all modern browsers have begun to migrate to newer standards (HTTP/2) which enforce encryption by default, a complete change from just a few years ago, when a significant amount of browsing traffic was sent in clear text and could be viewed by any interested party.
While the need to protect truly sensitive information such as financial data, health records, and other personally identifiable information (PII) has long been standardised, consumers are increasingly expecting privacy and encryption for all web traffic and applications.
In accordance with McAfee’s safe vulnerability disclosure policy, ATR provided Agora with details of its research, so that the software developer could take action to address it with a software update. Agora was very receptive to receiving this information and advanced its security capabilities by providing developers with a new SDK option to encrypt the initial call setup information. McAfee has since tested this and confirmed there is no further risk.
Uncovering vulnerabilities like this highlights the importance of researchers working closely with app developers to make tools as secure as possible. McAfee also recommends that consumers take care when downloading the latest apps, as software apps tend to struggle with bugs and vulnerabilities in their early days.
“McAfee is unaware of any instances of this vulnerability being exploited in the wild, which demonstrates another powerful success story of mitigating an issue which may have affected millions of users before it is used for malicious purposes,” the ATR team said in a press release.
“Our partnership with Agora resulted in the release of a more secure SDK which has empowered developers across multiple companies to produce more secure video calling applications. We strongly recommend any development team which uses the Agora SDK to upgrade to the latest version, follow Agora’s outlined best practices, and implement full encryption wherever possible.”
Zoom enters the healthcare market - a timeline
Since the pandemic began, Zoom has become an integral part of daily life for people working from home, as well as a vital tool for families and friends to communicate. However, it's also been eyeing up the healthcare space since 2017, and following the boom in telehealth the company has been rolling out additional services. Here we chart Zoom's move into healthcare.
2011 - 2013
Zoom is founded in San Jose, California, by Eric Yuan, formerly of Cisco. He got the idea to create a video calling platform from his visits to his girlfriend while he was a student, which would take 10 hours by train.
A beta version is released in 2012, which can host up to 15 participants. In 2013 this rises to 25. By mid-2013, Zoom has 1 million users.
2014 - 2017
Zoom attracts investors, including Sequoia Capital, Emergence and Horizon Ventures. By January 2017, Zoom has a series D funding worth $100 million.
2017 - 2019
Zoom for Telehealth launches, including an integration with EHR system Epic. It has cloud-based video, audio, and content sharing features, a "waiting room" for patients, and can easily be integrated into healthcare providers' workflows.
In 2019 Zoom goes public, with its IPO rising 72% in one day.
As a result of the pandemic, Zoom gains 2.2 million new users, more than in the whole of 2019. On the 23rd of March alone - the day the UK lockdown was announced - the platform was downloaded 2.13 million times around the world.
Share prices rise to around $150, and founder and chief executive Eric Yuan becomes one of the world's richest people, with an estimated net worth of $7.9 billion.
Early security issues are addressed by encrypting data with the Advanced Encryption Standard (AES). By now the platform allows 99 people to be on a call simultaneously.
New features launch, including Zoom Home and Zoom for Chats. Throughout the year the platform is used to replace most kinds of real life events: work meetings, online classrooms, church services and social events.
Renamed Zoom for Healthcare, users can share secured video, audio, and content through desktops, mobile phones, and conference devices. As well as Epic, it can be integrated with Strmr, IntakeQ, and Practice Better.
It can also be used with diagnostic cameras and other point-of-care devices, including digital stethoscopes.
In an interview with Korea Biomedical Review, Zoom Global Healthcare Lead Ron Emerson said: "Our service is not simply a virtual care and telemedicine platform but a multi-purpose platform that can satisfy the needs of healthcare institutions."
"It can be used for administrative tasks, including telemedicine, medical team meetings, recruitment, medical education, employee training, and disease prevention. Analysing electronic records managed by Zoom could provide meaningful insights into patient care."
Phoenix Children's Hospital, Belfast's Hospital Services Limited, Butler Health Services and the global Project ECHO are among Zoom for Healthcare's current customers.