On January 29, 2019, a serious vulnerability was discovered by multiple parties in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target, allowing the attacker to listen to the target's surroundings without their knowledge or consent.
While this remarkable bug was soon fixed, it presented a new and unresearched attack surface in mobile applications that support video conferencing.
This presentation covers my attempts to find similar bugs in other messaging applications, including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.
Natalie Silvanovich is a security researcher on Google Project Zero. Her current focus is on script engines, particularly understanding the subtleties of the scripting languages they implement and how they lead to vulnerabilities. She is a prolific finder of vulnerabilities in this area, reporting over a hundred vulnerabilities in Adobe Flash in the last year.
Previously, she worked in mobile security on the Android Security Team at Google and as a team lead of the Security Research Group at BlackBerry, where her work included finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets and has spoken at several conferences on the subject of Tamagotchi hacking.
After working for fintech and database technology companies, Hank has found a home in cybersecurity. Before Lookout, he was the 20th employee at a cloud infrastructure security startup and helped the company grow to over 160 employees. At Lookout, he is a Senior Manager on the Security Solutions team, enabling internal teams and informing the market about the growing need to secure mobile devices as part of the larger security strategy.