Highlights

  • Check Point Research (CPR), in collaboration with Claroty Team82, uncovered major security vulnerabilities in the popular QuickBlox platform, which is used in telemedicine, finance and smart IoT device applications.
  • If exploited, the vulnerabilities could allow threat actors to access applications’ user databases and expose the sensitive data of millions of users.
  • CPR and Team82 disclosed the findings to QuickBlox, which worked closely with both teams and fixed the vulnerabilities through a new, more secure architecture design and a new API.

Introduction and research motivation

Real-time chat and video services available within many telemedicine, finance and smart IoT device applications, used by millions of people, rely on the popular QuickBlox framework.

QuickBlox is a chat and video calling platform for developing iOS, Android, and web applications. It provides an API for authentication, user management, chat, messaging, file management, etc., and an easy-to-use SDK that enables voice and video features. It is therefore no surprise that we first encountered QuickBlox while researching a particular intercom mobile application built on such a framework. This led us down the research rabbit hole into both the QuickBlox framework and various applications that use it.

A joint research with Claroty Team82

Check Point Research (CPR), in collaboration with Claroty Team82, conducted a joint research project to look into the security of the QuickBlox SDK. Together, we uncovered a few major security vulnerabilities in the QuickBlox platform architecture that, if exploited, could allow threat actors to access the user databases of tens of thousands of applications and put millions of user records at risk.

In this report, we will demonstrate exploits against multiple applications running the QuickBlox SDK under the hood, specifically against smart intercom and telemedicine applications. By chaining the vulnerabilities we identified with other flaws in the targeted applications, we found unique ways to carry out attacks that enabled us to remotely open doors via intercom applications, and also leak sensitive patient information from a major telemedicine platform.

Security Vulnerabilities

After analyzing the QuickBlox architecture, we decided to look into the QuickBlox API and examine what we can access using “public” information: application secret keys. We discovered a few critical vulnerabilities in the QuickBlox API that could allow attackers to leak the user database from many popular applications.

Exploiting Intercom IoT Platform - Rozcom

While examining Rozcom, an Israel-based vendor that sells intercoms for residential and commercial use cases including video intercoms, we found multiple vulnerabilities in the Rozcom architecture that enabled us to download all user databases and perform full account takeover attacks. As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more.

User database and medical record history leakage from Telemedicine Platform

Telemedicine is a platform for health-related services and information via electronic information and telecommunication technologies. It allows long-distance patient and clinician contact, care, advice, reminders, education, intervention, monitoring, and remote admissions. By combining the QuickBlox vulnerabilities alongside the specific telemedicine app vulnerabilities, we were able to access all of the [REDACTED] user database, along with the related medical records and history kept in the application.

Responsible disclosure

Team82 and CPR worked closely with QuickBlox to resolve all of the uncovered vulnerabilities. After acknowledging the findings, QuickBlox committed to applying fixes by designing a new, secure architecture and API, and to urging its customers to migrate to the latest version. We would like to express our gratitude and appreciation for their effort.

QuickBlox users are advised to update to the latest version in order to remain protected against the threats described in this research.

To read the full detailed report, visit Check Point Research.
