Written by Check Point Research.
Real-time chat and video services available within many telemedicine, finance and smart IoT device applications used by millions of people, rely on the popular QuickBlox framework.
QuickBlox is a chat and video calling platform for developing iOS, Android, and web applications. It provides an API for authentication, user management, chat, messaging, file management, etc., and an easy-to-use SDK that enables voice and video features.
Therefore, it is no surprise we first encountered QuickBlox while researching a particular intercom mobile application that would rely on such a framework. This led us down the research rabbit hole into both the QuickBlox framework and various applications that use it.
A joint Research with Claroty Team82
Check Point Research (CPR) in collaboration with Claroty Team82, conducted a joint research project to look into the security of the QuickBlox SDK. Together, we uncovered a few major security vulnerabilities in the QuickBlox platform architecture that, if exploited, could allow threat actors to access tens of thousands of applications’ user databases and put millions of user records at risk.
In this report, we will demonstrate exploits against multiple applications running the QuickBlox SDK under the hood, specifically against smart intercom and telemedicine applications. By chaining the vulnerabilities we identified with other flaws in the targeted applications, we found unique ways to carry out attacks that enabled us to remotely open doors via intercom applications, and also leak sensitive patient information from a major telemedicine platform.
Security Vulnerabilities
After analyzing the QuickBlox architecture, we decided to look into the QuickBlox API and examine what we can access using “public” information: application secret keys. We discovered a few critical vulnerabilities in the QuickBlox API that could allow attackers to leak the user database from many popular applications.
Exploiting Intercom IoT Platform- Rozcom
While examining Rozcom, an Israel-based vendor that sells intercoms for residential and commercial use cases including video intercoms, we found multiple vulnerabilities in the Rozcom architecture that enabled us to download all user databases and perform full account takeover attacks. As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more.
User database and medical record history leakage from Telemedicine Platform
Telemedicine is a platform for health-related services and information via electronic information and telecommunication technologies. It allows long-distance patient and clinician contact, care, advice, reminders, education, intervention, monitoring, and remote admissions. By combining the QuickBlox vulnerabilities alongside the specific telemedicine app vulnerabilities, we were able to access all of the [REDACTED] user database, along with the related medical records and history kept in the application.