At almost 1 year old, the invitation-only, audio-based social-media platform ClubHouse is dealing with security issues on many fronts, but the consensus among researchers is coming into focus: Assume your ClubHouse conversations are being recorded.
2 breaches of the audio-based social media app reinforce privacy, security concerns.
3rd Party Website
The company confirmed to Bloomberg that over the weekend a user was able to breach “multiple” ClubHouse room audio feeds & stream them on a 3rd-party website. A company spokeswoman told Bloomberg the user has been banned & that “safeguards” have been put in place.
Another user, located in mainland China, meanwhile wrote code that allows anyone to listen in on ClubHouse conversations without the required invitation code, & posted it on GitHub, Silicon Angle reported. That, along with other malicious code designed to breach Clubhouse, have been blocked, says the outlet.
Agora Platform
The essence of Clubhouse’s security problems is its backend “real-time voice & video engagement platform” provided by Shanghai-based start-up Agora. Clubhouse web traffic is directed to Agora’s server in China, including personal metadata, without encryption, according to the Stanford Internet Observatory (SIO), which was the 1st to raise the alarm about ClubHouse’s privacy & security protections on Feb. 12.
Because Agora is based in China & Silicon Valley, it is subject to cyber-security laws of the People’s Republic of China, which the company acknowledged could require it to assist the government in investigations by providing audio.
Metadata
Agora, for its part, denies storing metadata.
“However, the Chinese Govt. could still theoretically tap Agora’s networks & record it themselves,” SIO observed. “Or Agora could be misrepresenting its data storage practices.”
Consumers should be aware their data is likely exposed.
“It’s alarming that platforms like this are built on leveraging coarse data transfer practices that users accept when they install these apps,” Burak Agca, an engineer with Lookout commented.
“Consumers trust their mobile devices & the apps on them to be inherently secure. This may lead them to open up their devices to unknown communications with data-collection and traffic-management systems.”
Similar to TikTok
Agca observed that the issues surrounding ClubHouse are much like previous security concerns raised around TikTok.
“The TikTok parent company, ByteDance, explained that it didn’t share any user data with the Chinese Govt.,” he explained. “In the case of both TikTok & ClubHouse, we all know that if the Chinese government really wants something, they’ll get it.”
ClubHouse, which is only available for iPhone, has been downloaded by more than 8m users, which, according to USA Today, is double the number it had on Feb. 1. The company is currently valued at $1b & includes famous users like Silicon Valley investor Ben Horowitz, CBS news anchor Gayle King & even Beyonce’s mum, Tina Knowles.
Routing through China
As ClubHouse gains notoriety, Katie Moussouris, CEO of Luta Security told Silicon Angle that it is important for users & analysts to keep an eye on how its security posture evolves.
“Today’s ClubHouse data routing through China while optimising for maximum social graph is tomorrow’s congressional inquiry of another runaway tech giant, too big & too late to regulate,” she concluded.
https://www.cybernewsgroup.co.uk/virtual-conference-march-2021/
