Raw audio from clubhouse users could be exposed to Chinese partner

Febin MathewFebruary 14, 21 agora, chinese, clubhouse

Clubhouse, the popular app that allows people to create digital newsgroups, says it is reviewing its data security practices after the Stanford Internet Observatory discovered potential vulnerabilities in its infrastructure that could allow external access to users’ raw audio data.

The SIO confirmed that Agora Inc., a Shanghai-based start-up with offices in Silicon Valley, provides back-end infrastructure to Clubhouse and sells a “real-time voice and video engagement platform.”

User identifiers are transmitted in clear text over the Internet, which makes them “easy to intercept,” noted the Observatory. User IDs are like a serial number, not the person’s username. Agora would likely have access to users’ raw audio, potentially giving access to the Chinese government, he said.

“Any observer of Internet traffic could easily match the IDs on shared discussion boards to see who is talking to whom,” WIS said in its Twitter feed of its findings. For mainland Chinese users, this is troubling.

SIO, a Stanford University program that studies disinformation on the Internet and social media platforms, said it observed metadata from a Clubhouse chat room “relayed to servers we believe are hosted in” China. Analysts also saw the audio being relayed “to servers managed by Chinese entities and distributed around the world,” their report notes.

SIO said that as a Chinese company, Agora was subject to Chinese cybersecurity laws and would be “legally obligated to assist the government in locating and storing” audio messages, authorities say, endangering national security. .

Agora did not immediately respond to emails outside of regular business hours requesting comment.

Metadata transmission

“Any unencrypted data transmitted through servers in the PRC (People’s Republic of China) would likely be accessible to the Chinese government,” SIO said in its report. Since SIO was able to observe the transmission of metadata between servers, he believes that the Chinese government would be able to collect metadata without having to access Agora’s networks.

However, the Observatory noted that Agora claims not to store user audio or metadata “except to monitor network quality and bill its customers”, which means it would not have any data records. user if Beijing requested it.

He also said that as long as the audio is stored in the United States, the Chinese government is unlikely to be able to access it.

SIO said it chose to disclose the security issues because they were easy to find and because of the risk they pose to the millions of Clubhouse users. “SIO has discovered other security vulnerabilities that we have disclosed privately to Clubhouse and which we will publicly disclose when corrected or after a deadline.”

The core Clubhouse software is based on an older version of Agora’s voice library, said Federico Maggi, senior researcher at Trend Micro.

By analyzing the Clubhouse app, we found that it included an outdated version of the Agora software library that uses outdated encryption features, according to their technical documentation, while security best practices are to always use the latest cryptographic support, “Federico Maggi said in a telephone interview.

Additionally, this version of the Agora library forces data to be sent to China via three hard-coded IP addresses, even if the users are located in Europe or the United States, as the Stanford report shows, Maggi added. .

Clubhouse response

In a statement included in the SIO report, Clubhouse said it would roll out 72-hour changes to add “additional encryption and blocks to prevent Clubhouse customers from forwarding pings to Chinese servers.” We also plan to use an external data security company to review and validate these changes. “

Clubhouse recently raised $100 million for a reported valuation of $1 billion, and some of the most notable tech executives, including Elon Musk of Tesla Inc., have joined the service.

Agora, known primarily in tech circles as an industrious but low-key software tool provider, has climbed more than 150% since mid-January. It is now worth almost $11 billion.

In early February, Clubhouse users in China said they could not access the app after an explosion of discussions on taboo topics from Taiwan to Xinjiang. Now, it appears that users can access the app using VPNs, one of the few ways people in mainland China can access the internet beyond the Great Firewall.

Written by Jamie Tarabay.