Clubhouse at risk, experts warn: fear of being traced back

Recently, the voice social platform “Clubhouse” has become all the rage and attracted intense attention, but it has also been revealed that the platform uses technology from the Chinese audio company Agora, which may pose information security risks. Experts warned that actual testing found that Clubhouse does not use P2P transmission as claimed and that its voice packets contain ID information that could be traced back, so it is recommended not to talk about sensitive or illegal topics on the platform.

Clubhouse is a voice community application that can only be joined with an “invitation code”. It is currently available only on the App Store, the Google Play version is still in beta, and even the official website has not yet been set up, but millions of people have already registered and it has received a lot of financial investment.

However, it was recently revealed that Clubhouse uses Agora’s technology for its real-time audio instead of developing it by itself. Neither Clubhouse nor Agora has acknowledged their partnership so far.

Experts test Clubhouse: transmission may not be P2P

Taiwan Intelligent Home (TIH) CEO Pichu Chen said that Agora’s claim that the technology transmits via P2P (peer-to-peer) is basically problematic, or at least that is not what the results he measured with the network packet analysis tool Wireshark show, and he shared his own test results.

When connecting through Chunghwa Telecom’s Optical Generation, all voice packets were transmitted to 45.255.124.0/24 (AOFEI-JP), which is not an IP range of Amazon Web Services (AWS), the cloud industry leader. He presumed that it was Agora’s own server room and, given the record mnt-by: MAINT-YINGDA-CN, that it should be controlled by companies in Hong Kong and Shenzhen.

He said that this network segment, which is essentially controlled by Hong Kong, may also not be on AWS.

Chen Qingyao said no successful point-to-point connections were detected, meaning no packets were sent directly from the user’s phone to other ordinary users’ phones, and no packets were received from any other user’s phone. This result proves that the claimed use of P2P transmission is either technically too poor or actually fake.
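The check described above can be repeated on a capture of one's own traffic. The following is an added example, not code from the article or from the expert: it groups UDP packets by remote endpoint and looks for any host outside the relay prefix that exchanges traffic in both directions. The local address and the packet records are constructed; only the 45.255.124.0/24 prefix comes from the article.

```python
import ipaddress
from collections import defaultdict

# Relay prefix reported in the article; everything else below is constructed.
RELAY_NETS = [ipaddress.ip_network("45.255.124.0/24")]
LOCAL_IP = "192.168.1.23"  # hypothetical address of the phone under test

# Constructed sample of UDP packets: (src, dst, payload_bytes)
SAMPLE_PACKETS = [
    ("192.168.1.23", "45.255.124.17", 172),
    ("45.255.124.17", "192.168.1.23", 168),
    ("192.168.1.23", "45.255.124.17", 180),
    ("45.255.124.40", "192.168.1.23", 164),
    ("192.168.1.23", "192.168.1.1", 60),  # one-way packet to the home router
]

def summarize_peers(packets, local_ip, relay_nets):
    """Group UDP traffic by remote endpoint; record direction and relay membership."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for src, dst, size in packets:
        if src == local_ip:
            stats[dst]["sent"] += size
        elif dst == local_ip:
            stats[src]["received"] += size
    for remote, s in stats.items():
        addr = ipaddress.ip_address(remote)
        s["relay"] = any(addr in net for net in relay_nets)
    return dict(stats)

def direct_peer_candidates(stats):
    """Remote endpoints outside the relay prefixes with traffic in both directions."""
    return sorted(r for r, s in stats.items()
                  if not s["relay"] and s["sent"] > 0 and s["received"] > 0)

def relay_share(stats):
    """Fraction of all bytes that were exchanged with relay-prefix hosts."""
    total = sum(s["sent"] + s["received"] for s in stats.values())
    relay = sum(s["sent"] + s["received"] for s in stats.values() if s["relay"])
    return relay / total if total else 0.0

if __name__ == "__main__":
    stats = summarize_peers(SAMPLE_PACKETS, LOCAL_IP, RELAY_NETS)
    print("direct peer candidates:", direct_peer_candidates(stats))
    print("share of bytes via relay prefix: %.2f" % relay_share(stats))
```

An empty candidate list together with a relay share close to 1 matches the article's observation that every voice packet went to the server range.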

ID information in voice packets could be traced back

Prior to February 8 this year, users in mainland China were able to use Clubhouse without going through a VPN (over the wall) to talk about sensitive topics such as June 4, Taiwan, Hong Kong, Xinjiang and Tibet on the platform, reaching a true sense of “communication with global users.” However, the platform was immediately blocked by the Chinese Communist Party’s Internet firewall.

Chen Qingyao said that originally he only intercepted the packets without decrypting them, so theoretically he should only know that someone connected to Agora’s server and should not know the details of the packets, but after the blocking of Clubhouse on February 8, it became more important to confirm the details of the packet content.

He therefore analyzed the Internet voice packets and found that the user’s ID was “f01a8089” (as in room number f01a8089) when sending and receiving specific chat room messages. Because the packets carry this information, there is a possibility that it will be paired and recorded.

He said that law enforcement agencies can use the packet records to know at what hour, minute and second a certain IP spoke in which room, and as long as the IP is available, there is a way to track down the person who applied for the network connection, so they can also trace back to the person who is speaking.

“I say only as much as the evidence supports. I only use my own account for observation, so I can be sure that if I repeatedly enter a room, there will be a room ID that is fixed to appear.” Chen Qingyao said the room ID does not appear explicitly on Clubhouse’s user interface, so he could not conclude for the time being whether the room ID is exclusive to an individual or a room ID shared across the platform.

He used swiping a credit card as an example: the cashier will see the 16-digit credit card number, so the company can use this to track customers. Swiping with Apple Pay, however, provides a different virtual card number each time, so what the customer spends is not tracked.

He guessed that Agora’s design for privacy is unlikely to go as far as Apple’s, so it is likely that the room ID is shared across the platform, which means that if a cyber police officer wants to know the ID of a room, he just needs to use his account to enter that room and he will know it. But he stressed that because he did not test with a second account, this is pure speculation at this point.

Gossip is OK, but don’t take sensitive content to Clubhouse

In addition, the voice packets Clubhouse uses may not be aligned to 128 bits, meaning that the software may not use the Advanced Encryption Standard (AES, which comes in key lengths of 128, 192 and 256 bits).

Chen Qingyao said that even if the transmitted data is only 8 bits, in order to prevent brute-force cracking of the content, encryption usually still groups data into blocks of at least 128 bits for block encryption. The packets Clubhouse transmits, however, do not seem to be aligned to 128 bits, which means that it may not use the common encryption methods of modern cryptography; the encryption may be self-invented, or the data may not be encrypted at all while being claimed to be encrypted to the public.

He said that from now on friends in China will presumably go to Clubhouse through a VPN. Based on past information, that should connect smoothly, but you do not know which VPNs record packets, so it may be easier to be targeted.
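What a length check of this kind can and cannot show, as an added example that is not from the article or from Clubhouse or Agora: payload lengths that are not multiples of 16 bytes rule out a padded block mode such as AES-CBC, but length-preserving AES modes such as CTR or GCM also produce unaligned lengths, so the result is a hint rather than proof. The sample lengths are constructed and are assumed to cover only the encrypted part of each packet; the 16-byte GCM tag is the common default and is also an assumption.

```python
BLOCK = 16    # AES block size in bytes (128 bits)
GCM_TAG = 16  # assumed tag length; 16 bytes is the common AES-GCM default

# Constructed sample of encrypted-payload lengths in bytes (headers already removed)
SAMPLE_LENGTHS = [87, 92, 101, 79, 96]

def ciphertext_len(plain_len, mode):
    """Ciphertext length produced for a plaintext of plain_len bytes."""
    if mode == "cbc-pkcs7":   # padded block mode: always rounds up to a full block
        return (plain_len // BLOCK + 1) * BLOCK
    if mode == "ctr":         # counter mode: keystream XOR, length preserved
        return plain_len
    if mode == "gcm":         # counter mode plus an authentication tag
        return plain_len + GCM_TAG
    raise ValueError("unknown mode: %s" % mode)

def aligned_fraction(lengths):
    """Share of payloads whose length is a whole number of 128-bit blocks."""
    if not lengths:
        return 0.0
    return sum(1 for n in lengths if n % BLOCK == 0) / len(lengths)

def possible_modes(lengths):
    """AES modes whose output lengths are consistent with every observed length."""
    modes = []
    if all(n > 0 and n % BLOCK == 0 for n in lengths):
        modes.append("cbc-pkcs7")
    modes.append("ctr")       # any length is possible
    if all(n >= GCM_TAG for n in lengths):
        modes.append("gcm")
    return modes

if __name__ == "__main__":
    # A 1-byte (8-bit) plaintext, as in the article's example, under each mode
    for mode in ("cbc-pkcs7", "ctr", "gcm"):
        print(mode, ciphertext_len(1, mode))
    print("aligned fraction:", aligned_fraction(SAMPLE_LENGTHS))
    print("modes not ruled out:", possible_modes(SAMPLE_LENGTHS))
```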

He believes that although there is no direct evidence that Agora has any malicious leakage of user information, there is evidence that Agora may have unintentionally created a privacy weakness, which may allow intermediate ISPs or the government to privately collect user behavior without the consent or prior authorization of Clubhouse or Agora. He said that in obtaining Clubhouse’s authorization, the government could have been able to collect information on user behavior.

He said that until information is obtained from internal staff at Clubhouse or Agora, people can only subjectively trust the privacy policy they promise, but the privacy policies they submitted to Apple and Clubhouse also clearly indicate that they will collect users’ contacts, contact information, usage information, device ID, etc., and link them to the users themselves.

“So users must be careful not to arbitrarily break local laws. For example, it may be okay to discuss marijuana use in California, but sharing marijuana use experiences in Taiwan could potentially be targeted by prosecutors.” Chen Ching-Yao said.

He suggested that if it would not matter to you that the content of your conversation is overheard at the next table in Starbucks, for example gossip, horoscopes, discussing investment experience or sharing music creation, in principle there will be no problem. However, if you really don’t want the government to know the information, it is recommended to use chat software like Telegram, which “has peer-to-peer encryption and has really been audited by information security personnel.”