Stop Whining about WebRTC Security Threats

03/03/2016

It is a waste of time.

Spying

I’ve heard it more than one.  Security threats in WebRTC make it a bad alternative. You have MITM (man in the middle) attacks on it. It leaks IP addresses. You can screen share without the user’s knowledge. The list goes on.

It isn’t the first time I write about WebRTC security and it still pisses me off when I see such answers on Quora:

The WebRTC plugin (which means Web Real-Time Communication) allows to conduct audio and video teleconferencing just in a browser without any additional software installed. However, it reveals the true IP address. How to disable WebRTC in various browsers.

A few things about that one:

  1. WebRTC isn’t a plugin…
  2. Why would you want to disable it?

If you trust Skype or any other VoIP or messaging app more, then you are in for a big surprise.

I read the above Quora answer on the same day I read Troy Hunt’s piece on controlling a Nissan remotely – one that… well… isn’t YOUR Nissan.

The things Nissan got wrong here includes:

  • Having cars get sequential serial numbers, so they are easy to guess
  • Having an undocumented backend API that controls cars remotely – with no authentication on it

I don’t want to go into additional measures they could have added such as geolocation for the origination of the command or throttling to bar hackers from going berserk on their car fleet.

What would a leaked IP address on a WebRTC session in a browser do exactly compared to such stupidity?

The bane of security is developers and processes.

IOT (Internet of Things) is going to bring us many more such stories. That’s because it is based on developers and they make mistakes. Increase that a thousand fold, put it in a heating market where features and gadgets take center role, pushing back privacy and security – and you get hackable cars.

Telephony and video conferencing systems or old are devices sitting in networks. They need to “interoperate”. They have IT people who like controlling how things get deployed and updated. Are you sure these have been configured to work encrypted (I am sure most deployments aren’t). Are you sure the IT person really upgraded to the latest version that patches a bunch of security flaws?

And while we are talking about communications. The router you have at home that gives you WiFi on one end and connects you to the internet via ADSL or whatever on the other end – when did you last upgrade its firmware? Did you ever updated its password from the default? Is your service provider taking care of these things for you by any chance?

Here’s why:

  • It is encrypted. By default. And there’s no way to remove that encryption from occurring (people complain about that one as well – go figure)
  • It gets updated every 6-8 weeks with your browser. That update includes security patches when they are found
  • It now forces (at least on Chrome) the sites using it to run over HTTPS instead of HTTP (did we say encryption?)
  • It has permission mechanisms around camera and microphone access
  • It has stricter permission mechanisms around screen sharing (white listing and extensions)
  • Whenever someone peeps about security – it gets discussed and potentially updated in the implementation. Which gets to your browser in… 6-8 weeks
  • Being a part of Chrome and other browsers means security gets front row and is prioritized properly

Yes. Developers can still do stupid things on top of WebRTC and botch it all, but that’s true about that snazzy new car you just bought or the smart TV that looks at you and hears what you say.

What more do you want?

If I wanted to hack you, WebRTC would be the last place I’d start.

Responses

Jeff - VoipDIY says:
March 3, 2016

Hello Tsahi – your points are well founded and I’m certainly in alignment with your perspective. You were clearly fired-up when you wrote this article… 🙂

We live in such a complicated technological world these days. We are all users of technologies that on one hand we may claim to be power users of, and on the other hand we clearly have only scratched the surface in truly understanding the science behind the technologies we use. The difference between those who know what they are talking about and those who only think they do, is often just a short distance in the learning curve.

I recently purchase a new 2016 Subaru Forester after 23 years of driving a 1992 Honda Civic VX Hatchback. That old car was so reliable – we hated to get rid of it. Everything was mostly mechanical. We totally trusted it. I used to do most of the minor maintenance myself. The thought of driving a brand new car scares the $xxx out of me. Cars are now all so highly computerized from front to back, top to bottom. I’ve been using computers for over 20 years. Computers are always buggy in some way or other. Not only are they buggy, but their are always requiring security patches. If it wasn’t for may PC background, perhaps I wouldn’t be so distrustful and apprehensive of the new computerized cars potential for bugs and security risks. Perhaps my new car fears are unfounded, but perhaps that is just my lack of knowledge of how they really function these days.

I expect those people on Quora who express their security fears of WebRTC are in the camp of those who know just enough to be fearful of the unknown. And, those who advise on disabling or not using WebRTC know just enough to encourage the spread unfounded fears.

You are doing your part in helping dispel those fears…
Keep up the good work!

Reply
keeggolb says:
July 21, 2016

We know that without end-to-end authentication, man-in-the-middle attacks on WebRTC are trivially easy to perform wholesale, for mass collection of data. It’s designed that way.

You seem to be saying “Yes, this protocol is insecure, but it doesn’t matter because so are many others.” That could be said of each and every one of them and nothing would improve. “Hey, it doesn’t matter that the lock on your front door is no good, because someone can climb over your back fence and force open my kitchen window.”

Your list of good things about WebRTC boils down to:
Encryption (but authentication is missing)
Security-updates
Permissions-system

Those are essential in any communications software.

For secure audio conversations over the net, I’d look at Signal, from Open Whisper Systems: Moxie Marlinspike etc. (it doesn’t handle video at present).

WebRTC enhanced with ZRTP (or other user-to-user authentication) might be good.

For audio/video/text, another option might be the Tox protocol, but I’ve not yet looked into how well it lives up to its goals, or how well written (and maintained) the implementations are.

Reply
    Tsahi Levent-Levi says:
    July 21, 2016

    Thanks. The idea is that WebRTC enables you to write secure systems – and in that, it is far more advanced than anything out there that is available to developers.

    Reply

Comment