Stop Whining about WebRTC Security Threats

It is a waste of time.

I've heard it more than one.  Security threats in WebRTC make it a bad alternative. You have MITM (man in the middle) attacks on it. It leaks IP addresses. You can screen share without the user's knowledge. The list goes on.

It isn't the first time I write about WebRTC security and it still pisses me off when I see such answers on Quora:

The WebRTC plugin (which means Web Real-Time Communication) allows to conduct audio and video teleconferencing just in a browser without any additional software installed. However, it reveals the true IP address. How to disable WebRTC in various browsers.

A few things about that one:

1. WebRTC isn't a plugin...
2. Why would you want to disable it?

If you trust Skype or any other VoIP or messaging app more, then you are in for a big surprise.

I read the above Quora answer on the same day I read Troy Hunt's piece on controlling a Nissan remotely - one that... well... isn't YOUR Nissan.

The things Nissan got wrong here includes:

• Having cars get sequential serial numbers, so they are easy to guess
• Having an undocumented backend API that controls cars remotely - with no authentication on it

I don't want to go into additional measures they could have added such as geolocation for the origination of the command or throttling to bar hackers from going berserk on their car fleet.

What would a leaked IP address on a WebRTC session in a browser do exactly compared to such stupidity?

The bane of security is developers and processes.

IOT (Internet of Things) is going to bring us many more such stories. That's because it is based on developers and they make mistakes. Increase that a thousand fold, put it in a heating market where features and gadgets take center role, pushing back privacy and security - and you get hackable cars.

Telephony and video conferencing systems or old are devices sitting in networks. They need to "interoperate". They have IT people who like controlling how things get deployed and updated. Are you sure these have been configured to work encrypted (I am sure most deployments aren't). Are you sure the IT person really upgraded to the latest version that patches a bunch of security flaws?

And while we are talking about communications. The router you have at home that gives you WiFi on one end and connects you to the internet via ADSL or whatever on the other end - when did you last upgrade its firmware? Did you ever updated its password from the default? Is your service provider taking care of these things for you by any chance?

Here's why:

• It is encrypted. By default. And there's no way to remove that encryption from occurring (people complain about that one as well - go figure)
• It gets updated every 6-8 weeks with your browser. That update includes security patches when they are found
• It now forces (at least on Chrome) the sites using it to run over HTTPS instead of HTTP (did we say encryption?)
• It has permission mechanisms around camera and microphone access
• It has stricter permission mechanisms around screen sharing (white listing and extensions)
• Whenever someone peeps about security - it gets discussed and potentially updated in the implementation. Which gets to your browser in... 6-8 weeks
• Being a part of Chrome and other browsers means security gets front row and is prioritized properly

Yes. Developers can still do stupid things on top of WebRTC and botch it all, but that's true about that snazzy new car you just bought or the smart TV that looks at you and hears what you say.

What more do you want?

If I wanted to hack you, WebRTC would be the last place I'd start.

Learn more about WebRTC security