When the Web(RTC) Spies on You

WebRTC may be a great technology, but by giving remote web servers access to cameras and speakers it poses a real security risk.

WebRTC is a great technology. It enables web developers to make use of the camera and microphone of the laptop (or device) and even handle media processing in real time. You can do cool tricks with it: video processing on the server side to deal with face recognition, object detection, etc.

But it brings with it another aspect: it is the Trojan horse of the browser – a spy in every device.

You do get that nice Allow/Deny buttons on Chrome when WebRTC tries to access the camera, but that's only from one of the recent alpha releases of it. and even then, I think this is the first time that native browser technology gets such strength and allowing server side web applications to spy on its users.

Need convincing?

See this nice video of a demo – it uses the camera to decide how light or dark the room is and adjusts the web page's background accordingly:

http://www.youtube.com/watch?v=4xUADQkuuX0

I don't know about you, but this one got me spooked and thinking about this technology.

The things to think about here:

• Browser developers should take some extra care with this tech. I think I mentioned something about developers and security the other day…
• Application developers should give me a damn good reason to let them access my local camera – especially now when developing video calling apps is becoming a commodity
• It is only time until rogue web apps will start analyzing web cam data through browsers