Webinar WebRTC security concerns, a real problem?
My name is Elías Pérez and together with my colleagues Iago Soto and Antón Román, we are going to talk about WebRTC and security for 40-45 minutes.

In this slide you can review the agenda of this webinar.
Iago Soto is going to introduce the problem of security in WebRTC and is going to mention traditional VoIP attacks that are going to be present in WebRTC services.

Later, our CTO, Antón Román, is going to talk about ad-hoc WebRTC attacks and protection mechanisms.
Finally, we are going to close with an overview of identity management solutions and we will leave time to your questions.

Please, feel free to use the chat tool of GoToWebinar to send us your questions during this webinar.
At the end, we will try to answer them.



Now it’s the turn of Iago Soto, who will try to answer this suggestive question.


Thank you very much Elias.


I understand that part of our audience has a strong background in WebRTC, so I am going to pass quickly through the description of the technology.

WebRTC is called to be the next big thing in unified communications during the next years, as Web browsers will be able to manage voice and video communication in a native way, with no plugins, extensions or applications to be installed.

WebRTC is promoted by Google and is being standardized by W3C and IETF in a coordinated way.
WebRTC technology was initially designed with browser-to-browser real-time communication in mind, but it can be used in conjunction with different kinds of servers to provide additional services such as connection to the PSTN.

The independence from the platform or the type of device, together with the fact that there is no need to install or update anything, is going to make adoption by end users easier. This represents a big opportunity for the industry, but (!!!) could be the base of new security holes that we will try to explain here.


WebRTC is independent of the device, so it could be the best enabler or the base to create the new business strategy for service providers and internet companies.
WebRTC adoption is increasing because it can be used in different devices like:

Desktops and laptops, that were the first adopters of WebRTC services.
The use of WebRTC makes sense in enterprise and residential cases, because there is no need to install or upgrade anything and it is independent of the operating system that is being used.
Additionally, most recent devices include a webcam and mic, so the adoption is really fast.

Since Google for Android supports WebRTC, tablets have become a new device for real time communications, taking into consideration that these devices have a microphone and camera, are mobile and include a wide screen to extend collaboration environments that could not be deployed in smartphones.
In addition, netbooks like Chromebook are a new type of low-cost laptops that only run web browsers but can be great for the use of WebRTC services.

  1. Agenda
     - WebRTC and security?
     - VoIP attacks
     - WebRTC vulnerabilities
     - Protection
     - Identity Management
     - Questions and answers
     Iago Soto Mata (@iagosoto), Antón Román (@antonroman), Elías Pérez Carrera (@epcarrera)
  2. WebRTC and security?
  3. WebRTC. Features. Open system, no proprietary implementations. No plugins! Multi-platform...
  4. WebRTC. Features. Multidevice:
     ○ Desktop and laptops
     ○ Tablets and notebooks
     ○ Smartphones
     ○ Mozilla FirefoxOS devices
     ○ Set-Top-Boxes and WebTVs
     More information about WebRTC is available:
  5. WebRTC. Use cases. More information about use cases available here:
     Corporate:
     ○ Audio webclients for IMS, NGN, MS Lync, Cisco, etc.
     ○ Video webclients for conference bridges
     ○ Click to call (click to video/chat) solutions
     ○ Contact center solutions
     Residential:
     ○ OTT services
     ○ Audio webclients for residential users
     ○ Webchats
     ○ Vertical applications (ehealth, ...)
     ○ Extended RCS/Joyn services
  6. WebRTC. Architecture. New potential weak elements in the UC networks in terms of security:
     ○ Web Server
     ○ WebRTC gateway
     ○ Laptop/desktop used as endpoint
  7. Efforts in WebRTC security. RFC Draft: Security considerations for RTC-Web. WebRTC inherits part of the potential VoIP attacks and adds new threats:
     ○ New network elements to be hijacked, etc.
     ○ Open communications (new open ports, etc.)
     ○ Privacy issues through access to microphones and cams.
  8. VoIP attacks
  9. VoIP attacks. Introduction. Types of VoIP attacks:
     1. Denial of service
     2. Fraud
     3. Illegal interception
     4. Illegal control
     A VoIP attack causes an immediate economic damage for the attacked entity and a direct economic profit to the attacker. This does not occur with other types of attacks. (VoIP security)
  10. VoIP attacks. Denial of service. The aim of a DoS attack is to degrade the quality of the service perceived by the user by means of the massive delivery of messages that require the use of resources (CPU, bandwidth or memory) in the attacked system. Examples: a flood of register requests or calls in a softswitch or switchboard, which can pretend:
     ■ A simple failure of the service.
     ■ An attack for telephone fraud.
     Other "non intentional" attacks should also be taken into account:
     ■ Flood after a power blackout.
     ■ Bugs in terminals.
     ■ Viruses.
  11. VoIP attacks. Fraud. An attacker registers in the system with a valid user (discovers the password, alters an IP, etc.) with the aim of making calls to international numbers. CFCA estimates 40 billion USD annually. They are not only calls through the network. Sometimes the attacker obtains remote access to a SIP proxy or softswitch that it can use to originate illegal calls by console.
     ● These attacks cause not only economic losses. Sometimes the legitimate user has to pay the bill!!
     ● In most cases, it is difficult to determine the responsibility (customer or operator) for the attacks.
  12. VoIP attacks. Illegal interception. Because of the IP nature, it is simpler for potential attackers to capture signalling and media traffic to obtain information (audio of the call, other information exchanged in the call, etc.). As traditional VoIP SIP traffic is unencrypted, this is more dangerous in Wi-Fi networks where traffic is not encrypted. WebRTC uses encrypted traffic for signalling and media, so interception could only be done in the endpoints or the media gateway.
  13. VoIP attacks. Illegal control. If an attacker obtains the credentials of a user or an administrator, he has absolute control:
     ● Can be used to make calls with high costs, causing losses to the service provider and/or end customer.
     ● Hijacked lines can be used to terminate calls of other customers to which the attacker sells services.
     ● For illegal activities, it makes the judicial follow-up of the calls more difficult.
  14. WebRTC vulnerabilities
  15. Access to devices. Threats. HTML and JS scripts are executed by the browser in a "sandbox" designed to be isolated from the rest of the computer. However, bugs may exist. The WebRTC API needs to access physical devices which will provide real-time media information (and files). THREAT: web pages access the user's camera and microphone without permission.
  16. Access to devices. Threats. Users can potentially be recorded with JavaScript code downloaded from a malicious web server. (Diagram: malicious web server, malicious script, SRTP.)
  17. Websocket. Websocket (RFC6445) provides a full-duplex socket between a browser and a server. It's just a TCP socket upgraded from an HTTP handshake. A standardized way for the server to send content to the browser without it being solicited by the client. (Image from http://blog.kaazing.com; image from http://stackoverflow.com)
  18. Websocket DoS. Threats. Websocket allows cross-origin connections. DDoS attacks can be implemented in a Web-oriented way. (Diagram: Browser 1 ... Browser N, each loading a malicious script over HTTP from a malicious web server and opening websockets to the attacked server.)
  19. Websocket cross-protocol attack. Threats. A malicious script could potentially inject code which is valid in HTTP, poisoning HTTP intermediaries (e.g. an HTTP proxy). This is avoided natively by the WebSocket RFC. http://tools.ietf.org/agenda/80/slides/hybi-2.pdf
  20. SIP over WS. SIP traffic can be sent over Websocket: data is sent over a TCP socket without any encryption. Equivalent to SIP over UDP/TCP. By default it implements digest authentication; however, it has a number of disadvantages:
     ● Several security options (like qop for integrity) are optional.
     ● Vulnerable to man-in-the-middle attacks.
     Sending the messages in plain text is not a good idea: it can be authenticated, but there is no privacy or integrity. SDES negotiated over plain-text messages is totally useless.
  21. Protection
  22. SIP over WSS. SIP traffic can be sent over Secure Websocket: data is sent over a TLS socket. Equivalent to SIP over TLS. TLS provides privacy and integrity. It also provides server authentication, and client authentication if a client certificate is provided. If the client certificate is signed by a Trusted Certification Authority (CA), the real-time communication can have legal value.
  23. Access to devices. Protections. The WebRTC standard requires that access to devices be notified to the user. The browser notifies the user that a tab is currently accessing media devices, with a blinking red spot in Chrome.
  24. Access to devices. Protections. Showing their own video to the user helps them be aware that the browser is accessing the cam and mic. It also helps to check if you got your hair done right ;-) Applications should prevent the user from automatically clicking on the permission pop-up.
  25. Access to devices. Protections. Other WebRTC features like screen sharing could get you in trouble if they are not properly notified to the user.
  26. Protection. SDES vs DTLS-SRTP. SIP devices normally implement RTP encryption using SRTP with SDES. They exchange the key in the SDP protocol. It requires signaling to be encrypted >> TLS. It is not mandatory (optional) for / Implemented by / Not implemented by: (vendor logos). WebRTC forces audio encryption.
  27. Protection. SDES vs DTLS-SRTP. DTLS-SRTP manages the SRTP key exchange within the RTP flow before starting media. This is done using DTLS, a version of TLS based on datagrams. Keys are not exchanged in the SDP protocol. It protects the RTP flow even if signaling is not encrypted. It is mandatory for / Implemented by / Not implemented by: (vendor logos).
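The difference between slides 26 and 27 is visible in the SDP itself: DTLS-SRTP shows up as `a=fingerprint` plus `a=setup`, SDES as `a=crypto` lines carrying the key inline. The following added example (not code from the slides or from Quobis) audits an SDP and flags the two risky combinations the deck warns about: plain RTP, and SDES keys carried over signaling that is not encrypted (slide 20). The two SDP bodies are constructed, with a dummy fingerprint and key.

```javascript
// Added example, not from the Quobis slides: classify how each m= section of an SDP
// protects RTP (DTLS-SRTP, SDES or nothing) and report what a defender should worry about.

// Split an SDP into session-level lines and one line array per m= section.
function parseSdp(sdp) {
  const session = [];
  const media = [];
  let current = session;
  for (const line of sdp.split(/\r?\n/).filter(Boolean)) {
    if (line.startsWith("m=")) { current = []; media.push(current); }
    current.push(line);
  }
  return { session, media };
}

function classifyMedia(sessionLines, mediaLines) {
  const all = [...sessionLines, ...mediaLines]; // session-level attributes apply to every m= line
  const fields = mediaLines[0].split(" ");
  const kind = fields[0].slice(2);      // "audio" / "video"
  const proto = fields[2];              // e.g. "UDP/TLS/RTP/SAVPF", "RTP/SAVP", "RTP/AVP"
  const hasFingerprint = all.some((l) => l.startsWith("a=fingerprint:"));
  const hasSetup = all.some((l) => l.startsWith("a=setup:"));
  const sdesKeys = mediaLines.filter((l) => l.startsWith("a=crypto:")).length;
  let mechanism = "none";
  if (hasFingerprint && hasSetup) mechanism = "DTLS-SRTP";
  else if (sdesKeys > 0) mechanism = "SDES";
  return { kind, proto, mechanism, sdesKeys };
}

// signalingEncrypted: true when the SDP travelled over WSS/TLS. SDES keys over plain-text
// signaling are readable by anyone who can see the signaling (slide 20's point).
function auditSdp(sdp, signalingEncrypted) {
  const { session, media } = parseSdp(sdp);
  return media.map((m) => {
    const c = classifyMedia(session, m);
    const findings = [];
    if (c.mechanism === "none") findings.push("unencrypted RTP");
    if (c.mechanism === "SDES" && !signalingEncrypted) findings.push("SRTP key exposed in plain-text signaling");
    if (c.mechanism === "SDES" && !/SAVPF?$/.test(c.proto)) findings.push("a=crypto present but media profile is not SAVP");
    return { ...c, findings };
  });
}

// Constructed SDP samples (not captured from a real session). Fingerprint and key are dummies.
const WEBRTC_OFFER = [
  "v=0", "o=- 1 1 IN IP4 0.0.0.0", "s=-", "t=0 0",
  "a=fingerprint:sha-256 AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99",
  "a=setup:actpass",
  "m=audio 9 UDP/TLS/RTP/SAVPF 111", "a=rtpmap:111 opus/48000/2",
].join("\r\n");

const SIP_PHONE_OFFER = [
  "v=0", "o=- 2 2 IN IP4 0.0.0.0", "s=-", "t=0 0",
  "m=audio 20000 RTP/SAVP 0",
  "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:EXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY",
  "m=video 20002 RTP/AVP 96", "a=rtpmap:96 H264/90000",
].join("\r\n");
```

A gateway between a browser and a SIP PBX is where both styles meet; running `auditSdp` on what each side sends (with `signalingEncrypted` set from the actual transport) is a quick way to confirm that the "WebRTC forces audio encryption" guarantee does not stop at the gateway.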
  28. Websocket poisoning. Protection. (Diagram: browser, websocket, server. Source: http://tools.ietf.org/agenda/80/slides/hybi-2.pdf)
     Browser-To-Server: <Websocket opening handshake string>*u0!GDDD&GIO[[[ONx<[&BM#>;:$MMGGDDDF4xOFDA@E6XU7$&UU<U<!4U6UY&0OY X$%CIOCBM#HNXDWBK69E
     Server-To-Browser: SIP/2.0 200 OK Via: SIP/2.0/WS NO72tU858jVE.invalid;branch=z9hG4bKFhlN824OuTkQrgQl7FD8t1ejvP080E;rport=48095;received=46.25.57.69
  29. DDoS. Protection. DoS and DDoS protections are pretty similar to those implemented in web servers. Attacks can potentially be launched from thousands of browsers. Signaling is going to be received via TCP/TLS: WS, WSS, REST APIs, etc. Typical attack vectors (SYN flood, RESET attack, etc.) must be stopped as soon as possible to limit the resource exhaustion which causes a denial of service. WebRTC gateways/servers will normally be exposed to the Internet listening on well-known ports (443 and 80).
  30. ICE. Protection. ICE (RFC5245) allows RTP flows to traverse NAT routers. It finds the best path for RTP/RTCP traffic. STUN is used to find out the paths to send the RTP flow. ICE includes a handshake designed to verify that the receiving element wishes to receive traffic from the sender. This identifier and password are created by the browser and used during the ICE negotiation. The scripts running on the browsers must send this identifier to each other. The callee can be sure that
  31. Testing your network. Protections.
     - It is a good practice to test your network with automatic tools to find vulnerabilities.
     - It is a common practice in many IT fields.
     - They implement the most common attack vectors you can suffer and allow you to check your protections against them.
     Quobis has developed Bluebox, a node.js-based tool which allows you to implement common as well as sophisticated attacks, even over WS and WSS.
  32. Monitoring. Protection. It is possible to monitor all the traffic, similar to standard SIP. As with SIP over TLS, if WSS (secure Websockets) is used, monitoring should be done at the edges (most usually in the server). Additional measures can be applied:
     - IP geolocation.
     - Access URL.
     - Browser info.
     - ...
  33. ID management
  34. Identity management. OpenID vs IdentityCall. By default, WebRTC does not define any authentication method, so different identity management solutions could be deployed:
     ● Anonymous calls
     ● Third party companies
     ● Third party entities
     ● Telco authentication
     ● Strong or two-factor authentication
  35. Identity management. OpenID vs IdentityCall. Makes it possible to be sure of the identity using a third party. Adds a second factor of authentication because we validate the device (smartphone or PC) and the credentials are sent encrypted in a SIP signalling packet.
  36. Identity management. IdentityCall
  37. Summary
  38. What we have learned
     ● Legacy VoIP attacks could also be important in WebRTC.
     ● Access to mic/cam can cause damage.
     ● Beware of phishing in web servers.
     ● WebRTC provides security by default (mandatory encryption, access permissions, etc.).
     ● SBCs and monitoring tools can help.
     ● Authentication is a must!!!
  39. Our offering: SIPPO. SIPPO is the first enterprise-grade WebRTC HTML5 communicator, supporting audio, video and instant messaging with presence support. SIPPO has been built on top of QoffeeSIP, so it can be connected to any SIP PBX to provide a complete communication experience just by using a web browser. Coming soon:
     - File transfer
     - Desktop sharing
     - LDAP integration
     - oAuth support
     - Local call recording
     Download the datasheet here
  40. Try it yourself!
     Basic WebRTC demo: http://webrtc.quobis.com
     Open WebRTC client: http://webrtc.quobis.com/opendemo
     Online meetings with WebRTC: http://meetings.quobis.com
     Sippo (with PSTN connectivity): http://sippo.quobis.com
  41. Iago Soto Mata, CMO, @iagosoto, iago.soto@quobis.com. Antón Román, CTO, @antonroman, anton.roman@quobis.com. Elías Pérez Carrera, CEO, @epcarrera, elias.perez@quobis.com. See you in / Any questions?