WebRTC is an open-source project that provides browsers and mobile applications with real-time communications capabilities via simple APIs. It allows for real-time audio/video calls, web conferencing, and direct data transfers between browsers. While WebRTC has encryption and permissions to protect users, security issues still exist, such as the potential for JavaScript injection, signaling server takeovers, and IP address leaks. The document outlines best practices for WebRTC security such as secure signaling, user authentication, clear permission requests, and fallback measures in case of compromise.
2. What is WebRTC?
WebRTC is a free, open project that provides browsers
and mobile applications with Real-Time Communications
(RTC) capabilities via simple APIs.
>> that’s correct, it’s right in your browser!
7. WebRTC: Media
• Encrypted P2P connection between browsers
• Steps for setting the media path up:
• Exchange of media parameters (SDP)
• Exchange of network parameters
• UDP hole punching
• STUN (Session Traversal Utilities for NAT)
• TURN (Traversal Using Relays around NAT)
• ICE (Interactive Connectivity Establishment)
9. UDP hole punching
• Simple but not always applicable (e.g. symmetric NATs)
Browser A Browser B
NAT / Firewall NAT / Firewall
Public server (S)
N:P2 M:P4
1. A à N à M : A:P1 ⇄ N:P2
2. B à M à N : B:P3 ⇄ M:P4
3. N:P2, M:P4 à S
4. A:P1, B:P3 ⇄ S (P2, P4)
5. A:P1 à M:P4 à B
B:P3 à N:P2 à A
A ⇄ B
A:P1 B:P3
10. What about other scary acronyms?
• STUN
• To collect your local network setup (local IPs,
local subnets, NAT configuration…)
• TURN
• To relay your media connection if P2P fails
• ICE
• Bundles all STUN/TURN info for exchange via the
signaling channel and probing until pair works
11. WebRTC API
• getUserMedia(): capture audio and video
• MediaRecorder*: record audio and video
• RTCPeerConnection: stream audio and video
between users
• RTCDataChannel: stream data between users
“Be skeptical of reports that a platform 'supports WebRTC'. Often this actually just
means that getUserMedia is supported, but not any of the other RTC components”
19. WebRTC security: browser
• Direct data transfer between peers e.g. in chat
• … might equal to a complete takeover of the victim’s context
in case of XSS
• ... as well as leads to obtaining internal addresses of your
counterparts (more soon)
• ... and facilitates direct transfers of malware
• Additional considerations:
• Poor registration mechanisms ~ access and abuse
• Poor session termination ~ session reuse
20. WebRTC security: Android client
• Installation permissions
• Malware to capture private info about the user
• Data storage
• Malicious app could steal data from WebRTC-powered app
• Network interception
• Credentials could be sent over HTTP beforehand
• UI phishing / malware
21. WebRTC security: in between
• Signaling server takeover
• MiTM via fake user or creation of “invisible” one? ;)
• Or simply crashing it and bringing chaos
• Registration hijacking
• Capture/change IP addresses to forward calls to attacker’s server
• DoS against user’s device
• Race conditions (overriding legitimate REGISTER requests)
• Replay attacks
28. IP location privacy: scan your LAN!
Framework for developing exploits using WebRTC – sonar.js
• Enumerate hosts on internal network
• Fingerprint devices using onload() events and known
CSS/images
• Using pre-set DB of exploits for devices, launch them
against detected one
https://thehackerblog.com/sonar-a-framework-for-scanning-and-exploiting-internal-hosts-with-a-webpage/
Unlike most real-time systems (e.g. SIP), WebRTC communications are directly controlled by some Web server, via a JavaScript API.
Unlike most real-time systems (e.g. SIP), WebRTC communications are directly controlled by some Web server, via a JavaScript API.
Two major paths: signaling and media
Signaling is the process of coordinating communication. In order for a WebRTC application to set up a 'call', its clients need to exchange information:
- Session control messages used to open or close communication.
- Error messages.
- Media metadata such as codecs and codec settings, bandwidth and media types.
- Key data, used to establish secure connections.
- Network data, such as a host's IP address and port as seen by the outside world.
This signaling process needs a way for clients to pass messages back and forth.
Build It Yourself!
As of today SDP is widely used in the contexts of Session Initiation Protocol (SIP), Real-time Transport Protocol (RTP), and Real-time Streaming Protocol (RSP).
With that, once the SDP session descriptions have been exchanged via the signaling channel, both parties have now negotiated the type of streams to be exchanged, and their settings. We are almost ready to begin our peer-to-peer communication! Now, there is just one more detail to take care of: connectivity checks and NAT traversal.
https://www.safaribooksonline.com/library/view/high-performance-browser/9781449344757/ch18.html
N/A for symmetric NAT (restrictions to receive)
Пользователь А отправляет пакет с порта P1 на M, и неважно, какой порт. Пакет игнорируется устройством М, но на устройстве N появляется временная таблица соответствия A:P1 с P2. Аналогично, B отправляет пакет с порта P3 на M. Пакет игнорируется устройством N, но на устройстве M появляется временная таблица соответствия B:P3 с P4. A и B отправляют аналогичные пакеты на S, и S узнает порты P2 и P4. A и B связываются с S и сообщают ему порты P1 и P2, а он им сообщает все, что знает. Подготовка проведена.
Теперь A может отправлять пакет с A:P1 на M:P4 - и он будет переправлен на B. Аналогично, пакет с B:P3 на N:P2 может быть переправлен на A.
You could run your own server with a custom protocol, our you could use STUN and existing STUN servers. (Only a few packets are needed for setup, the rest are peer-to-peer).
Of course, some NAT firewalls are incompatible with the above, so you may need a custom protocol. Bittorrent does this: they use different techniques depending on which clients are behind firewalls and whatnot.
ICE : A protocol for establishing direct connectivity once STUN or TURN address candidates are obtained..
offer/answer ICE candidates b/w peers. Used for establishing a connection between peers over the internet. By trying all possibilities in parallel, ICE is able to choose the most efficient option that works. ICE first tries to make a connection using the host address obtained from a device's operating system and network card; if that fails (which it inevitably will for devices behind NATs) ICE then obtains an external address using a STUN server. If that also fails, traffic falls back to routing via a TURN relay server.
The key difference between STUN and TURN is that media will travel directly between both endpoints if STUN is used, whereas media will be proxied through the server if TURN is utilized.
https://www.webrtc-experiment.com/docs/STUN-or-TURN.html
Симметричный NAT (Symmetric NAT) — Трансляция, при которой каждое соединение, инициируемое парой «внутренний адрес: внутренний порт» преобразуется в свободную уникальную случайно выбранную пару «публичный адрес: публичный порт». При этом инициация соединения из публичной сети невозможна. ЗДЕСЬ STUN НЕ ПРОЙДЕТ!!!
Cone NAT, Full Cone NAT — Однозначная (взаимная) трансляция между парами «внутренний адрес: внутренний порт» и «публичный адрес: публичный порт». Любой внешний хост может инициировать соединение с внутренним хостом (если это разрешено в правилах межсетевого экрана).
https://www.html5rocks.com/en/tutorials/webrtc/basics/#toc-history
The RTCPeerConnection object accepts a conf parameter, which we will cover later in these tutorials. The onaddstream event is fired when the remote user adds a video or audio stream to their peer connection.
Trusted computer base:
We need to understand it’s not a plugin and is built-in the browser (frequent updates, no malware as could be in 3rd party apps). In order to access camera/voice/record, user has to give explicit permissions
Signaling: HTTP, SIP and media: RTP
Plus, secure certificate exchange (since unsigned, first sent via signaling channel, and then via media, and then compared)
tools.ietf.org/html/draft-ietf-rtcweb-security-08
https://www.netscan.co/blog/webrtc-security-just-how-secure-is-web-real-time-communication/
Secure signaling: encryption (SIPS, OpenSIP, HTTPS or WSS). WebRTC does not impose any constraints on the signalling process, rather leaving the developer to decide upon their own preferred method
Authentication and peer monitoring: by default no auth/pre-registration, WebRTC app requires only a user's ID in order to perform a call.
Permission requests: users often click ”yes” – idea would be to clearly detail what kind of permissions are needed
MitM: monitoring media path for suspicious relays + encrypted signaling
Screensharing: before initiating the streaming of any part of the screen, the user should be properly notified and advised to close any screen containing sensitive information.
Fallback measures: if it is confirmed the call is compromised by unauth party, it should be within the power of Web Application server rendering the WebRTC capable page to cut off the call.