WebRTC & security: 101 OWASP Wroclaw #4 Alexander Antukh


What is WebRTC?

WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.

>> that’s correct, it’s right in your browser!

Real-time what?

• Real-time audio and/or video calls
• Web conferencing
• Direct data transfers

WebRTC ITW

• WhatsApp
• Facebook Messenger
• Tons of web chats
• And many more!

http://www.webrtcworld.com/webrtc-list.aspx

WebRTC architecture

WebRTC: Signaling

• Signaling in three words: exchange of metadata
• Signaling server:
  • Loads client-side context (JS code)
  • Mediates control messages and metadata between endpoints
• Signaling protocol is not specified (BIY)

WebRTC: Media

• Encrypted P2P connection between browsers
• Steps for setting the media path up:
  • Exchange of media parameters (SDP)
  • Exchange of network parameters
  • UDP hole punching
• STUN (Session Traversal Utilities for NAT)
• TURN (Traversal Using Relays around NAT)
• ICE (Interactive Connectivity Establishment)

SDP: Session Description Protocol

• Initialization parameters for streaming media
• Session announcement
• Session invitation
• Parameter negotiation (multimedia types, codecs, ...)

UDP hole punching

• Simple but not always applicable (e.g. symmetric NATs)

UDP hole punching diagram (figure; text recovered from the slide):

  Browser A (A:P1) -- NAT/Firewall N (N:P2) -- Public server (S) -- NAT/Firewall M (M:P4) -- Browser B (B:P3)

  1. A → N → M:  A:P1 ⇄ N:P2
  2. B → M → N:  B:P3 ⇄ M:P4
  3. N:P2, M:P4 → S
  4. A:P1, B:P3 ⇄ S (P2, P4)
  5. A:P1 → M:P4 → B
     B:P3 → N:P2 → A
     A ⇄ B

What about other scary acronyms?

• STUN
  • To collect your local network setup (local IPs, local subnets, NAT configuration…)
• TURN
  • To relay your media connection if P2P fails
• ICE
  • Bundles all STUN/TURN info for exchange via the signaling channel and probing until a pair works

WebRTC API

• getUserMedia(): capture audio and video
• MediaRecorder*: record audio and video
• RTCPeerConnection: stream audio and video between users
• RTCDataChannel: stream data between users

“Be skeptical of reports that a platform 'supports WebRTC'. Often this actually just means that getUserMedia is supported, but not any of the other RTC components”

WebRTC API: getUserMedia()

  navigator.getUserMedia = navigator.getUserMedia ||
                           navigator.webkitGetUserMedia ||
                           navigator.mozGetUserMedia;

  var constraints = {audio: false, video: true};
  var video = document.querySelector('video'); // <video> element that displays the capture
  …
  function successCallback(stream) {
    window.stream = stream; // stream available to console
    if (window.URL) {
      video.src = window.URL.createObjectURL(stream);
    } else {
      video.src = stream;
    }
  }
  function errorCallback(error) {
    console.log('getUserMedia error: ', error); // e.g. permission denied, no camera
  }
  …
  navigator.getUserMedia(constraints, successCallback, errorCallback);

WebRTC API: RTCPeerConnection

• Responsible for managing the full life-cycle of each P2P connection and encapsulates all the connection setup, management, and state within a single easy-to-use interface
• Connection initiation: SDP description exchange
• After it is established: sending of real-time audio and video data as a bitstream

  var conf = {iceServers: []}; // RTCConfiguration: list your STUN/TURN servers here
  var conn = new RTCPeerConnection(conf);
  conn.onaddstream = function (event) {
    var stream = event.stream; // the handler receives an event; the MediaStream is event.stream
    // use stream here
  };

WebRTC API: RTCDataChannel

• Enables peer-to-peer exchange of arbitrary data, with low latency and high throughput
• Features:
  • Leveraging of RTCPeerConnection session setup
  • Multiple simultaneous channels, with prioritization
  • Reliable and unreliable delivery semantics
  • Built-in security (DTLS) and congestion control
  • Ability to use with or without audio or video

Try my *bear: https://www.cubeslam.com/dcegjx

WebRTC API: RTCDataChannel

  var PeerConnection = window.RTCPeerConnection || window.webkitRTCPeerConnection;
  var servers = null; // ICE configuration; null is enough for a same-machine demo
  var pc = new PeerConnection(servers, {optional: [{RtpDataChannels: true}]});
  var receiveChannel, sendChannel;

  pc.ondatachannel = function (event) {
    receiveChannel = event.channel;
    receiveChannel.onmessage = function (event) {
      // textContent, not innerHTML: data from the remote peer is untrusted, and
      // assigning it to innerHTML would let that peer inject HTML/JavaScript
      document.querySelector("div#receive").textContent = event.data;
    };
  };

  sendChannel = pc.createDataChannel("sendDataChannel", {reliable: false});

  document.querySelector("button#send").onclick = function () {
    var data = document.querySelector("textarea#send").value;
    sendChannel.send(data);
  };

WebRTC API: MediaRecorder

https://webrtc.github.io/samples/src/content/getusermedia/record/

• Introduced back in Sep 2016 (still experimental)
• Sample recording functionality:
  • mediaRecorder.start()
  • mediaRecorder.stop()
  • mediaRecorder.ondataavailable → recordedBlobs.push(event.data)
  • … and then make it available for play/download
• Example of recorded video object link: blob:https://webrtc.github.io/4d25f90a-244b-4e1c-9495-e5f21074aab9

WebRTC: security perspective

• Browser acts as TCB
  • Natural part of it, not a plugin
  • Frequent updates
  • Permissions (explicit user consent*)
• Enforced encryption
  • RTP is explicitly forbidden
  • End-to-end encryption between peers
  • Mandatory HTTPS + DTLS/SRTP

WebRTC: security perspective

What could go wrong?

• What are the effects of JavaScript/HTML injection?
• Can we steal WebRTC credentials?
• Can we steal privileged information about a client?
• What are the effects of taking over a signaling server?
• Can we crash the server, or render it unresponsive?
• What information can be extracted?
• Can we cause a client to connect to a rogue network?

WebRTC security: browser

• Direct data transfer between peers, e.g. in chat
  • …might equal a complete takeover of the victim’s context in case of XSS
  • …as well as leads to obtaining internal addresses of your counterparts (more soon)
  • …and facilitates direct transfers of malware
• Additional considerations:
  • Poor registration mechanisms ~ access and abuse
  • Poor session termination ~ session reuse

WebRTC security: Android client

• Installation permissions
  • Malware to capture private info about the user
• Data storage
  • Malicious app could steal data from WebRTC-powered app
• Network interception
  • Credentials could be sent over HTTP beforehand
• UI phishing / malware

WebRTC security: in between

• Signaling server takeover
  • MiTM via fake user or creation of an “invisible” one? ;)
  • Or simply crashing it and bringing chaos
• Registration hijacking
  • Capture/change IP addresses to forward calls to attacker’s server
  • DoS against user’s device
  • Race conditions (overriding legitimate REGISTER requests)
• Replay attacks

WebRTC security: authentication

• Signaling server should not be trusted, and it should be possible to perform authentication independently

Identity Providers (Facebook Login, BrowserID, OAuth) provide auth for users without participation of the signaling server

WebRTC: additional considerations

• Screen (over)sharing
• Privacy issues in SRTP
• IP location privacy

Screen (over)sharing in one pic

Privacy issues in SRTP

• Encrypts the payload of RTP packets, not the headers
• Example of possible info leak:
  • timestamp
  • audio levels of contained media
  • ???
  • PROFIT!
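To make the leak concrete, here is an added example (not from the talk) that parses the part of an SRTP packet that stays in the clear: the fixed RTP header and, when negotiated, the ssrc-audio-level header extension. The packet bytes are constructed, and the assumption that extension id 1 maps to audio level is one the real SDP (a=extmap) would have to confirm; RFC 6904 exists to encrypt header extensions, but the fixed header fields are never encrypted.

```javascript
// Added example, not from the talk: parse the cleartext part of an SRTP packet.
// SRTP (RFC 3711) encrypts only the payload; the fixed RTP header (RFC 3550) and
// header extensions are readable by anyone on the path, so a passive observer still
// sees timestamps, sequence numbers, SSRCs and, when the ssrc-audio-level extension
// (RFC 6464) is negotiated, who is talking and how loud.

function parseRtpHeader(buf) {
  if (buf.length < 12) throw new Error('shorter than the 12-byte RTP fixed header');
  const b0 = buf[0], b1 = buf[1];
  const hdr = {
    version: b0 >> 6, padding: !!(b0 & 0x20), extension: !!(b0 & 0x10),
    csrcCount: b0 & 0x0f, marker: !!(b1 & 0x80), payloadType: b1 & 0x7f,
    sequenceNumber: buf.readUInt16BE(2), timestamp: buf.readUInt32BE(4),
    ssrc: buf.readUInt32BE(8), extensions: [],
  };
  let off = 12 + 4 * hdr.csrcCount; // skip the CSRC list
  if (hdr.extension) {
    const profile = buf.readUInt16BE(off);
    const end = off + 4 + 4 * buf.readUInt16BE(off + 2); // length is in 32-bit words
    off += 4;
    if (profile === 0xbede) { // one-byte header extension format (RFC 8285)
      while (off < end) {
        const id = buf[off] >> 4, len = (buf[off] & 0x0f) + 1;
        if (id === 0) { off += 1; continue; } // padding byte
        if (id === 15) break;                 // reserved id: stop parsing
        hdr.extensions.push({ id, data: buf.subarray(off + 1, off + 1 + len) });
        off += 1 + len;
      }
    }
    off = end;
  }
  hdr.payloadOffset = off; // from here on: SRTP ciphertext (auth tag at the very end)
  return hdr;
}

// RFC 6464 audio level: V bit = voice activity, 7-bit level in -dBov (0 = loudest).
// Assumes extension id 1 was mapped to urn:ietf:params:rtp-hdrext:ssrc-audio-level.
function audioLevel(ext) {
  return { voice: !!(ext.data[0] & 0x80), dBov: -(ext.data[0] & 0x7f) };
}

// Constructed packet: V=2, X=1, PT=111, seq 4660, ts 12345678, SSRC 0xdeadbeef,
// one-byte extension id 1 (audio level: voice, -20 dBov), then 4 "ciphertext" bytes.
const SAMPLE = Buffer.from(
  '906f1234' + '00bc614e' + 'deadbeef' + 'bede0001' + '10940000' + 'aabbccdd', 'hex');

const h = parseRtpHeader(SAMPLE);
console.log('seq', h.sequenceNumber, 'ts', h.timestamp, 'ssrc', h.ssrc.toString(16),
  'audio level', audioLevel(h.extensions[0]), 'ciphertext from byte', h.payloadOffset);
```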

IP location privacy

IP location privacy: scan your LAN!

https://aan.sh/LANScan/

What could go wrong with that?

IP location privacy: scan your LAN!

Framework for developing exploits using WebRTC – sonar.js

• Enumerate hosts on internal network
• Fingerprint devices using onload() events and known CSS/images
• Using pre-set DB of exploits for devices, launch them against detected one

https://thehackerblog.com/sonar-a-framework-for-scanning-and-exploiting-internal-hosts-with-a-webpage/

Demo time

IP location privacy: protection

• WebRTC Leak Prevent and similar add-ons
• Browser configuration
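To verify that such protections work, an added example (not part of the talk): a small JavaScript audit that parses the ICE candidates in an SDP (for instance pc.localDescription.sdp) and reports which LAN addresses the page, the signaling server and the remote peer would learn. The SDP fragments are constructed, the mDNS name is made up, and the relay-only case corresponds to setting iceTransportPolicy: 'relay' in the RTCConfiguration.

```javascript
// Added example, not from the talk: audit an SDP offer/answer for the addresses its ICE
// candidates hand to the remote peer (and to the signaling server in between). Host
// candidates with private IPv4 addresses are what the "scan your LAN" trick depends on.

const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];
const isPrivateV4 = (addr) => PRIVATE_V4.some((re) => re.test(addr));

// a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
// [raddr <addr> rport <port>] ...  (RFC 8839 grammar). The raddr of a srflx candidate is
// the local address too, so it leaks exactly as much as a host candidate does.
function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/.exec(line);
    if (m) out.push({ foundation: m[1], component: +m[2], transport: m[3].toUpperCase(),
                      priority: +m[4], address: m[5], port: +m[6], type: m[7], raddr: m[8] || null });
  }
  return out;
}

function auditCandidates(sdp) {
  const cands = parseCandidates(sdp);
  const lan = new Set(), mdns = new Set();
  for (const c of cands) {
    if (c.type === 'host' && c.address.endsWith('.local')) mdns.add(c.address);
    else if (c.type === 'host' && isPrivateV4(c.address)) lan.add(c.address);
    if (c.raddr && isPrivateV4(c.raddr)) lan.add(c.raddr); // srflx reveals it via raddr
  }
  return { candidates: cands.length, lanAddresses: [...lan], mdnsHosts: [...mdns],
           relayOnly: cands.length > 0 && cands.every((c) => c.type === 'relay') };
}

// Constructed SDP fragments. LEAKY_SDP shows a plain host candidate plus the srflx raddr;
// MDNS_SDP is the same offer with an mDNS host candidate (made-up name) and a blanked raddr.
const LEAKY_SDP = [
  'v=0', 'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0',
  'a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234',
  'a=candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 51234',
].join('\r\n');
const MDNS_SDP = LEAKY_SDP
  .replace('192.168.1.23 51234 typ host', '6f2a1d9c-5b7e-4c3a-9e8f-1234567890ab.local 51234 typ host')
  .replace('raddr 192.168.1.23', 'raddr 0.0.0.0');

console.log('leaky offer:', auditCandidates(LEAKY_SDP));
console.log('mDNS offer:', auditCandidates(MDNS_SDP));
```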

WebRTC: security design practices

• Secure signaling
• Authentication and peer monitoring
• Permission requests
• MitM protection
• Screen sharing
• Fallback measures

WebRTC: security design practices

• Secure signaling

It is recommended to implement a signaling protocol that provides encryption (SIPS, OpenSIP, HTTPS or WSS), to prevent eavesdropping.

WebRTC: security design practices

• Authentication and peer monitoring

Basic apps require only a user's ID to perform a call, so it might be a good idea to have pre-registration or authentication to prevent calls from untrusted parties. Another best practice is to consistently monitor the number of peers in communication vs the total number on the signaling server (no spies, please!)

WebRTC: security design practices

• Permission requests

Clearly detail on the page what permissions the application will ask for, as often users will agree to permission requests or similar dialogs without consciously reading the message

WebRTC: security design practices

• MitM protection

Regular monitoring of the media path for suspicious relays, together with encrypted signaling, should be in place

WebRTC: security design practices

• Screen sharing

Before initiating the streaming of any part of the screen, the user should be properly notified and advised to close any screen containing sensitive information

WebRTC: security design practices

• Fallback measures

If it is confirmed that the call is compromised by an unauthorized party, it should be within the power of the web application server rendering the WebRTC-capable page to cut off the call

Further reading:

• https://www.html5rocks.com/en/tutorials/webrtc/basics/
• https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12
• http://webrtc-security.github.io
• https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-desmet.pdf
• https://webrtchacks.com/webrtc-and-man-in-the-middle-attacks/
• https://arxiv.org/pdf/1601.00184.pdf
• https://thehackerblog.com/sonar-a-framework-for-scanning-and-exploiting-internal-hosts-with-a-webpage/

Contact me: @c0rdis

Fin.