[wroclaw #4] webrtc & security: 101
TRANSCRIPT
What is WebRTC?
WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.
>> that’s correct, it’s right in your browser!
WebRTC ITW
• WhatsApp
• Facebook Messenger
• Tons of web chats
• And many more!
http://www.webrtcworld.com/webrtc-list.aspx
WebRTC: Signaling
• Signaling in three words: exchange of metadata
• Signaling server:
  • Loads client-side context (JS code)
  • Mediates control messages and metadata between endpoints
• Signaling protocol is not specified (BIY)
WebRTC: Media
• Encrypted P2P connection between browsers
• Steps for setting the media path up:
  • Exchange of media parameters (SDP)
  • Exchange of network parameters
  • UDP hole punching
• STUN (Session Traversal Utilities for NAT)
• TURN (Traversal Using Relays around NAT)
• ICE (Interactive Connectivity Establishment)
SDP: Session Description Protocol
• Initialization parameters for streaming media
• Session announcement
• Session invitation
• Parameter negotiation (mm types, codecs, ...)
UDP hole punching
• Simple but not always applicable (e.g. symmetric NATs)
[Figure: Browser A (A:P1) behind NAT/Firewall N, Browser B (B:P3) behind NAT/Firewall M, and a public server S; the NATs map A to N:P2 and B to M:P4]
1. A → N → M: A:P1 ⇄ N:P2
2. B → M → N: B:P3 ⇄ M:P4
3. N:P2, M:P4 → S
4. A:P1, B:P3 ⇄ S (P2, P4)
5. A:P1 → M:P4 → B
   B:P3 → N:P2 → A
   A ⇄ B
What about other scary acronyms?
• STUN
  • To collect your local network setup (local IPs, local subnets, NAT configuration…)
• TURN
  • To relay your media connection if P2P fails
• ICE
  • Bundles all STUN/TURN info for exchange via the signaling channel and probing until a pair works
WebRTC API
• getUserMedia(): capture audio and video
• MediaRecorder*: record audio and video
• RTCPeerConnection: stream audio and video between users
• RTCDataChannel: stream data between users
“Be skeptical of reports that a platform 'supports WebRTC'. Often this actually just means that getUserMedia is supported, but not any of the other RTC components”
WebRTC API: getUserMedia()
// Legacy prefixed callback API as used on the slide; current browsers expose
// navigator.mediaDevices.getUserMedia(constraints), which returns a Promise.
navigator.getUserMedia = navigator.getUserMedia ||
    navigator.webkitGetUserMedia ||
    navigator.mozGetUserMedia;

var constraints = { audio: false, video: true };
…
// `video` (a <video> element) and `errorCallback` are defined in the elided parts.
function successCallback(stream) {
  window.stream = stream; // stream available to console
  if (window.URL) {
    // createObjectURL(MediaStream) is deprecated; modern code sets video.srcObject = stream
    video.src = window.URL.createObjectURL(stream);
  } else {
    video.src = stream;
  }
}
…
navigator.getUserMedia(constraints, successCallback, errorCallback);
WebRTC API: RTCPeerConnection
• Responsible for managing the full life-cycle of each P2P connection and encapsulates all the connection setup, management, and state within a single easy-to-use interface
• Connection initiation: SDP description exchange
• After it is established: sending of real-time audio and video data as a bitstream

var conn = new RTCPeerConnection(conf);
// The legacy onaddstream handler receives an event carrying the stream,
// not the stream itself (current browsers use ontrack / event.streams[0]).
conn.onaddstream = function (event) {
  var stream = event.stream;
  // use stream here
};
WebRTC API: RTCDataChannel
• Enables peer-to-peer exchange of arbitrary data, with low latency and high throughput
• Features:
  • Leveraging of RTCPeerConnection session setup
  • Multiple simultaneous channels, with prioritization
  • Reliable and unreliable delivery semantics
  • Built-in security (DTLS) and congestion control
  • Ability to use with or without audio or video
Try my *bear: https://www.cubeslam.com/dcegjx
WebRTC API: RTCDataChannel
var pc = new webkitRTCPeerConnection(servers, { optional: [{ RtpDataChannels: true }] });
var receiveChannel, sendChannel;

pc.ondatachannel = function (event) {
  receiveChannel = event.channel;
  receiveChannel.onmessage = function (event) {
    // Data from the peer is untrusted: render it as text, not as HTML.
    document.querySelector("div#receive").textContent = event.data;
  };
};

sendChannel = pc.createDataChannel("sendDataChannel", { reliable: false });

document.querySelector("button#send").onclick = function () {
  var data = document.querySelector("textarea#send").value;
  sendChannel.send(data);
};
WebRTC API: MediaRecorder
https://webrtc.github.io/samples/src/content/getusermedia/record/
• Introduced back in Sep 2016 (still experimental)
• Sample recording functionality:
  • mediaRecorder.start()
  • mediaRecorder.stop()
  • mediaRecorder.ondataavailable → recordedBlobs.push(event.data)
  • … and then make it available for play/download
• Example of recorded video object link: blob:https://webrtc.github.io/4d25f90a-244b-4e1c-9495-e5f21074aab9
WebRTC: security perspective
• Browser acts as TCB
  • Natural part of it, not a plugin
  • Frequent updates
  • Permissions (explicit user consent*)
• Enforced encryption
  • RTP is explicitly forbidden
  • End-to-end encryption between peers
  • Mandatory HTTPS + DTLS/SRTP
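As an added example (not from the slides), here is a check a signaling server could run on an offer or answer before relaying it, refusing SDP that would negotiate unencrypted media. The SDP strings are constructed for the demo and the DTLS fingerprint is a placeholder value.

```javascript
// Added example (not from the slides): a signaling server can refuse to relay
// an offer/answer that would set up unencrypted media. WebRTC mandates
// DTLS-SRTP, so each m= line needs a secure profile (SAVP/SAVPF, or DTLS/SCTP
// for data channels) and a DTLS fingerprint at session or media level.
function checkSdpEncryption(sdp) {
  const lines = sdp.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const problems = [];
  let sessionFingerprint = false;
  let media = null; // the m= section currently being parsed
  const finishMedia = () => {
    if (media && !media.fingerprint && !sessionFingerprint) {
      problems.push(`m=${media.kind}: no a=fingerprint (DTLS) at session or media level`);
    }
  };
  for (const line of lines) {
    if (line.startsWith('m=')) {
      finishMedia();
      const [kind, , proto] = line.slice(2).split(' ');
      media = { kind, fingerprint: false };
      // Plain RTP/AVP(F) means no SRTP; only the SAVP(F) and DTLS/SCTP profiles pass.
      if (!/SAVPF?$/.test(proto) && !/DTLS\/SCTP$/.test(proto)) {
        problems.push(`m=${kind}: insecure transport profile "${proto}"`);
      }
    } else if (line.startsWith('a=fingerprint:')) {
      if (media) media.fingerprint = true; else sessionFingerprint = true;
    }
  }
  finishMedia();
  return { ok: problems.length === 0, problems };
}

// Constructed SDP (not a real capture); the fingerprint value is a placeholder.
const SECURE_OFFER = [
  'v=0', 'o=- 1 1 IN IP4 127.0.0.1', 's=-', 't=0 0',
  'a=fingerprint:sha-256 ' + 'AA:'.repeat(31) + 'AA',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111', 'c=IN IP4 0.0.0.0', 'a=setup:actpass',
  'm=application 9 UDP/DTLS/SCTP webrtc-datachannel', 'a=sctp-port:5000',
].join('\r\n');

// Same offer downgraded to plain RTP with the fingerprint stripped.
const PLAIN_RTP_OFFER = SECURE_OFFER
  .replace('UDP/TLS/RTP/SAVPF', 'RTP/AVP')
  .replace(/a=fingerprint:[^\r\n]*\r\n/, '');

console.log(checkSdpEncryption(SECURE_OFFER));    // { ok: true, problems: [] }
console.log(checkSdpEncryption(PLAIN_RTP_OFFER)); // ok: false, three problems
```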
WebRTC: security perspective
What could go wrong?
• What are the effects of JavaScript/HTML injection?
• Can we steal WebRTC credentials?
• Can we steal privileged information about a client?
• What are the effects of taking over a signaling server?
• Can we crash the server, or render it unresponsive?
• What information can be extracted?
• Can we cause a client to connect to a rogue network?
WebRTC security: browser
• Direct data transfer between peers e.g. in chat
  • …might equal a complete takeover of the victim’s context in case of XSS
  • ...as well as lead to obtaining internal addresses of your counterparts (more soon)
  • ...and facilitates direct transfers of malware
• Additional considerations:
  • Poor registration mechanisms ~ access and abuse
  • Poor session termination ~ session reuse
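Because data-channel messages arrive straight from the remote peer, the receiving page has to treat them as untrusted input. An added example (not from the slides) of a receive handler that does so: it caps message size, requires a known JSON shape, and hands only text to the renderer. The {type, text} wire format and the attachReceiveHandler helper are assumptions made for the demo.

```javascript
// Added example (not from the slides): treat every RTCDataChannel message as
// attacker-controlled input. The JSON {type, text} wire format is an assumption
// for the demo; the validation pattern is the point, not the schema.
const MAX_MESSAGE_BYTES = 4096;
const ALLOWED_TYPES = new Set(['chat', 'typing']);

// Parse and validate one raw message: {ok: true, msg} or {ok: false, reason}.
function parsePeerMessage(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'binary frames not accepted' };
  if (raw.length > MAX_MESSAGE_BYTES) return { ok: false, reason: 'message too large' };
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: 'not JSON' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) {
    return { ok: false, reason: 'not an object' };
  }
  if (!ALLOWED_TYPES.has(msg.type)) return { ok: false, reason: 'unknown type' };
  if (msg.type === 'chat' && typeof msg.text !== 'string') {
    return { ok: false, reason: 'chat without text' };
  }
  // Re-create the object with only the fields we know; extra peer fields are dropped.
  return { ok: true, msg: { type: msg.type, text: msg.type === 'chat' ? msg.text : '' } };
}

// Wire a channel (a real RTCDataChannel, or any object with an onmessage slot)
// to a renderer. `render(text)` must assign to textContent, never innerHTML,
// so markup in the peer's text stays inert. Rejected messages are counted.
function attachReceiveHandler(channel, render) {
  const stats = { accepted: 0, rejected: 0 };
  channel.onmessage = (event) => {
    const result = parsePeerMessage(event.data);
    if (!result.ok) { stats.rejected += 1; return; }
    stats.accepted += 1;
    if (result.msg.type === 'chat') render(result.msg.text);
  };
  return stats;
}

// In a browser this would be hooked up as:
//   pc.ondatachannel = (e) => attachReceiveHandler(e.channel, (text) => {
//     document.querySelector('div#receive').textContent = text;
//   });
```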
WebRTC security: Android client
• Installation permissions
  • Malware to capture private info about the user
• Data storage
  • Malicious app could steal data from WebRTC-powered app
• Network interception
  • Credentials could be sent over HTTP beforehand
• UI phishing / malware
WebRTC security: in between
• Signaling server takeover
  • MiTM via fake user or creation of “invisible” one? ;)
  • Or simply crashing it and bringing chaos
• Registration hijacking
  • Capture/change IP addresses to forward calls to attacker’s server
  • DoS against user’s device
  • Race conditions (overriding legitimate REGISTER requests)
• Replay attacks
WebRTC security: authentication
• Signaling server should not be trusted, and it should be possible to perform authentication independently
• Identity Providers (Facebook Login, BrowserID, OAuth) provide auth for users without participation of the signaling server
Privacy issues in SRTP
• Encrypts the payload of RTP packets, not the headers
• Example of possible info leak:
  • timestamp
  • audio levels of contained media
  • ???
  • PROFIT!
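As an added example (not from the slides), a parser for the part of an SRTP packet that stays in the clear: the fixed RTP header plus the RFC 6464 audio-level header extension, which is exactly where the timestamp and audio-level leaks above come from. The packet bytes are constructed, and the extmap id 1 for the audio-level extension is an assumption standing in for what the call's SDP would declare.

```javascript
// Added example (not from the slides): SRTP encrypts only the RTP payload, so
// everything parsed here is readable by anyone on the network path. The packet
// is constructed; the extmap id 1 -> urn:ietf:params:rtp-hdrext:ssrc-audio-level
// mapping is an assumption standing in for what the call's SDP would declare.
const AUDIO_LEVEL_EXT_ID = 1;

function parseRtpHeader(buf) {
  const b0 = buf[0];
  const hdr = {
    version: b0 >> 6,
    extension: Boolean(b0 & 0x10),
    csrcCount: b0 & 0x0f,
    payloadType: buf[1] & 0x7f,
    sequence: buf.readUInt16BE(2),
    timestamp: buf.readUInt32BE(4),
    ssrc: buf.readUInt32BE(8),
    audioLevelDb: null, // RFC 6464 level in -dBov, if the extension is present
    voiceActivity: null,
  };
  let offset = 12 + 4 * hdr.csrcCount;
  if (hdr.extension) {
    const profile = buf.readUInt16BE(offset);
    const extLen = buf.readUInt16BE(offset + 2) * 4; // length is in 32-bit words
    let p = offset + 4; const end = p + extLen;
    if (profile === 0xbede) { // RFC 5285 one-byte header extension format
      while (p < end) {
        const id = buf[p] >> 4, len = (buf[p] & 0x0f) + 1;
        if (id === 0) { p += 1; continue; } // padding byte
        if (id === 15) break; // reserved id: stop parsing
        if (id === AUDIO_LEVEL_EXT_ID && len === 1) { // V bit + 7-bit level
          hdr.voiceActivity = Boolean(buf[p + 1] & 0x80);
          hdr.audioLevelDb = -(buf[p + 1] & 0x7f);
        }
        p += 1 + len;
      }
    }
    offset = end;
  }
  hdr.payloadOffset = offset; // from here on, SRTP gives only ciphertext
  return hdr;
}

// Constructed packet: V=2, X=1, PT=111 (Opus), seq 0x1234, ts 0x00010000, SSRC
// 0xdeadbeef, one-byte extension with audio level -30 dBov and voice present.
const SAMPLE_PACKET = Buffer.from([
  0x90, 0x6f, 0x12, 0x34, 0x00, 0x01, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,
  0xbe, 0xde, 0x00, 0x01, 0x10, 0x9e, 0x00, 0x00,
  0xc3, 0x7a, 0x11, 0x05, // placeholder ciphertext bytes
]);
```

Everything in the returned object, including who is speaking (SSRC), when (timestamp) and how loudly (audio level), is available without the SRTP keys.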
IP location privacy: scan your LAN!
Framework for developing exploits using WebRTC – sonar.js
• Enumerate hosts on internal network
• Fingerprint devices using onload() events and known CSS/images
• Using pre-set DB of exploits for devices, launch them against detected one
https://thehackerblog.com/sonar-a-framework-for-scanning-and-exploiting-internal-hosts-with-a-webpage/
WebRTC: security design practices
• Secure signaling
• Authentication and peer monitoring
• Permission requests
• MitM protection
• Screen sharing
• Fallback measures
WebRTC: security design practices
• Secure signaling
It is recommended to implement a signaling protocol that provides encryption (SIPS, OpenSIP, HTTPS or WSS), to prevent eavesdropping.
WebRTC: security design practices
• Authentication and peer monitoring
Basic apps require only a user's ID to perform a call, so it might be a good idea to have pre-registration or authentication to keep untrusted parties out. Another best practice is to consistently monitor the number of peers in communication vs the total number on the signaling server (no spies, please!)
WebRTC: security design practices
• Permission requests
Clearly detail on the page what permissions the application will ask for, as often users will agree to permission requests or similar dialogs without consciously reading the message
WebRTC: security design practices
• MitM protection
The media path should be regularly monitored for suspicious relays, and signaling should be encrypted
WebRTC: security design practices
• Screen sharing
Before initiating the streaming of any part of the screen, the user should be properly notified and advised to close any screen containing sensitive information
WebRTC: security design practices
• Fallback measures
If it is confirmed that the call is compromised by an unauthorized party, it should be within the power of the web application server rendering the WebRTC-capable page to cut off the call
Further reading:
• https://www.html5rocks.com/en/tutorials/webrtc/basics/
• https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12
• http://webrtc-security.github.io
• https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-desmet.pdf
• https://webrtchacks.com/webrtc-and-man-in-the-middle-attacks/
• https://arxiv.org/pdf/1601.00184.pdf
• https://thehackerblog.com/sonar-a-framework-for-scanning-and-exploiting-internal-hosts-with-a-webpage/
Contact me: @c0rdis