Protect endpoint security and IP addresses from WebRTC data leaks with VPN testing and secure browsers and extensions.

September 16, 2019

10 Min Read
Data leak
Shutterstock

By Derek Handova

For years, CPaaS API, e-commerce, content management system and other online solutions providers have known that browsers make real-time communications WebRTC security vulnerable to data flaws and IP address leaks. Yet the WebRTC flaw has persisted due to benign neglect, ignorance, sloth or just plain laziness, endangering data privacy for endpoint security customers and their MSSP partners. That’s important because many remote workers such as IT directors, road warriors, computer engineers and other personnel rely on real-time voice and video communications made possible by WebRTC. But they shouldn’t have to risk their endpoint security, IP addresses and data privacy in the process.

Zlotkin-Adi_GeoEdge.jpg

GeoEdge’s Adi Zlotkin

“WebRTC technology exists in all modern web browsers,” said Adi Zlotkin, head of security at GeoEdge, which has published a white paper on WebRTC malvertising. “WebRTC protocols are an open framework that provides browsers and mobile applications with real-time communications capabilities via simple APIs, allowing platforms to communicate via a common set of protocols. This open source technology is essential in sharing videos, yet can be exploited and used as a white encrypted data channel. Due to its peer-to-peer protocols, the technology is highly attractive to attackers, and the attacks launched are extremely difficult to detect since the data is sent directly between peers.”

So the very capabilities that make real-time communications possible through WebRTC are what put endpoint security at risk. And all the major browsers — Chrome, Edge, Firefox — have WebRTC flaws to some extent, which make WebRTC leaks inevitable.

Heid-Alexander_SecurityScorecard.jpg

SecurityScorecard’s Alex Heid

“WebRTC has powerful features that can reveal the real IP address, location and other identifying metadata about a user,” said Alex Heid, chief R&D officer at SecurityScorecard, a security company with solutions for measuring and communicating security risk. “Even when VPN services or other anonymization technologies are in place, web browsers configured to allow the WebRTC protocol can hypothetically be leveraged by attackers to obtain information about a target system or exploit a vulnerability in the application or browser. The WebRTC framework is open source, and therefore the code is available for analysis by both developers and malicious actors. Widespread adoption of WebRTC indicates this protocol will be a popular client-side attack vector going forward.”

WebRTC Security Leaks and Data Privacy Risks

Any two devices talking to each other directly via WebRTC need to know each other’s real IP addresses, according to network security experts. So in theory, a third-party website can exploit WebRTC leaks in your browser to detect your real IP address and use it to identify you.

Tennent-Callum_Top10VPN.jpg

Top10VPN.com’s Callum Tennent

“Technically, these WebRTC leaks aren’t flaws, they’re simply part of the browser design,” said Callum Tennent, site editor, Top10VPN.com a virtual private network (VPN) review website. “Efficient IP sharing is supposed to provide convenience and speed, so WebRTC uses clever techniques to figure out your true IP address and get around any firewalls that might otherwise prevent your real-time connection from taking place.”

The problem with WebRTC is that it uses techniques to discover your IP address that are more advanced than those used in “standard” IP…

…detection. WebRTC discovers IP addresses via the Interactive Connectivity Establishment (ICE) protocol. This protocol specifies different techniques for discovering IP addresses, including the use of STUN/TURN servers, according to Tennent.

Turner-Gabe_Security-Baron.jpg

Security Baron’s Gabe Turner

“While a STUN — Session Traversal Utilities for NAT— server lets clients discover their public IP address, a TURN — Traversal Using Relay NAT— server communicates between the two clients, which are then traversed to the STUN server,” said Gabe Turner, director of content at Security Baron, a website dedicated to cybersecurity. “Of course, the purpose of ICE, STUN and TURN is to get past firewalls to access private IP addresses. The new IP addresses are either IPv6 — the current standard of Internet Protocol — or IPv4, which is running out of IP addresses.”

Most devices have multiple IP addresses associated with their hardware, usually hidden from websites and STUN/TURN servers via firewalls, but the ICE protocol allows browsers to gather them by simply reading them from your device. IPv6 addresses can affect your data privacy as they are unique to each device, according to Tennent.

“If you have an IPv6 address associated with your device, and it is discovered via ICE, your data privacy could be compromised,” Tennent said. “A malicious website can use STUN/TURN servers or this IPV6 discovery to trick your browser into revealing an IP address that could identify you.”

Solving WebRTC Leaks, Endpoint Security, Data Privacy

For those who don’t really need the real-time communications that WebRTC leaks endangers or just don’t want to take a chance with their IP address or data privacy, the easiest solution may be simply to use a web browser plugin to disable WebRTC. According to Heid, multiple solutions for the WebRTC flaw are available for both Chrome and Firefox. Of course, none of the leading browsers has WebRTC real time communications enabled by default, according to Gustavo Carvalho, CMO at Copahost, a hosting, IT, marketing and e-commerce company.

“It’s an application that you can install — only if you want,” Carvalho said. “Chrome and Firefox appear to be more vulnerable, but Edge has more controls over communications and traffic.”

However, others seem to have the more mainstream view that every major browser has the WebRTC flaw enabled by default.

“So you’re trusting that the WebRTC service you’re interfacing with isn’t operating as a bad actor,” said Stuart R. Crawford, president and CEO at Ulistic LP, a marketing company that works with managed IT service providers. “If you wanted to be extra cautious, you could forcibly disable this feature. In Chrome, there are various extensions — WebRTC Network Limiter, WebRTC control — that can be installed to allow you to selectively use this, or disable it entirely. Similarly in Firefox, you can go to ‘about:config’ and toggle the ‘media.peerconnection.enabled’ to cripple this feature.”

In particular, the WebRTC Network Limiter extension seems to have merit in that it configures WebRTC to not use certain IP addresses or protocols. For example, with this extension, WebRTC will not use private IP addresses or any public IP addresses not used…

…for web traffic, and requires WebRTC traffic to go to proxy servers as configured in Chrome, according to the Google team that wrote the extension. So your browser shouldn’t give up any IP addresses not already associated with your endpoint security web traffic, theoretically tightening WebRTC security.

“Another easy way to stop WebRTC leaks without disabling WebRTC is a secure VPN,” said Jamie Cambell, founder of GoBestVPN, which helps protect digital privacy through education. “Some VPNs offer protection against various leaks like IP leaks and DNS leaks — WebRTC isn’t exempt.”

Testing for WebRTC Leaks

And if you’re not using a VPN, undoubtedly you’re exposing some private information to third parties. But even if you are using a VPN, you need to test for WebRTC leaks. Fortunately, there are a number of WebRTC browser leak tools available online. According to secure browser vendor Authentic8, you should always assume your VPN privacy is vulnerable to the WebRTC data flaw. They suggest checking your IP address data privacy by using WebRTC leak testing tools such as VoidSec or Sploit.io.

“Use one of these tools and make note of any public IP addresses you see,” Tennent said. “Then, connect to your VPN and reopen the tool. Test again; if you still see any of the public IP addresses from the previous step, then there is a privacy leak.”

However, others seem to think that testing your network security for the WebRTC data flaw is actually relatively complicated because things change over time.

Katz-Eyal_Pangeo.jpg

Pangeo’s Eyal Katz

“Simply writing a script to look for loopholes or security vulnerabilities and report them to you is not enough as things change over time,” said Eyal Katz, head of data security at Pangeo, a VPN for professional use. “This is where dedicated cyber security solutions — backed with machine learning technology — can spot vulnerabilities at their onset and safeguard from them.”

WebRTC Leaks Versus Usability

When thinking about WebRTC leaks, some suggest taking a step back to consider the original purpose of the open source protocol. According to leading conversational technology provider Twilio, WebRTC enables business phone communications with only a browser without the need to provision and deploy software to each endpoint — much less single-purpose hardware, as older real-time communications protocols require, in the view of other technology experts.

“Enterprise voice/video technology like SIP trunks and H.323 require dedicated physical endpoints or proprietary software clients,” said Joel Bilheimer, vice president of cybersecurity at Pershing Technologies, an audiovisual collaboration technology vendor. “If you’re a large service provider providing public outreach services, that’s a big problem when you have thousands or millions of users, the very large majority of whom are not technical and can’t configure their devices beyond default. WebRTC’s ability to provide clientless real-time data transfer using a tool everyone has on their devices — a browser — solves this problem. Disabling WebRTC or using a lockdown VPN kills this service.”

So solutions must be flexible enough to let untrained users use WebRTC services while protecting personal data, the way Bilheimer sees it. Fortunately, laws…

…and frameworks such as GDPR, HIPAA and ISO 27001 provide guidance for service providers.

In the final analysis, the purpose of WebRTC is to improve speed when using “live” applications, according to web tracking experts. And these are only increasing in popularity.

“And which browser wants to deliberately make live applications worse?” asks Daniel Steen, founder and CTO of MirageID, a provider of dedicated browsers that mitigate online tracking and monitoring. “But that is only part of the story. People believe if you block your IP address you can be anonymous. That may have been true five or 10 years ago, but in today’s age of deep user tracking, behavioral analysis and browser fingerprinting, IP addresses are only the tip of the iceberg. Users can be tracked in so many ways that blocking your IP is only marginally effective. What browser wants to disable a useful protocol for little real gain?”

It all comes down to WebRTC security leaks versus usability.

Kolga-Rene_Nyotron.jpg

Nyotron’s Rene Kolga

“Remember endpoint security is about risk management,” said Rene Kolga, vice president of product strategy at Nyotron, an endpoint security provider. “And you have to consider what is the risk of the WebRTC data flaw, compared to the benefit that you get and how much you have to invest to verify a lack of WebRTC data leaks. Again, if you can use an encrypted connection, it will help.”

Read more about:

MSPs
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like