WebRTC Security: Real-Time Data Flaw Leaks Endpoint IP Addresses

Written by Derek Handova
September 16, 2019

Protect endpoint security and IP addresses from WebRTC data leaks with VPN testing and secure browsers and extensions.

…detection. WebRTC discovers IP addresses via the Interactive Connectivity Establishment (ICE) protocol. This protocol specifies different techniques for discovering IP addresses, including the use of STUN/TURN servers, according to Tennent.

Security Baron’s Gabe Turner

“While a STUN — Session Traversal Utilities for NAT— server lets clients discover their public IP address, a TURN — Traversal Using Relay NAT— server communicates between the two clients, which are then traversed to the STUN server,” said Gabe Turner, director of content at Security Baron, a website dedicated to cybersecurity. “Of course, the purpose of ICE, STUN and TURN is to get past firewalls to access private IP addresses. The new IP addresses are either IPv6 — the current standard of Internet Protocol — or IPv4, which is running out of IP addresses.”

Most devices have multiple IP addresses associated with their hardware, usually hidden from websites and STUN/TURN servers via firewalls, but the ICE protocol allows browsers to gather them by simply reading them from your device. IPv6 addresses can affect your data privacy as they are unique to each device, according to Tennent.

“If you have an IPv6 address associated with your device, and it is discovered via ICE, your data privacy could be compromised,” Tennent said. “A malicious website can use STUN/TURN servers or this IPV6 discovery to trick your browser into revealing an IP address that could identify you.”

Solving WebRTC Leaks, Endpoint Security, Data Privacy

For those who don’t really need the real-time communications that WebRTC leaks endangers or just don’t want to take a chance with their IP address or data privacy, the easiest solution may be simply to use a web browser plugin to disable WebRTC. According to Heid, multiple solutions for the WebRTC flaw are available for both Chrome and Firefox. Of course, none of the leading browsers has WebRTC real time communications enabled by default, according to Gustavo Carvalho, CMO at Copahost, a hosting, IT, marketing and e-commerce company.

“It’s an application that you can install — only if you want,” Carvalho said. “Chrome and Firefox appear to be more vulnerable, but Edge has more controls over communications and traffic.”

However, others seem to have the more mainstream view that every major browser has the WebRTC flaw enabled by default.

“So you’re trusting that the WebRTC service you’re interfacing with isn’t operating as a bad actor,” said Stuart R. Crawford, president and CEO at Ulistic LP, a marketing company that works with managed IT service providers. “If you wanted to be extra cautious, you could forcibly disable this feature. In Chrome, there are various extensions — WebRTC Network Limiter, WebRTC control — that can be installed to allow you to selectively use this, or disable it entirely. Similarly in Firefox, you can go to ‘about:config’ and toggle the ‘media.peerconnection.enabled’ to cripple this feature.”

In particular, the WebRTC Network Limiter extension seems to have merit in that it configures WebRTC to not use certain IP addresses or protocols. For example, with this extension, WebRTC will not use private IP addresses or any public IP addresses not used…