WebRTC Security: Real-Time Data Flaw Leaks Endpoint IP Addresses
…for web traffic, and requires WebRTC traffic to go to proxy servers as configured in Chrome, according to the Google team that wrote the extension. So your browser shouldn’t give up any IP addresses not already associated with your endpoint security web traffic, theoretically tightening WebRTC security.
“Another easy way to stop WebRTC leaks without disabling WebRTC is a secure VPN,” said Jamie Cambell, founder of GoBestVPN, which helps protect digital privacy through education. “Some VPNs offer protection against various leaks like IP leaks and DNS leaks — WebRTC isn’t exempt.”
Testing for WebRTC Leaks
And if you’re not using a VPN, undoubtedly you’re exposing some private information to third parties. But even if you are using a VPN, you need to test for WebRTC leaks. Fortunately, there are a number of WebRTC browser leak tools available online. According to secure browser vendor Authentic8, you should always assume your VPN privacy is vulnerable to the WebRTC data flaw. They suggest checking your IP address data privacy by using WebRTC leak testing tools such as VoidSec or Sploit.io.
“Use one of these tools and make note of any public IP addresses you see,” Tennent said. “Then, connect to your VPN and reopen the tool. Test again; if you still see any of the public IP addresses from the previous step, then there is a privacy leak.”
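The before-and-after comparison described above, as an added example that is not from the article or from the tools it names. It assumes you have saved the ICE candidate lines a page collected (the `candidate` string of each `RTCPeerConnection` `icecandidate` event) once without the VPN and once with it; the function names and sample lines are constructed for illustration.

```javascript
// Constructed sample candidate lines using documentation-range addresses.
const SAMPLE_BEFORE = [
  "candidate:1 1 udp 2113937151 4f2c1a9e-0000-4000-8000-aaaaaaaaaaaa.local 51234 typ host",
  "candidate:2 1 udp 1677729535 203.0.113.7 51234 typ srflx raddr 0.0.0.0 rport 0",
];
const SAMPLE_WITH_VPN = [
  "candidate:1 1 udp 2113937151 10.8.0.2 40000 typ host",
  "candidate:2 1 udp 1677729535 198.51.100.20 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "a=candidate:3 1 udp 1677729535 203.0.113.7 51234 typ srflx raddr 192.168.1.5 rport 51234",
];

// Pull the connection address (5th field) and any related address (raddr) from one line.
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  const typ = f.indexOf("typ");
  if (!f[0].startsWith("candidate:") || typ < 6 || typ + 1 >= f.length) return null;
  const addresses = [f[4].toLowerCase()];
  const raddr = f.indexOf("raddr");
  if (raddr > typ && raddr + 1 < f.length) addresses.push(f[raddr + 1].toLowerCase());
  return { type: f[typ + 1], addresses };
}

// Public means: not an mDNS name, not loopback, link-local, RFC 1918 or CGNAT IPv4,
// and not loopback, link-local or unique-local IPv6.
function isPublic(addr) {
  if (addr.endsWith(".local")) return false;
  if (addr.includes(":")) return !/^(::1$|fe[89ab]|f[cd])/.test(addr);
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  const [a, b] = o;
  return !(a === 0 || a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127));
}

function publicAddresses(lines) {
  const found = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c) c.addresses.filter(isPublic).forEach((a) => found.add(a));
  }
  return found;
}

// Any public address seen without the VPN that still appears with it is a leak.
function findLeaks(beforeVpn, withVpn) {
  const before = publicAddresses(beforeVpn);
  return [...publicAddresses(withVpn)].filter((a) => before.has(a)).sort();
}

console.log(findLeaks(SAMPLE_BEFORE, SAMPLE_WITH_VPN));
```

An empty result means none of the pre-VPN public addresses reappeared in that run; it says nothing about later browser or VPN changes, so the comparison is worth repeating.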
However, others seem to think that testing your network security for the WebRTC data flaw is actually relatively complicated because things change over time.

“Simply writing a script to look for loopholes or security vulnerabilities and report them to you is not enough as things change over time,” said Eyal Katz, head of data security at Pangeo, a VPN for professional use. “This is where dedicated cyber security solutions — backed with machine learning technology — can spot vulnerabilities at their onset and safeguard from them.”
WebRTC Leaks Versus Usability
When thinking about WebRTC leaks, some suggest taking a step back to consider the original purpose of the open source protocol. According to leading conversational technology provider Twilio, WebRTC enables business phone communications with only a browser, without the need to provision and deploy software to each endpoint. Nor does it need the single-purpose hardware that, in the view of other technology experts, older real-time communications protocols require.
“Enterprise voice/video technology like SIP trunks and H.323 require dedicated physical endpoints or proprietary software clients,” said Joel Bilheimer, vice president of cybersecurity at Pershing Technologies, an audiovisual collaboration technology vendor. “If you’re a large service provider providing public outreach services, that’s a big problem when you have thousands or millions of users, the very large majority of whom are not technical and can’t configure their devices beyond default. WebRTC’s ability to provide clientless real-time data transfer using a tool everyone has on their devices — a browser — solves this problem. Disabling WebRTC or using a lockdown VPN kills this service.”
So solutions must be flexible enough to let untrained users use WebRTC services while protecting personal data, the way Bilheimer sees it. Fortunately, laws…