webRTC and Network Privacy Leakage

Pål-Erik Martinsen, Cisco

Post on 15-Apr-2017

Post “Snowden” Era
- End-to-End principle
- Make it expensive, not impossible
- Do not leak meta-data

Cullen Jennings “Fluffy”, IETF webRTC Chair

But I want to communicate...

In webRTC this means:
- Having some sort of rendezvous service
- Exchanging IP addresses where encrypted end-to-end media/data can flow
(For NAT/FW traversal, a lot of addresses actually need to be exchanged.)

Providing p2p Connectivity
(Or at least somewhere in the 96-99% range)

ICE (Interactive Connectivity Establishment)

● IETF Standard for NAT/FW traversal
● Part of webRTC “media” stack
● Developed for SIP, minor adjustments to fit webRTC
● Get local candidates, exchange with remote and test what works

[Diagram, built up over several slides, showing the addresses involved:]
Bob: IP 192.168.1.34, Port 4567
NAT/Firewall: IP 1.4.7.4, Port 7865
TURN Server Allocated: IP 45.67.89.34, Port 45678
Alice: IP 192.168.1.35, Port 4567

So Where Is Information Leaked?

● Signalling path
  ○ Lots of candidates describing local network information are shared with nodes in the signalling path
  ○ Should be encrypted so no middleman can eavesdrop
● Data path
  ○ Connectivity checks are sent out on all interfaces on your device
  ○ Default route override
  ○ Problematic for dissidents using VPN to cover their tracks
  ○ Possible to correlate connectivity checks to get host identity
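To make the signalling-path point concrete, here is an added example (not from the original slides) that parses ICE candidate lines and lists every address they would disclose to nodes in the signalling path. The candidate lines are constructed from the Bob, NAT/Firewall and TURN addresses in the diagram, assuming those are Bob's host, server-reflexive and relayed candidates; foundations and priorities are made up.

```javascript
// Added example: audits which addresses a set of ICE candidate lines discloses.
// SAMPLE_CANDIDATES is constructed from the slide's addresses; the foundation
// and priority fields are invented for illustration.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.34 4567 typ host',
  'candidate:2 1 udp 1686052607 1.4.7.4 7865 typ srflx raddr 192.168.1.34 rport 4567',
  'candidate:3 1 udp 41885439 45.67.89.34 45678 typ relay raddr 1.4.7.4 rport 7865',
];

// RFC 1918 private IPv4 ranges (IPv4 only, to keep the example short).
function isPrivateV4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Parse one candidate attribute: foundation, component, transport, priority,
// address, port, "typ" <type>, then optional key/value pairs (raddr, rport).
function parseCandidate(line) {
  const f = line.replace(/^a=/, '').replace(/^candidate:/, '').trim().split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') throw new Error('malformed candidate: ' + line);
  const c = { address: f[4], port: Number(f[5]), type: f[7] };
  for (let i = 8; i + 1 < f.length; i += 2) c[f[i]] = f[i + 1];
  return c;
}

// List every address a candidate set reveals and what kind of address it is.
function auditCandidates(lines) {
  const findings = [];
  for (const c of lines.map(parseCandidate)) {
    const what = { host: 'local interface', srflx: 'NAT public mapping',
                   prflx: 'peer-observed mapping', relay: 'TURN allocation' }[c.type] || 'unknown';
    findings.push({ type: c.type, address: c.address, what, privateAddr: isPrivateV4(c.address) });
    // The related address of a reflexive or relayed candidate points one hop back.
    if (c.raddr && c.raddr !== '0.0.0.0') {
      findings.push({ type: c.type + '/raddr', address: c.raddr,
                      what: 'related address', privateAddr: isPrivateV4(c.raddr) });
    }
  }
  return findings;
}

// Keep only relayed candidates. Note this filters on type alone: the related
// address inside a kept candidate is still present and still shows up in the audit.
function relayOnly(lines) {
  return lines.filter((l) => parseCandidate(l).type === 'relay');
}

console.log(auditCandidates(SAMPLE_CANDIDATES));
```

Running the audit on the output of `relayOnly` still reports 1.4.7.4, because the relayed candidate carries the NAT address in its `raddr` field. In a browser, restricting gathering to relayed candidates is done with `iceTransportPolicy: 'relay'` in the `RTCPeerConnection` configuration.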

[Diagram, built up over two slides: a device with interfaces tun0, eth0 and eth1; VPN Server; Some Service; Some Other Service]

ICE will try all interfaces it gets access to

Some VPN clients shut down all other interfaces, some do not

Easy to correlate traffic and identify VPN user

VPN Split Tunneling allows access to local and “enterprise” resources?

ICE works similarly, tries to figure out best way to connect without knowing anything about the network topology

[Diagram: WiFi and LTE interfaces]

● Nytimes datachannel leak.
  ○ Used ICE addresses from the data-channel
  ○ Fingerprinted unique users behind a NAT.

● Knowing someone's private IP is not terribly useful.
  ○ Mine is 192.168.10.34, go exploit that..
  ○ It can help an attacker save a few scanning cycles if a host in the network is compromised
  ○ If you keep call logs please think about this.

● It is like the postal system
  ○ We need addresses
  ○ Need somewhere to deliver the mail.
  ○ That too can be exploited.

● The real problem is the browser changing behaviour without people knowing.
  ○ Dissidents that use private mode and VPN suddenly can be tracked.
  ○ Browser vendors are actively investigating how this can be solved.

Go home and do not lose sleep over this!