Detection of JavaScript Injection Eavesdropping on WebRTC communications

WebRTC is a Google-developed project that allows users to communicate directly. It is an open-source tool supported by all major browsers. Since it does not require additional installation steps and provides ultra-low latency streaming, smart city and social network applications such as WhatsApp, Facebook Messenger, and Snapchat use it as the underlying technology on the client-side both on desktop browsers and mobile apps. While the open-source tool is deemed to be secure and despite years of research and security testing, there are still vulnerabilities in the real-time communication application programming interface (API). We show in this paper how eavesdropping can be enabled by exploiting weaknesses and loopholes found in official WebRTC specifications. We demonstrate through real-world implementation how an eavesdropper can intercept WebRTC video calls by installing a malicious code onto the WebRTC webserver. Furthermore, we identify and discuss several, easy to perform, ways to detect wiretapping. Our evaluation shows that several indicators within webrtc-internals API traces can be used to detect anomalous activities, without the need for network monitoring tools

Ensuring endpoint authenticity in WebRTC peer-to-peer communication

WebRTC is one of the latest additions to the ever growing repository of Web browser technologies, which push the envelope of native Web application capabilities. WebRTC al- lows real-time peer-to-peer audio and video chat, that runs purely in the browser. Unlike existing video chat solutions, such as Skype, that operate in a closed identity ecosystem, WebRTC was designed to be highly flexible, especially in the domains of signaling and identity federation. This flexibility, however, opens avenues for identity fraud. In this paper, we explore the technical underpinnings of WebRTC’s identity management architecture. Based on this analysis, we identify three novel attacks against endpoint authenticity. To answer the identified threats, we propose and discuss defensive strategies, including security improvements for the WebRTC specifications and mitigation techniques for the identity and service providers.status: publishe

Ensuring Endpoint Authenticity in WebRTC Peer-to-Peer Communication

International audienc