 Post subject: Local IP discovery with HTML5 WebRTC: Security and privacy?
Posted: Thu Oct 31, 2013 1:13 pm
Decent Challenge

Joined: Mon Jun 07, 2004 10:02 pm
Posts: 416
https://2x.io/read/security-by-obscurity
**Ties in with the CSRF exploit post the other day.

Demonstration:
https://dl.dropboxusercontent.com/u/187 ... hosts.html
** had wrong long link for demonstration -- oops


Content for those who can't view above site if at work:

Local IP discovery with HTML5 WebRTC: Security and privacy risk?

With the progression of HTML5 WebRTC, browsers are getting ever closer to making pluginless video conferencing a reality. One feature of WebRTC is the ability to discover the local IP addresses of the browsing machine. Does that put us at an increased risk?

Recently I stumbled across Nathan Vander Wilt's net.ipcalf.com. When opened from a relatively new version of Chrome or Firefox, your computer's local IP addresses should present themselves.

I've coded up another example, which attempts to use WebRTC to find your local IPs, and then probe for other live hosts on your network(s).

Others will likely cover the usefulness of these APIs, so I will -- for the sake of argument -- comment on the tinfoilhat-y perspective. Bear with me.

Privacy concerns

I know for a fact that some people use multiple browsers on the same PC, in order to separate identities or browsing profiles. These people might browse Reddit's cute-cat-picture-subreddits with Firefox and the programming subreddits with Chrome. From the web server's perspective, both browsers will likely have the same public IP address, but their headers, tracking cookies and whatnot will clearly differ.

With the WebRTC local IP discovery technique, those interested in tracking you, be that ad agencies or some spy organization, will be able to make connections between browsers based on a combination of public and local IP. If they for whatever reason can tie an identity to one browser, they will probably assume that the same person is hiding behind the second one.

There's also a risk that the local IP info can aid in identification between public IPs. Let's say that you use some VPN service, or Tor, whenever you surf cute cat pictures, but you use the same browser. EFF's Panopticlick tells the story of how each browser is pretty much unique, based on HTTP header fingerprinting and so forth. Add local IP addresses, or even subnets to circumvent DHCP lease times, and your browser / PC is even more unique. And by unique, I mean trackable.

Security concerns

Consider some evil page which, based on the local IP returned from the WebRTC technique, starts scanning devices on your LAN. Let's say your IP is 10.0.8.13, then the evil JavaScript could start out by guessing that your router is at 10.0.8.1. Then let's move on to assume that your router, which probably hasn't had its firmware upgraded for a while, has some half-assed web interface, which is accessible from your LAN.

The chance of this router being remote exploitable -- that is from your public IP -- isn't huge. It has happened, but it doesn't happen that often. The chance of there still being some obscure XSS flaw hidden in there somewhere, however, is much greater. So what if this evil page, which has now identified that your router is on 10.0.8.1, and figured out which software it runs, then goes on to exploit one of the XSS vulnerabilities -- and adds some evil person as remote admin?

Now this doesn't have to be your router. It would be fairly trivial for a JavaScript to discover which hosts are up on your local network -- I've had great luck doing timed HTTPS requests against non-HTTPS ports on IPs to do just that. With this information, the evil page can go on to test the discovered hosts for a plethora of vulnerabilities, based on simple fingerprinting. That could do all kinds of damage.

I just put this to the test on an office network I am part of, which happens to house an old Canon printer. I'm pretty sure it predates the pyramids -- but at the very least the dawn of security bugs, because it will do pretty much exactly what a rogue JavaScript tells it to do.

So, yeah, your printer is now part of a botnet, and is routinely DDoS-ing powerplants in Iran. Congratulations.

But what does it all mean?

So there are privacy concerns, and the feature can at least make local exploitation easier for an attacker.

On the other hand, there are bigger privacy concerns around today (yes I'm talking to you, NSA), and from a security perspective not yielding the IP is arguably security through obscurity.

So I'll let you lot make up your own minds. My tinfoil hat stays on.


Last edited by ChickenNoodleSoup on Thu Oct 31, 2013 3:23 pm, edited 1 time in total.
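
A defender's check for the local IP exposure described in the article quoted above, as an added example that is not part of the original post or the linked article: it parses ICE candidate lines (the strings a WebRTC session hands to page script) and reports which ones carry an RFC 1918 or link-local IPv4 address, including the `raddr` field of server-reflexive candidates. Function names and the sample candidates are constructed for illustration; IPv6 is not classified.

```javascript
// Candidate grammar (RFC 5245, section 15.1):
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return 'mdns'; // hostname stand-in, no IP revealed
  const m = addr.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return 'not-ipv4';
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return 'invalid';
  if (o.every((n) => n === 0)) return 'unspecified'; // 0.0.0.0 placeholder
  if (o[0] === 10) return 'private';
  if (o[0] === 172 && o[1] >= 16 && o[1] <= 31) return 'private';
  if (o[0] === 192 && o[1] === 168) return 'private';
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  return 'public';
}

function parseCandidate(line) {
  const body = line.trim().replace(/^a=/, ''); // accept raw SDP attribute lines too
  if (!body.startsWith('candidate:')) return null;
  const f = body.slice('candidate:'.length).split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  const r = f.indexOf('raddr');
  return { address: f[4], type: f[7], related: r > 0 && f[r + 1] ? f[r + 1] : null };
}

// Returns every LAN-scoped address the candidate set would expose to a page.
function findLocalAddressLeaks(lines) {
  const leaks = new Set();
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    for (const addr of [c.address, c.related]) {
      if (addr && ['private', 'link-local'].includes(classifyAddress(addr))) leaks.add(addr);
    }
  }
  return [...leaks];
}

// Constructed sample input (not captured from a real session).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 10.0.8.13 54321 typ host generation 0',
  'a=candidate:2 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.20 rport 54321',
  'candidate:3 1 udp 2122260223 0f1e2d3c-aaaa-bbbb-cccc-123456789abc.local 54322 typ host',
  'candidate:4 1 udp 1686052607 203.0.113.7 61001 typ srflx raddr 0.0.0.0 rport 0',
];
console.log(findLocalAddressLeaks(SAMPLE_CANDIDATES));
```

An empty result for the candidates your own browser produces means page script is not being handed a LAN address through this channel.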

 Post subject: Re: Local IP discovery with HTML5 WebRTC: Security and priva
Posted: Thu Oct 31, 2013 1:42 pm
Easy Prey

Joined: Fri Oct 21, 2005 10:55 am
Posts: 203
I didn't get past the second line understanding wise. But I did make a tinfoil hat so I've got that going for me.

Honestly though I've just come to the conclusion that privacy is pretty much impossible on the internet. However, is there anything I can do beyond the obvious keeping Windows up to date, running No-script / avast as well as not downloading stupid shit that I can do to keep my computer more secure? Or at least just make myself just more secure than the average user? Or does that pretty much cover it?

_________________
Harmonic Rampage in XIV

Somebody make me a Sig

 Post subject: Re: Local IP discovery with HTML5 WebRTC: Security and priva
Posted: Thu Oct 31, 2013 6:46 pm
Decent Challenge

Joined: Mon Jun 07, 2004 10:02 pm
Posts: 416
Privacy is indeed essentially impossible on the internet.

That said, just keep doing what you are currently doing -- you are doing your part by not being the low hanging fruit and already more secure than the average computer user.

The downloading stupid shit is sometimes out of your control as CSRF and XSS can manipulate your system to download malware without your knowledge from just simply visiting a site (or having a compromised advertisement space load) -- which is where script blockers and ad blockers come into play.

There are definitely things you can do beyond what you mention to keep your computer more secure than the 'average' user, but it requires a bit more effort and probably a change in your day to day computer habits.

Your best defense, really, is being informed and aware enough to know when to take action when it is required (download update patches, be aware of new vectors of phishing/exploit attacks). Take the time to follow security news sites/blogs to keep up with the latest vulnerabilities and exploits. You don't need to know the nitty gritty technical details of a vulnerability and/or exploit -- it's more for getting an idea of how cyber criminals think and attack and how it may affect your day to day computer activities (and of course if immediate action is required on your end to protect yourself).

Some suggestions (a lot out there):

http://krebsonsecurity.com/
http://www.csoonline.com/attributes/index/41014/news/1
http://googleonlinesecurity.blogspot.ca/
http://www.securelist.com/en/weblog
http://nakedsecurity.sophos.com
