Local IP discovery with HTML5 WebRTC: Security and privacy risk?

With the progression of HTML5 WebRTC, browsers are getting ever closer to making pluginless video conferencing a reality. One feature of WebRTC is the ability to discover the local IP addresses of the browsing machine. Does that put us at an increased risk?

Recently I stumbled across Nathan Vander Wilt’s net.ipcalf.com. When opened from a relatively new version of Chrome or Firefox, your computer’s local IP addresses should present itself.

I’ve coded up another example, which attempts to use WebRTC to find your local IPs, and then probe for other live hosts on your network(s).

Others will likely cover the usefulness of these APIs, so I will — for the sake of argument — comment on the tinfoilhat-y perspective. Bear with me.

Privacy concerns

I know for a fact that some people use multiple browsers on the same PC, in order to separate identities or browsing profiles. These people might browse Reddit’s cute-cat-picture-subreddits with Firefox and the programming subreddits with Chrome. From the web server’s perspective, both browsers will likely have the same public IP address, but their headers, tracking cookies and whatnot will clearly differ.

local-network

With the WebRTC local IP discovery technique, those interested in tracking you, be that ad agencies or some spy organization, will be able to do make connections between browsers based on a combination of public and local IP. If they for whatever reason can tie an identity to one browser, they will probably assume that the same person is hiding behind the second one.

There’s also a risk that the local IP info can aid in identification between public IPs. Let’s say that you use some VPN service, or Tor, whenever you surf cute cat pictures, but you use the same browser. EFF’s Panopticlick tells the story of how each browser is pretty much unique, based on HTTP header fingerprinting and so forth. Add local IP addresses, or even subnets to circumvent DHCP lease times, and your browser / PC is even more unique. And by unique, I mean trackable.

Security concerns

Consider some evil page which, based on the local IP returned from the WebRTC technique, starts scanning devices on your LAN. Let’s say your IP is 10.0.8.13, then the evil javascript could start out by guessing that your router is at 10.0.8.1. Then let’s move on to assume that your router, which probably hasn’t had it’s firmware upgraded for a while, has some half-assed web interface, which is accessible from your LAN.

The chance of this router being remote exploitable — that is from your public IP — isn’t huge. It has happened, but it doesn’t happen that often. The chance of there still being some obscure XSS flaw hidden in there somewhere, however, is much greater. So what if this evil page, which has now identified that your router is on 10.0.8.1, and figured out which software it runs, then goes on to exploit one of the XSS vulnerabilities — and adds some evil person as remote admin?

Now this doesn’t have to be your router. It would be fairly trivial for a javascript to discover which hosts are up on your local network — I’ve had great luck doing timed HTTPS-request against non-HTTPS ports on IPs to do just that. With this information, the evil page can go on to test the discovered hosts for a plethora of vulnerabilities, based on simple fingerprinting. That could do all kinds of damage.

I just put this to the test on an office network I am part of, which happens to house an old Canon printer. I’m pretty sure it predates the pyramids — but at the very least the dawn of security bugs, because it will do pretty much exactly what a rogue javascript tells it to do.

So, yeah, your printer is now part of a botnet, and is routinely DDoS-ing powerplants in Iran. Congratulations.

But what does it all mean?

So there are privacy concerns, and the feature can at least make local exploitation easier for an attacker.

On the other hand, there are bigger privacy concerns around today (yes I’m talking to you, NSA), and from a security perspective not yielding the ip is arguably security through obscurity.

So I’ll let you lot make up your own minds. My tinfoil hat stays on.