Detection of JavaScript injection eavesdropping on WebRTC communications

Ahmed Osman; Raouf Abozariba; A. Taufiq Asyhari; Adel Aneiba; M. Ben Farah

doi:10.1109/WoWMoM54355.2022.00084

Detection of JavaScript injection eavesdropping on WebRTC communications

Ahmed Osman, Raouf Abozariba, A. Taufiq Asyhari, Adel Aneiba, M. Ben Farah

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research

1 Citation (Scopus)

Abstract

WebRTC is a Google-developed project that allows users to communicate directly. It is an open-source tool supported by all major browsers. Since it does not require additional installation steps and provides ultra-low latency streaming, smart city and social network applications such as WhatsApp, Facebook Messenger, and Snapchat use it as the underlying technology on the client-side both on desktop browsers and mobile apps. While the open-source tool is deemed to be secure and despite years of research and security testing, there are still vulnerabilities in the real-time communication application programming interface (API). We show in this paper how eavesdropping can be enabled by exploiting weaknesses and loopholes found in official WebRTC specifications. We demonstrate through real-world implementation how an eavesdropper can intercept WebRTC video calls by installing a malicious code onto the WebRTC webserver. Furthermore, we identify and discuss several, easy to perform, ways to detect wiretapping. Our evaluation shows that several indicators within webrtc-internals API traces can be used to detect anomalous activities, without the need for network monitoring tools.

Original language	English
Title of host publication	Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022
Editors	Eirini Eleni Tsiropoulou, Carla Fabiana Chiasserini
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	541-547
Number of pages	7
ISBN (Electronic)	9781665408769
ISBN (Print)	9781665408776
DOIs	https://doi.org/10.1109/WoWMoM54355.2022.00084
Publication status	Published - 2022
Externally published	Yes
Event	International Workshop on Smart Computing for Smart Cities 2023 - Belfast, United Kingdom Duration: 14 Jun 2022 → 14 Jun 2022 Conference number: 3rd https://sites.google.com/view/sc2-wowmom2022/home (Website) https://ieeexplore.ieee.org/xpl/conhome/9842746/proceeding (Proceedings)

Conference

Conference	International Workshop on Smart Computing for Smart Cities 2023
Abbreviated title	SC2 2022
Country/Territory	United Kingdom
City	Belfast
Period	14/06/22 → 14/06/22
Internet address	https://sites.google.com/view/sc2-wowmom2022/home (Website) https://ieeexplore.ieee.org/xpl/conhome/9842746/proceeding (Proceedings)

Keywords

SSH
WebRTC
XSS

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1109/WoWMoM54355.2022.00084

Cite this

Osman, A., Abozariba, R., Taufiq Asyhari, A., Aneiba, A., & Ben Farah, M. (2022). Detection of JavaScript injection eavesdropping on WebRTC communications. In E. E. Tsiropoulou, & C. F. Chiasserini (Eds.), Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022 (pp. 541-547). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/WoWMoM54355.2022.00084

Osman, Ahmed ; Abozariba, Raouf ; Taufiq Asyhari, A. et al. / Detection of JavaScript injection eavesdropping on WebRTC communications. Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022. editor / Eirini Eleni Tsiropoulou ; Carla Fabiana Chiasserini. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2022. pp. 541-547

@inproceedings{e7ba4af9fc634618a1a9ffb7f5ca3b96,

title = "Detection of JavaScript injection eavesdropping on WebRTC communications",

abstract = "WebRTC is a Google-developed project that allows users to communicate directly. It is an open-source tool supported by all major browsers. Since it does not require additional installation steps and provides ultra-low latency streaming, smart city and social network applications such as WhatsApp, Facebook Messenger, and Snapchat use it as the underlying technology on the client-side both on desktop browsers and mobile apps. While the open-source tool is deemed to be secure and despite years of research and security testing, there are still vulnerabilities in the real-time communication application programming interface (API). We show in this paper how eavesdropping can be enabled by exploiting weaknesses and loopholes found in official WebRTC specifications. We demonstrate through real-world implementation how an eavesdropper can intercept WebRTC video calls by installing a malicious code onto the WebRTC webserver. Furthermore, we identify and discuss several, easy to perform, ways to detect wiretapping. Our evaluation shows that several indicators within webrtc-internals API traces can be used to detect anomalous activities, without the need for network monitoring tools.",

keywords = "SSH, WebRTC, XSS",

author = "Ahmed Osman and Raouf Abozariba and {Taufiq Asyhari}, A. and Adel Aneiba and {Ben Farah}, M.",

note = "Publisher Copyright: {\textcopyright} 2022 IEEE.; International Workshop on Smart Computing for Smart Cities 2023, SC2 2022 ; Conference date: 14-06-2022 Through 14-06-2022",

year = "2022",

doi = "10.1109/WoWMoM54355.2022.00084",

language = "English",

isbn = "9781665408776",

pages = "541--547",

editor = "Tsiropoulou, {Eirini Eleni} and Chiasserini, {Carla Fabiana}",

booktitle = "Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

url = "https://sites.google.com/view/sc2-wowmom2022/home, https://ieeexplore.ieee.org/xpl/conhome/9842746/proceeding",

}

Osman, A, Abozariba, R, Taufiq Asyhari, A, Aneiba, A & Ben Farah, M 2022, Detection of JavaScript injection eavesdropping on WebRTC communications. in EE Tsiropoulou & CF Chiasserini (eds), Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022. IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 541-547, International Workshop on Smart Computing for Smart Cities 2023, Belfast, United Kingdom, 14/06/22. https://doi.org/10.1109/WoWMoM54355.2022.00084

Detection of JavaScript injection eavesdropping on WebRTC communications. / Osman, Ahmed; Abozariba, Raouf; Taufiq Asyhari, A. et al.
Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022. ed. / Eirini Eleni Tsiropoulou; Carla Fabiana Chiasserini. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2022. p. 541-547.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research

TY - GEN

T1 - Detection of JavaScript injection eavesdropping on WebRTC communications

AU - Osman, Ahmed

AU - Abozariba, Raouf

AU - Taufiq Asyhari, A.

AU - Aneiba, Adel

AU - Ben Farah, M.

N1 - Conference code: 3rd

PY - 2022

Y1 - 2022

N2 - WebRTC is a Google-developed project that allows users to communicate directly. It is an open-source tool supported by all major browsers. Since it does not require additional installation steps and provides ultra-low latency streaming, smart city and social network applications such as WhatsApp, Facebook Messenger, and Snapchat use it as the underlying technology on the client-side both on desktop browsers and mobile apps. While the open-source tool is deemed to be secure and despite years of research and security testing, there are still vulnerabilities in the real-time communication application programming interface (API). We show in this paper how eavesdropping can be enabled by exploiting weaknesses and loopholes found in official WebRTC specifications. We demonstrate through real-world implementation how an eavesdropper can intercept WebRTC video calls by installing a malicious code onto the WebRTC webserver. Furthermore, we identify and discuss several, easy to perform, ways to detect wiretapping. Our evaluation shows that several indicators within webrtc-internals API traces can be used to detect anomalous activities, without the need for network monitoring tools.

AB - WebRTC is a Google-developed project that allows users to communicate directly. It is an open-source tool supported by all major browsers. Since it does not require additional installation steps and provides ultra-low latency streaming, smart city and social network applications such as WhatsApp, Facebook Messenger, and Snapchat use it as the underlying technology on the client-side both on desktop browsers and mobile apps. While the open-source tool is deemed to be secure and despite years of research and security testing, there are still vulnerabilities in the real-time communication application programming interface (API). We show in this paper how eavesdropping can be enabled by exploiting weaknesses and loopholes found in official WebRTC specifications. We demonstrate through real-world implementation how an eavesdropper can intercept WebRTC video calls by installing a malicious code onto the WebRTC webserver. Furthermore, we identify and discuss several, easy to perform, ways to detect wiretapping. Our evaluation shows that several indicators within webrtc-internals API traces can be used to detect anomalous activities, without the need for network monitoring tools.

KW - SSH

KW - WebRTC

KW - XSS

UR - http://www.scopus.com/inward/record.url?scp=85137121965&partnerID=8YFLogxK

U2 - 10.1109/WoWMoM54355.2022.00084

DO - 10.1109/WoWMoM54355.2022.00084

M3 - Conference Paper

AN - SCOPUS:85137121965

SN - 9781665408776

SP - 541

EP - 547

BT - Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022

A2 - Tsiropoulou, Eirini Eleni

A2 - Chiasserini, Carla Fabiana

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - International Workshop on Smart Computing for Smart Cities 2023

Y2 - 14 June 2022 through 14 June 2022

ER -

Osman A, Abozariba R, Taufiq Asyhari A, Aneiba A, Ben Farah M. Detection of JavaScript injection eavesdropping on WebRTC communications. In Tsiropoulou EE, Chiasserini CF, editors, Proceedings - 2022 IEEE 23rd International Symposium on a World of Wireless, Mobile and Multimedia Networks, WoWMoM 2022. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2022. p. 541-547 doi: 10.1109/WoWMoM54355.2022.00084

Detection of JavaScript injection eavesdropping on WebRTC communications

Abstract

Conference

Keywords

UN SDGs

Access to Document

Other files and links

Cite this