
Exploitation in WebRTC: Coming to a Browser Near You in 2014

WebRTC is going to be exploited in bad ways this year. However, this will be a good thing because it will indicate that WebRTC is interesting enough for hackers.

Tsahi Levent-Levi

January 15, 2014



As I always say, WebRTC is a technology and not a service. As such, it can be used for good purposes, or for bad.

This is going to be the only prediction you see from me about the year ahead: WebRTC is going to be exploited in bad ways this year. However, this is going to be a good thing because it will indicate that WebRTC is interesting enough for hackers, which for me means more than how many millions/billions/trillions of dollars it adds or takes away from the UC market.

There are two reasons this caught my attention, and I'd like to share them with you here.

1. The data channel
I'll let you in on a secret: I have been looking at the data channel a lot lately, trying to understand what role it plays and what will become of it. For me, the data channel--not the ability to do video calls on the Web--is the game changer in WebRTC.

Computer programmer and security blogger Einar Otto Stangvik published a post on how the data channel can be used to find IP addresses on local networks. He provided a demo on his site, which was easily able to find all the devices on my home network: the set-top box, the PC, the smartphone, the router, the external storage and my beloved Raspberry Pi. All of that was possible from a simple HTML Web page, using a WebRTC technology that promises the best security model and the ability to boost privacy in our lives via the data channel.
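To see what a page can learn this way, a defender can inspect the ICE candidate lines a browser emits while setting up a peer connection. The following is an added example, not code from Stangvik's post or this article: it classifies each candidate by whether it exposes a private address. The function names and sample lines are constructed for illustration; the `.local` case reflects the mDNS hostname obfuscation that later browsers adopted, which the article does not cover.

```javascript
// Added example: classify what each ICE candidate line discloses.
// SAMPLE_CANDIDATES are constructed, not captured from a real session.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 10.0.0.7 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.9 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 2122260223 3f1c2a9e-7b4d-4c1e-9a55-0d2e6f8b1c77.local 54323 typ host",
  "a=candidate:5 1 tcp 1518280447 fd12:3456:789a::1 9 typ host tcptype active",
];

// RFC 1918 ranges plus IPv4 link-local (169.254.0.0/16).
function isPrivateIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// fc00::/7 (unique local) and fe80::/10 (link-local).
function isLocalIPv6(addr) {
  return /^f[cd][0-9a-f]{2}:/i.test(addr) || /^fe[89ab][0-9a-f]:/i.test(addr);
}

// Candidate grammar: foundation component transport priority address port
// "typ" type [raddr <addr> rport <port>] ...
function classifyCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const address = f[4], type = f[7];
  const raddrIdx = f.indexOf("raddr");
  const related = raddrIdx > 0 && f[raddrIdx + 1] ? f[raddrIdx + 1] : null;
  // A server-reflexive candidate can still leak the local address via raddr.
  const leaks = [address, related].filter(
    (a) => a && (isPrivateIPv4(a) || isLocalIPv6(a)));
  let exposure = "public-only";
  if (leaks.length > 0) exposure = "private-address";
  else if (address.endsWith(".local")) exposure = "mdns-obfuscated";
  return { type, address, related, exposure, leaks };
}

// Returns one record per well-formed candidate line; malformed lines are dropped.
function auditCandidates(lines) {
  return lines.map(classifyCandidate).filter(Boolean);
}
```

Feeding it the `candidate` strings from a page's own `onicecandidate` events shows whether a given browser build still hands local addresses to script.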

2. Because it is a new toy in the toolbox
Steven Sinofsky, former President of the Windows Division at Microsoft, wrote on his blog about the exploitation of APIs. To summarize his post, if there's an API, it will be used in ways you don't intend.

Best example in his post?

The original design for Outlook had a wonderful API that enabled one to create an add-in that would automate routine tasks in Outlook. [...] These became a huge part of the value of the platform and an important part of the utility of the PC in the workplace at the time.

Then one day in 1999 we all (literally) received email from our friend Melissa. This was a virus that spread by using these same APIs for an obviously terrible usage. What this code did was nothing different than all those add-ins did, but it did it at Internet scale to everyone in an unsuspecting way.


Read Steven's post--it is worth your time. And then think of WebRTC. WebRTC is an API, and as such, it is going to be exploited.

In some ways, it already has been. One of my first interviews about WebRTC was with Serge Lachapelle, the Product Manager in charge of WebRTC at Google. Here's what he had to say about the uses they saw on the market of WebRTC:

All the games, augmented reality and the gesture tracking have really surprised the whole team.

Why in 2014?
We already have a potential of more than a billion browsers out there with WebRTC capabilities. There are more than 300 vendors who use WebRTC in different stages--some of them making money from it already (not billions, but interesting numbers nonetheless).

There are also a lot of bored developers looking at this technology--some of them hackers at heart. Don't believe me? Just look at the code coming from one of the founders of PeerCDN... Expect more of his kind tinkering with this technology on a daily basis.

This gives you the best recipe for exploits--I wonder what the future has in store for us here.

***

While we're on the topic of technology and exploits, you might want to read Ramez Naam's great SciFi book--Nexus. It will make you think about technologies and their uses differently.

About the Author

Tsahi Levent-Levi

Tsahi Levent-Levi is an independent analyst and consultant for WebRTC.

Tsahi has over 15 years of experience in the telecommunications, VoIP, and 3G industry as an engineer, manager, marketer, and CTO. Tsahi is an entrepreneur, independent analyst, and consultant, assisting companies to form a bridge between technologies and business strategy in the domain of telecommunications.

Tsahi has a master's in computer science and an MBA specializing in entrepreneurship and strategy. Tsahi has been granted three patents related to 3G-324M and VoIP. He acted as the chairman of various activity groups within the IMTC, an organization focusing on interoperability of multimedia communications.

What Tsahi can do for you:

  • Show you how to take your company to the forefront of technology

  • Connect you to virtually anyone in the industry

  • Give you relevant, out-of-the-box advice

  • Give you the assurance and validity you are looking for

Tsahi is the author and editor of bloggeek.me, which focuses on the ecosystem and business opportunities around WebRTC.
