Stealthy Peers: Understanding Security Risks of WebRTC-Based Peer-Assisted Video Streaming

TL;DR

This paper investigates the security and privacy risks of WebRTC-based peer-assisted video streaming services, revealing new vulnerabilities and providing insights into their implications for content delivery.

Contribution

It introduces methodologies to discover PDN services and analyze their security risks, uncovering previously unreported vulnerabilities in real-world deployments.

Findings

Discovered 3 major PDN providers and their 172 customer websites/apps.

Identified security risks including free riding, video pollution, IP exposure, resource squatting.

Provided mitigation discussions with PDN providers.

Abstract

As an emerging service for in-browser content delivery, peer-assisted delivery network (PDN) is reported to offload up to 95\% of bandwidth consumption for video streaming, significantly reducing the cost incurred by traditional CDN services. With such benefits, PDN services significantly impact today's video streaming and content delivery model. However, their security implications have never been investigated. In this paper, we report the first effort to address this issue, which is made possible by a suite of methodologies, e.g., an automatic pipeline to discover PDN services and their customers, and a PDN analysis framework to test the potential security and privacy risks of these services. Our study has led to the discovery of 3 representative PDN providers, along with 134 websites and 38 mobile apps as their customers. Most of these PDN customers are prominent video streaming services with millions of monthly visits or app downloads (from Google Play). Also found in our study are another 9 top video/live streaming websites with each equipped with a proprietary PDN solution. Most importantly, our analysis on these PDN services has brought to light a series of security risks, which have never been reported before, including free riding of the public PDN services, video segment pollution, exposure of video viewers' IPs to other peers, and resource squatting. All such risks have been studied through controlled experiments and measurements, under the guidance of our institution's IRB. We have responsibly disclosed these security risks to relevant PDN providers, who have acknowledged our findings, and also discussed the avenues to mitigate these risks.