Security researchers reveal ways that willy-waving Chatroulette users might be leaving themselves open to much more than accusations of just being dirty perverts as privacy attack scenarios are explored.
If you have ever been tempted, like so many male Chatroulette users, to show complete strangers the contents of your trousers, new security research might persuade you not to join in this offensive nonsense. Video chat services such as Chatroulette enable random strangers to get virtually connected, but the lure of perceived anonymity and a somewhat ironic assumption of privacy have meant that it has attracted an unsavoury crowd of what a few years ago we would have called flashers or, perhaps more correctly, perverts.
I have tried using Chatroulette myself, and every single time have been greeted with the sight of some bloke playing with his erect penis within seconds or minutes at the longest. Word of this kind of behaviour quickly spreads and, when coupled with an apparent inability of the site operators to prevent it, attracts more willy-waving perverts until things inevitably reach the point where people use the service just to look at these members, if you'll excuse the pun.
Indeed, according to one analysis of Chatroulette traffic, 1 in 8 sessions resulted in something R-rated or worse, and 89% of users were male - you are more likely to connect to nobody at all than a single female, apparently. Chatroulette itself has tried to combat this misuse by prohibiting 'pornographic behavior' and implementing a temporary user ban if three users complain about immoral or pornographic activity within a five-minute period.
A group of computer security researchers based at the University of Colorado, Boulder, USA and McGill University, Montreal, Canada have been exploring the security and privacy implications of using online video chat services. The report 'Intrusions into Privacy in Video Chat Environments: Attacks and Countermeasures' reveals that membership of Chatroulette has grown by some 500% since 2009 and has started to address privacy issues. However, it also looks at the privacy problems faced by this generic class of video chat service, identifies "three specific classes of attack on such systems" and proposes countermeasures to address the threats.
The first and most direct attack against a video chat environment is labelled the Enhanced De-anonymization Attack, which seeks to identify users' geographical location. The researchers state that Chatroulette uses the Adobe Stratus platform in order to reduce bandwidth costs associated with video services. Chatroulette "handles the behind the scenes handshakes involved in making two clients connect, but the actual connection is a direct, peer-to-peer link between the two users." The researchers show how an attacker could easily get the source IP address from a packet header during the exchange of data between peers, and then use geo-IP mapping services to home in on an approximate user location.
Secondly, there's the phishing approach, during which an attacker takes the guise of someone likely to be found attractive in a video-chat scenario in order to solicit sensitive data. You might call this the virtual Mata Hari attack, or perhaps the Anna Chapman attack these days, I guess. The researchers suggest that instead of using email, as per a traditional phishing attack, it is possible to use a pre-prepared video to "lure unsuspecting individuals into a conversation" where details of social network accounts and other personal data could be extracted.
Finally, the report looks at a Man-in-the-Middle (MIM) attack scenario where a supposedly 'private' video interaction directly between two participants could be subject to eavesdropping. By combining this with the de-anonymization tactic it is possible, according to the researchers, to determine the identities of the people involved, who could then be blackmailed using video capture footage, especially if they have been engaged in the kind of typical mutual masturbation exercise so popular amongst users of these services.
Worryingly for the more dubious of Chatroulette users, the researchers warn that they have only "just begun to scratch the surface of interesting attacks" on video chat services and that "current security and privacy issues of these systems have been neglected."
Chatroulette founder Andrey Ternovskiy told Robert McMillan that the research was no big deal, saying "I think that it would be exaggeration of some sort to look at it too seriously."