It is not possible to identify if a device listed in MediaDevices.enumerateDevices() is virtual #896
Comments
@franEID It is physically impossible to determine whether the audio/video capture is attached to the device, or is generated somewhere else. Can you elaborate on your requirement?
@bradisbell Hi! We use a video (plus audio sometimes) stream for user identification, similar to faceID. When identified, the user is able to operate in different services as an authenticated user.
@franEID This is not possible. The system has no way of knowing what a "real" device is for your use case. At best, you can use heuristics. (For instance, if you see the exact same movement in the video and other frames match past auth attempts, it's likely the video is replayed.)
It is possible to ensure continuity of existence of a device using the deviceId. So if you have trusted a device once, you can figure out whether you still have the same device. But in general, I don't think the OS offers this functionality, so it's not possible to add it in the browser.
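The deviceId continuity check described in the comment above, as an added JavaScript example that is not part of the original thread or the specification: it confirms that a previously trusted camera is still the one delivering video, using the standard `enumerateDevices()` and `getUserMedia()` calls. `checkDeviceContinuity`, `trustedDeviceId` and the status strings are hypothetical names; as the thread notes, a match shows continuity only, not that the device is physical.

```javascript
// Added example: deviceId continuity check. `trustedDeviceId` is a value the
// application stored after an earlier, trusted session (assumption).
// `mediaDevices` defaults to the browser's navigator.mediaDevices and is a
// parameter only so the function can be exercised with a stand-in object.
async function checkDeviceContinuity(
  trustedDeviceId,
  mediaDevices = globalThis.navigator && globalThis.navigator.mediaDevices
) {
  if (!mediaDevices) return { status: 'unsupported' };

  // Step 1: is a video input with the stored id still listed?
  const devices = await mediaDevices.enumerateDevices();
  const listed = devices.some(
    (d) => d.kind === 'videoinput' && d.deviceId === trustedDeviceId
  );
  if (!listed) return { status: 'missing' };

  // Step 2: request exactly that device. With `exact`, the browser rejects
  // with OverconstrainedError instead of falling back to another camera.
  let stream;
  try {
    stream = await mediaDevices.getUserMedia({
      video: { deviceId: { exact: trustedDeviceId } },
    });
  } catch (err) {
    if (err && err.name === 'OverconstrainedError') return { status: 'missing' };
    return { status: 'error', reason: err && err.name }; // e.g. NotAllowedError
  }

  // Step 3: confirm the delivered track reports the same id.
  const [track] = stream.getVideoTracks();
  const actualId = track ? track.getSettings().deviceId : undefined;
  const same = actualId === trustedDeviceId;
  if (!same) stream.getTracks().forEach((t) => t.stop());
  return same
    ? { status: 'same-device', stream }
    : { status: 'mismatch', actualId };
}
```

deviceId values are scoped to the origin and reset when the user clears site data, and browsers may return empty ids from `enumerateDevices()` before camera permission is granted, so a `missing` result is not by itself evidence of tampering.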
I find this issue interesting because we have the same problem due to new legal requirements. I think that @bradisbell's solution solves part of the problem for video injection, but there is another problematic case: video virtualization. If the user uses a program like OBS Studio, which allows not only video injection but also video virtualization (for example, replacing your face with the face of another person), it is impossible to detect this in software right now (deepfake detection research is a complicated problem). As far as I have researched, the current state of the art for video security on physical devices (Android and iOS only) is related to app security measures like root/jailbreak detection, Frida detection, or a blacklist of applications that can't be used in the background at the same time as your app. The problem here is that the browser is an external application where our web application is hosted, and we don't have the capacity to add these security controls. Maybe a good idea could be to add more information to the browser about hardware devices, like the real camera dimensions allowed, FPS, ..., because device hardware info is so limited, and maybe we can play with the info provided to detect some anomalies. On the other hand, it could be interesting if the browser could tell the web application whether programs like OBS Studio are in use, or maybe detect some possible frauds, so we can evaluate whether to allow the user to continue or not. For example, if OBS creates a virtual device, it only creates a fake device with one available resolution, but a real device has multiple resolutions. The problem here is that browser behaviors aren't the same, and if OBS creates a fake device with a resolution of 640x480, we can only check this by iterating over resolutions, which is hard to use. Also, some browsers, like Chrome, open the camera even if the resolution is not allowed, because they open the closest resolution. I don't know whether this is possible or not; these are some ideas to approach this problem.
It still is not possible. Suppose I have a perfectly normal webcam attached at one moment, and then for the next session I replace it with a modified camera or something emulating a webcam. Not all USB devices have unique IDs in their descriptor, so as long as these devices are attached to the same port, it is impossible to distinguish the fake device from the real device. Perhaps another scenario... take a smartphone, unplug its camera from the board, and plug something else in, emulating the video data. Impossible legal requirements for an application should not have any bearing on the general specifications for API standards.
It seems that this requirement is not possible to address in a Web API specification. Closing.
For legal requirements in some streaming services it is mandatory that the video and audio captured come from real physical devices on the user device so video and audio injection must be blocked.
The https://developer.mozilla.org/en-US/docs/Web/API/MediaDeviceInfo does not identify virtual devices.
Is it possible to add the functionality to identify virtual devices?
thanks