It is not possible to identify if a device listed in MediaDevices.enumerateDevices() is virtual #896

Closed
franEID opened this issue Aug 2, 2022 · 7 comments


franEID commented Aug 2, 2022

For legal requirements in some streaming services it is mandatory that the video and audio captured come from real physical devices on the user device so video and audio injection must be blocked.
The https://developer.mozilla.org/en-US/docs/Web/API/MediaDeviceInfo does not identify virtual devices.

Is it possible to add the functionality to identify virtual devices?

thanks

@franEID franEID changed the title Is is not possible to identify if a device listed in MediaDevices.enumerateDevices() is virtual It is not possible to identify if a device listed in MediaDevices.enumerateDevices() is virtual Aug 2, 2022
@bradisbell

@franEID It is physically impossible to determine whether the audio/video capture is attached to the device, or is generated somewhere else. Can you elaborate on your requirement?

@franEID
Author

franEID commented Aug 3, 2022

@bradisbell Hi! We use video (plus audio sometimes) stream for user identification, similar to faceID. When identified, the user is able to operate in different services as an authenticated user.
Our requirement is, if possible, detect if the device used by the user for authentication is physical or virtual (like ODB virtual camera) to abort the process in case of virtual. thanks

@bradisbell

@franEID This is not possible. The system has no way of knowing what a "real" device is for your use case.

At best, you can use heuristics. (For instance, if you see the exact same movement in the video and other frames match past auth attempts, it's likely the video is replayed.)

@alvestrand
Contributor

It is possible to ensure continuity of existence of a device using the deviceId. So if you have trusted a device once, you can figure out whether you still have the same device.

But in general, I don't think the OS offers this functionality, so it's not possible to add it in the browser.

@Suaro

Suaro commented Aug 8, 2022

Hi @bradisbell @franEID

I find this issue interesting because we have the same problem due to new legal requirements.

I think that @bradisbell's solution solves a part of the problem for video injection, but there is another problematic case for video virtualization. In the case that a user uses a program like OBS Studio, which allows not only video injection but also video virtualization (for example, replacing your face with the face of another person), it is impossible to detect this by software right now (deepfake detection research is a complicated problem).

As I researched, the current state of the art in securing video on physical devices (Android and iOS only) is related to app hardening such as root/jailbreak detection, Frida detection or a blacklist of applications that can't be used in the background at the same moment as your app.

The problem here is that the navigator is an external application where our web application is hosted, and we don't have the capacity to add these security controls. Maybe a good idea could be to add more information to the navigator related to hardware devices, like real camera dimensions allowed, FPS, ..., because device hardware info is so limited and maybe we can play with the info provided to detect some anomalies.

On the other hand, it could be interesting if the navigator could tell the web application whether programs like OBS Studio are used, or maybe detect some possible frauds, to evaluate whether we can allow the user to continue or not.

For example, if OBS creates a virtual device, it only creates a fake device with one available resolution, but a real device has multiple resolutions. The problem here is that navigator behaviors aren't the same, and if OBS creates a fake device with a resolution of 640x480, we can only check this by iterating over resolutions, which is hard to use. Also, some navigators, like Chrome, open the camera even if the resolution is not allowed, because they open the closest resolution.

I don't know if it is possible or not; these are some ideas to approach this problem.
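
The two signals discussed so far in this thread (deviceId continuity and the single-resolution pattern), sketched as an added example that is not code from any participant or from the specification. The function names and sample data are hypothetical, and the output is a set of heuristic signals for a risk engine, not proof that a camera is physical.

```javascript
// Added example: heuristic signals only.
// In a browser, `devices` comes from navigator.mediaDevices.enumerateDevices()
// and `caps` from stream.getVideoTracks()[0].getCapabilities().

// True when the capabilities expose exactly one width and one height,
// i.e. the single-resolution pattern described in the comment above.
function hasSingleResolution(caps) {
  const fixed = (r) => r !== undefined && r.min === r.max;
  return fixed(caps.width) && fixed(caps.height);
}

// Continuity check: is a previously trusted deviceId still present?
// Returns "unknown" when ids are not exposed (empty strings), so the
// caller does not mistake a missing permission for a swapped device.
function deviceContinuity(devices, trustedId) {
  const cams = devices.filter((d) => d.kind === "videoinput");
  if (cams.length === 0 || cams.every((d) => d.deviceId === "")) {
    return "unknown";
  }
  return cams.some((d) => d.deviceId === trustedId) ? "same" : "changed";
}

// Combine both checks into a list of signals to be weighed server-side.
function cameraSignals(devices, caps, trustedId) {
  const signals = [];
  if (hasSingleResolution(caps)) signals.push("single-resolution");
  const continuity = deviceContinuity(devices, trustedId);
  if (continuity !== "same") signals.push("device-" + continuity);
  return signals;
}

// Constructed sample data (not captured from real devices).
const sampleDevices = [
  { kind: "audioinput", deviceId: "a1", label: "Mic" },
  { kind: "videoinput", deviceId: "c7", label: "Camera" },
];
const multiRes = { width: { min: 1, max: 1920 }, height: { min: 1, max: 1080 } };
const oneRes = { width: { min: 640, max: 640 }, height: { min: 480, max: 480 } };

console.log(cameraSignals(sampleDevices, multiRes, "c7"));
console.log(cameraSignals(sampleDevices, oneRes, "zz"));
```

A deviceId is scoped to the origin and is reset when the user clears site data, so a "changed" result also occurs for legitimate users.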

@bradisbell

> It is possible to ensure continuity of existence of a device using the deviceId. So if you have trusted a device once, you can figure out whether you still have the same device.

It still is not possible. Suppose I have a perfectly normal webcam attached at one moment, and then for the next session I replace it with a modified camera or something emulating a webcam. Not all USB devices have unique IDs in their descriptor, so as long as these devices are attached to the same port, it is impossible to distinguish the fake device from the real device.

Perhaps another scenario... take a smartphone, unplug its camera from the board, and plug something else in, emulating the video data.

Impossible legal requirements for an application should not have any bearing on the general specifications for API standards.

@alvestrand
Contributor

It seems that this requirement is not possible to address in a Web API specification.

Closing.
