A Quick Look into Clubhouse’s Network Traffic

The audio-only social networking app "Clubhouse" is rapidly gaining popularity among users. This report illustrates the network traffic research conducted at Keysight ATI Research Center and the traffic simulation offering on the Breaking Point system.

What is Clubhouse?

Clubhouse is an emerging voice-based social media platform which lets users join "rooms" that are basically group audio chats. The users can interact with friends or strangers in a room. In the time of writing this blog clubhouse has more than 9 million active users with some big names from across the globe. The app is still in beta and just started support Android in addition to iOS. New users can join Clubhouse only through invitation from existing users.

Is the security tight enough?

With increasing number of application users increases questions to protect their data. There have been a plenty of reports where serious security flaws have been reported by security research community. From collecting privacy information to transferring them through network equipment’s, there are many opportunities to research in order to protect user’s privacy and data.

Network Traffic Analysis

ATI researchers at Keysight have developed advanced mobile application research tools to analyze the latest emerging mobile applications, provide intelligence and simulation to Keysight customers. The ATI team have analyzed the Clubhouse network traffic; the traffic was mostly encrypted although we have seen some information which can be useful for researchers.

All the TCP traffic is encrypted with TLS1.2 or TLS1.3. We have observed the hostnames involved with the traffic and some of the servers seems to be AWS S3 buckets indicating that some data is stored in third party servers. We have also seen hostnames with "pubnubapi.com" which indicates the in-app chat or some portion of the features of the chat is implemented using third party services like "pubnubapi".

The UDP traffic starts flowing only after the user connects to a voice chat. The hostname of each UDP stream were visible in the first packet of each stream.

clubhouse UDP stream carrying SNI

Interestingly, the IP of that server is embedded in the TLS Server Name Indicator (SNI) and the pattern was also observed in the first packets of all the UDP streams. The SNI observed is plaintext and not encoded.

The UDP streams are using destination port 8443 and 8130, which according to Agora documents are used by Agora Real Time Messaging (RTM) SDK. We can conclude that the voice chat in clubhouse is powered by Agora RTM SDK and the voice data goes to Agora servers.

Keysight Breakingpoint has Clubhouse Simulation.

Released in ATI-2021-10 StrikePack, the Clubhouse Application traffic is customizable, from changing the SNI value to changing the voice traffic volume maintaining the observed packet stream patterns in BreakingPoint System simulation. The users can mix it with other traffic in order to create a real world like traffic.

Clubhouse’s popularity has been rapidly growing in the last year despite their invite-only policy. Competitors such as Twitter have taken notice of this and are now releasing startingly similar features in their existing platforms such as Twitter Space. Please stay tuned to ATI’s StrikePacks for future related releases.

For more details about Keysight Breakingpoint, visit BreakingPoint.