VoIP and WebRTC
Security Articles and News

New White Paper: DTLS “ClientHello” Race Conditions in WebRTC Implementations

Our white paper on DTLS ClientHello race conditions in WebRTC reveals vulnerabilities in RTPEngine, Asterisk, FreeSWITCH, and Skype. We tested platforms including Janus, Discord, Google Meet, and Zoom, and provide mitigation strategies for secure real-time communication.…

TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends with Sandro Gauci

This week, I had the pleasure of joining Alan Quayle on the TADSummit Innovators Podcast to review the last six months of VoIP and WebRTC security news. We delved into some of the most intriguing trends emerging in the RTC security space.

We covered the following RTC security trends for 2024 so far:

1. Increasing focus on WebRTC vulnerabilities and security
2. Growing concern over VoIP and conferencing platform security
3. Emerging threats from AI and machine learning in audio manipulation
4. Growing importance of resilience in communication systems
5. SMS/Voice 2FA is hugely problematic

Here are the top 10 insights that emerged from our discussion:

A Novel DoS Vulnerability affecting WebRTC Media Servers

Executive summary (TL;DR)

A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.

OpenSIPS Security Audit Report is fully disclosed and out there

It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report.

The OpenSIPS security audit report can be found here.

What is the OpenSIPS security audit?

OpenSIPS is a SIP server that often has a critical security function within an IP communications system. Thus, it makes absolute sense to perform a thorough security audit for such software. We had been dealing with OpenSIPS servers from time to time in our work so we were rather familiar with the software and the project itself. Then back in January 2021, the lead developer for OpenSIPS, Bogdan-Andrei Iancu, asked us if we would be interested in doing some proper security work. Naturally, our answer was yes please!

SIPVicious PRO incremental update - and Gitlab CI/CD examples

We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update:

• Documentation now includes realistic Gitlab CI/CD examples
• The RTP fuzzer in the experimental version now supports SRTP
• Support for new SIP DoS flood request methods
• The RTP inject tool can now specify the RTP’s SSRC and payload ID
• The SIP password cracking tool now supports closing the connection upon each attempt
• The SIP ping utility supports INVITE

For the boring details, including a list of bug fixes, do read the release notes for v6.0.0-experimental.6 and v6.0.0-beta.6.

Kamailio’s exec module considered harmful

Executive summary (TL;DR)

• The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection.
• By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration.
• We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions.
• Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.
• Kamailio configurations should use a strict allow list or avoid the module altogether.

Introduction to Kamailio’s exec module and its capabilities

The Kamailio SIP server ships with a module for executing external commands from within a Kamailio configuration. The topic of this article is how the exec module may be misused to lead to remote code execution vulnerabilities. The default Kamailio configuration, which is used as a starting point for many live installations, does not make use of this module. On the other hand, we have seen this module being used in various production environments and have, in the past, found some of these installations to be vulnerable.

How to perform a DDoS attack simulation

TL;DR

A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow the best practices, apply solutions and mitigation; and you can finally answer: what if we got attacked?

Introduction

In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises. We focus on attacking real-time communications systems because this is an area where DoS attacks can really cause damage. But the instructions and ideas outlined in this text will apply to any system in general that you might need to test. Even if in this article we do not really focus on the defensive side of protecting against DoS, ultimately the goal is to design and implement solutions that actually work for the systems and applications that need to be protected.

RTCSec newsletter is one year old!

Roughly a year ago, we sent out the first RTCSec newsletter and have been doing so every month. Each time, we have covered more and more of our favourite topics, VoIP and WebRTC security. And now, it has become our primary way of keep up to date with what is happening, and our most regular publication too.

If you are not yet subscribed, do so at https://www.enablesecurity.com/subscribe/. The next one is out in a few days!

SIPVicious PRO experimental now supports STIR/SHAKEN and 5 new tools

At the time of writing, we maintained two SIPVicious PRO builds for internal use: a stable build and an experimental build. The v6.0.0-beta.5 stable build includes a large number of fixes, much better (or sane) defaults and full coverage of SRTP throughout the toolset.

The experimental version is where the excitement is. Our members now have access to 5 new tools that we find useful in our work:

• RTP fuzzer
• SIP STIR/SHAKEN fuzzer
• SIP Iterator utility
• TCP flood tool
• SIP server for fuzzing

Each new tool warrants a blog post of its own. But that’s not all, because some of the existent tools have now been blessed with STIR/SHAKEN capabilities and also the ability to use multiple source IP addresses for the SIP flood DoS tool.

We’re hiring a pentester / security researcher

Do you know anyone who would like to join the team at Enable Security as a pentester / security researcher?

We have a remote open position for the right person. We are mainly looking for someone full-time but persons interested in joining us part-time should also apply. More details can be found at the actual hiring page.