
VoIP and WebRTC Security Articles and News

Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.


How doing QA testing for SIPVicious PRO led to an Asterisk DoS

Executive summary (TL;DR)

While heavily testing SIPVicious PRO for bugs, we encountered an unexpected crash in Asterisk. We reported this to the Asterisk team, who issued a fix. (Update February 4, 2026: SIPVicious PRO is an internal tool and is not sold or licensed.)

How the Asterisk crash was found

We test our software as much as we can because, like any other software, ours contains bugs too! When it comes to SIPVicious PRO, one of our quality assurance tests is to run it against instances of Asterisk and Kamailio and check for expected results. Our test suite loads these servers in a docker environment and automatically runs SIPVicious PRO against these targets. During these tests, we look for crashes, race conditions and other unchecked states that we might have failed to address in our own code. We do this through various methods, one of which is to observe exit codes in SIPVicious PRO that indicate the result of the test.

Read more about How doing QA testing for SIPVicious PRO led to an Asterisk DoS

ClueCon Weekly with Sandro Gauci, demonstration of SIP Digest Leak

Published on Oct 16, 2020

ClueCon Weekly is a regular video by the people behind FreeSWITCH and SignalWire, hosted by the very friendly David Duffet. I had the pleasure of recording an interview and a presentation with David a few weeks back. If you would like a summary of what the video chat was about, scroll down to the points below. Otherwise, hope you enjoy the chat as much as I did!

Summary

Here’s an outline of what went on:

Read more about ClueCon Weekly with Sandro Gauci, demonstration of SIP Digest Leak

RTC Security chat at Kamailio World Online with Daniel and Olle

It’s been a month already since the Kamailio World RTC security chat! The conversation included Daniel-Constantin Mierla and Olle E. Johansson from the Kamailio project and myself. Daniel is the lead developer of Kamailio and can be found at ASIPTO, while Olle is behind Edvina.net.

If you don’t have time to watch the entire conversation, the following is my summary of this discussion:

Read more about RTC Security chat at Kamailio World Online with Daniel and Olle

The great Kamailio security debate and some misconceptions debunked

Published on Sep 22, 2020

Introduction

The Kamailio community has always been very welcoming to us since our first connection in 2015 where I gave a dangerous demo showing the open-source version of SIPVicious scanning the Internet and discovering all sorts of SIP devices. Since then, we’ve been contributing through presentations at Kamailio World each year, highlighting various security concerns for the RTC community and the occasional security report and advisory urging people to upgrade their Kamailio. One thing that I personally appreciate is the positive reception of security reports and the security fixes that are made very quickly available in the public git repository.

Read more about The great Kamailio security debate and some misconceptions debunked

Smuggling SIP headers past Session Border Controllers FTW!

Published on Sep 1, 2020

Executive summary (TL;DR)

SIP header smuggling is a thing; in some cases it may be super-bad. It affected Kamailio and we have published a GitHub project to easily demonstrate and test this for yourself. Kamailio has since fixed the issue in release 5.4.0 but similar issues are likely to affect other SBCs.

Usage of special SIP headers

When it comes to trusted SIP networks, one of the primary ways that information is passed across different hops is through SIP headers. Some of these headers are quite standard, such as the P-Asserted-Identity header, while many are custom and specific to the requirements of the business logic and infrastructure. During our work, we have seen headers being passed to identify authenticated customers, to store information such as the source IP for a particular SIP message (which could be used for authentication purposes), to pass the name of the SIP trunk originating a call and of course, for billing purposes.

Read more about Smuggling SIP headers past Session Border Controllers FTW!

Kamailio World Online SIP and VoIP Security Panel

On 2nd September, 14:00-14:30 Berlin time, the author of this post is joining Olle E. Johansson to chat at Kamailio World online about (guess what?) SIP and VoIP security, and recommendations on how working from home impacts security. I very much look forward to our discussions that will be streamed live on the Kamailio World YouTube channel!

My arguments will likely be turned into an opinion piece later on, but they’ll likely steer towards the following thoughts:

Read more about Kamailio World Online SIP and VoIP Security Panel

Bug bounty bout report 0x01 - WebRTC edition

Published on Jun 16, 2020

Read the full report here.

In April 2020, in between SIPVicious PRO development and VoIP Pentesting and WebRTC, we dedicated some days to bug bounties and vulnerability disclosure programs to see what comes out of it. Our focus was on those that have WebRTC infrastructure in scope. In the end, we reported 3 vulnerabilities to 4 different vendors, for 6 different products. So finally, after making sure that the affected vendors have addressed these security issues and have agreed with publication, we are putting out a compiled report!

Read more about Bug bounty bout report 0x01 - WebRTC edition

Attacking a real VoIP System with SIPVicious OSS

Published on Jun 8, 2020

Recently, we put out a target server on the Internet at demo.sipvicious.pro which hosts a Kamailio Server handling SIP over UDP, TCP, TLS as well as WebSockets. Behind that, the observant reader will soon discover that an Asterisk server handles the voicemail and echo services. This is actually a fully functioning (real) VoIP system that’s ready to be attacked. Therefore, in combination, these software packages allow us to reproduce a number of common security vulnerabilities affecting VoIP and WebRTC systems.

Read more about Attacking a real VoIP System with SIPVicious OSS

SIPVicious PRO v6.0.0 alpha.5 available to our clients

Published on Jun 3, 2020

With great pleasure, we announce the availability of the v6.0.0-alpha.5 version of SIPVicious PRO. This is a major update since most of the promised feature set of the existing modules is now available. While you are encouraged to read the release notes, the main highlights are the following:

  • Target demo server (demo.sipvicious.pro) now implemented, used throughout the documentation for attack examples and training purposes
  • An extensive getting started page is now available, with instructions on how to use most of the modules
  • Exit codes! Yes, for automation, say, in your CI pipelines
  • All flags that were previously marked as TODO are now fully functional (with the exception of DTLS SRTP)
  • SDES SRTP supported throughout all modules
  • DTMF tone generation, because in RTP inject attacks, this is particularly useful
  • Lots of bug fixes and refactoring thanks to more consistent internal testing and the perseverance of our dear developers and internal testers

If you already had access to SVPRO at the time, you should have received an email from us with further details. Today, SIPVicious PRO is not commercially available.

Read more about SIPVicious PRO v6.0.0 alpha.5 available to our clients

A gentle introduction to caller ID spoofing

Published on May 7, 2020

Introduction

Phone and real-time communications systems in general make use of caller ID to indicate who is calling when a phone is ringing. Caller ID is that little number that shows up on your phone telling you that it is your boss calling. The number is often matched against your phone book to show an actual name. This feature is not only available on PSTN (public switched telephone network) but also in the VoIP systems that have been replacing it in the past dozen or so years. And it is ripe for abuse!

Read more about A gentle introduction to caller ID spoofing