Welcome to the July edition of your favorite VoIP and WebRTC security newsletter. While many are slowing down this time of year, we are ramping up our efforts.
In this edition, we cover:
- Much news from us, including a podcast, pentesting and OWASP ASVS
- WebRTC project vulnerabilities that were previously hidden
- Hardware phone security research and exploitation
- Low-latency VoIP Security Analytics and Anonymization challenges and Twilio troubles
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
OWASP ASVS: Adding WebRTC Security Requirements
We’re excited to share our recent involvement in a significant initiative to add WebRTC security requirements to the OWASP ASVS. For those unfamiliar, the OWASP Application Security Verification Standard (ASVS) project is a comprehensive framework that sets a standard for application security verification. It provides a basis for testing web application security controls and offers developers a list of requirements for secure development.
Our team has been actively contributing to a GitHub issue titled “Request for Addition of WebRTC Security Subcategory in ASVS.”
Recognizing the growing importance of WebRTC in modern web applications, we are adding relevant entries specific to WebRTC security. Our contributions are based on our extensive experience in penetration testing, security research, and bug bounties within the WebRTC security domain.
Some key areas we’re focusing on include:
- Robust signalling that withstands Denial of Service attacks
- Handling media attacks
- TURN server vulnerabilities
- Best practices for implementing WebRTC securely
This conversation is ongoing, and the work is still in progress. We are keen to ensure that the ASVS evolves to address the unique security challenges posed by WebRTC implementations.
We invite our readers with expertise or insights in WebRTC security to join the conversation. Your contributions could help shape the future of WebRTC security standards and practices. If you have any suggestions or would like to participate, please visit the GitHub issue and share your thoughts.
By collaborating on this initiative, we aim to enhance the overall security posture of WebRTC applications and contribute to a safer web ecosystem for all users.
TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends
Last week, I had the pleasure of joining Alan Quayle on the TADSummit Innovators Podcast to review the last six months of VoIP and WebRTC security news, which means that this very newsletter was the main feature of the episode. We delved into some of the most intriguing trends emerging in the RTC security space.
We covered the following RTC security trends for 2024 so far:
- Increasing focus on WebRTC vulnerabilities and security
- Growing concern over VoIP and conferencing platform security
- Emerging threats from AI and machine learning in audio manipulation
- Growing importance of resilience in communication systems
- SMS/Voice 2FA is hugely problematic
Here are the top 10 insights that emerged from our discussion:
- Specialized knowledge in WebRTC and VoIP security is crucial for addressing niche vulnerabilities.
- AI can scale attacks on VoIP systems, making them more dangerous.
- The resilience of communication technologies is critical for maintaining security during crises.
- Continuous improvement and adaptation are essential for cybersecurity in the face of evolving threats.
- Reliance on outdated security practices exposes modern communication systems to greater risks.
- The RTC Security Newsletter is essential reading for telecom and IP communications professionals.
- Denial of service attacks remain a major threat to real-time communications.
- Two-factor authentication via SMS and voice calls is insecure and outdated.
- The industry needs more security testers with expertise in VoIP and WebRTC.
- Regular pentesting is critical to identify and fix vulnerabilities in VoIP and WebRTC systems.
For more detailed insights, read Alan’s podcast episode summary on the TADSummit blog or watch and listen to the whole episode on YouTube.
Migrating the newsletter and content to EnableSecurity.com
As we had already announced, over the next few weeks and months, we will be transitioning all content, including this newsletter, from rtcsec.com to enablesecurity.com. Enable Security has always been the driving force behind RTCSec, a fact we’ve proudly shared. However, managing multiple websites has proven to be inefficient for various reasons. By consolidating our resources under one platform, we aim to enhance our efforts in bringing cybersecurity to VoIP and WebRTC domains. If you notice any glitches, please do not hesitate to let us know!
What’s happening?
Two New CVEs Published for WebRTC Vulnerabilities Fixed in the Past Two Years
Two new CVEs have been published for vulnerabilities in the WebRTC project that were fixed in the past two years.
The first vulnerability, tracked as CVE-2023-7010, is a dangling pointer issue discovered by Ned Williamson of Google Project Zero last year. The now-public bug report describes it as follows:
“A dangling pointer vulnerability is present in WebRTC’s PacketRouter due to an SDP SIM group SSRC from one track (e.g., video) colliding with an existing SSRC from a different track (e.g., audio). This inconsistency between the send_modules_map_ and the send_modules_list_ can lead to a use after free.”
The second vulnerability, tracked as CVE-2024-3170, was reported by an anonymous individual and verified using Google’s ClusterFuzz. It appears to have been discovered through new test cases added to an internal Chrome fuzzer (b0ring_webidl_fuzzer), which is private.
Both security issues were fixed months ago, and patched versions should now be present in most web browsers. Notably, the Google Chrome Release blog posts were retrospectively updated to include the following:
- Chrome 121.0.6167.85 for Mac and Linux and 121.0.6167.85/.86 for Windows release blog post: [$9000][41488824] High CVE-2024-3170: Use after free in WebRTC. Reported by Anonymous on 2024-01-05
- Chrome 117.0.5938.62 (Linux and Mac), 117.0.5938.62/.63(Windows) release blog post: [N/A][40070891] High CVE-2023-7010: Use after free in WebRTC. Reported by Ned Williamson of Google Project Zero on 2023-08-30
Initially, it appeared these updates had been missed, but the Internet Archive shows that the details were only added recently.
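The collision described in that bug report is straightforward to check for at the signalling layer, before an offer or answer reaches the peer connection. The following Python is an added example, not code from the WebRTC project or from the bug report: it collects the SSRCs announced by each m= section (both a=ssrc: lines and the members of a=ssrc-group: lines such as SIM) and reports any SSRC that appears in more than one section. The SDP it embeds is constructed for illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample offer (not the bug report's proof of concept): the video
# section's SIM group reuses SSRC 1001, which the audio section already owns.
SAMPLE_SDP = """v=0
o=- 4611731400430051336 2 IN IP4 127.0.0.1
s=-
t=0 0
m=audio 9 UDP/TLS/RTP/SAVPF 111
a=mid:0
a=ssrc:1001 cname:4a1b2c3d
m=video 9 UDP/TLS/RTP/SAVPF 96
a=mid:1
a=ssrc-group:SIM 2001 2002 1001
a=ssrc:2001 cname:4a1b2c3d
a=ssrc:2002 cname:4a1b2c3d
"""

_SSRC_RE = re.compile(r"^a=ssrc:(\d+)")
_GROUP_RE = re.compile(r"^a=ssrc-group:(\S+)((?:\s+\d+)+)\s*$")


def ssrcs_per_media_section(sdp: str) -> list[tuple[str, set[int]]]:
    """Return [(media_type, {ssrc, ...}), ...] for every m= section, in order.

    Explicit a=ssrc: lines and the members of a=ssrc-group: lines
    (FID, FEC, SIM, ...) both count as SSRCs announced by that section.
    """
    sections: list[tuple[str, set[int]]] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media_type = line[2:].split()[0]
            sections.append((media_type, set()))
            continue
        if not sections:
            continue  # session-level attributes carry no SSRCs
        m = _SSRC_RE.match(line)
        if m:
            sections[-1][1].add(int(m.group(1)))
            continue
        m = _GROUP_RE.match(line)
        if m:
            sections[-1][1].update(int(s) for s in m.group(2).split())
    return sections


def find_cross_section_ssrc_collisions(sdp: str) -> dict[int, list[tuple[int, str]]]:
    """Map each SSRC used by more than one m= section to [(index, media_type), ...]."""
    owners: dict[int, list[tuple[int, str]]] = defaultdict(list)
    for idx, (media_type, ssrcs) in enumerate(ssrcs_per_media_section(sdp)):
        for ssrc in ssrcs:
            owners[ssrc].append((idx, media_type))
    return {ssrc: where for ssrc, where in owners.items() if len(where) > 1}


def validate_sdp_ssrcs(sdp: str) -> None:
    """Reject an SDP whose SSRCs are not unique across media sections."""
    collisions = find_cross_section_ssrc_collisions(sdp)
    if collisions:
        detail = "; ".join(
            f"ssrc {ssrc} in sections {[f'{i}:{t}' for i, t in where]}"
            for ssrc, where in collisions.items()
        )
        raise ValueError("SSRC reused across media sections: " + detail)


if __name__ == "__main__":
    print(find_cross_section_ssrc_collisions(SAMPLE_SDP))
```

A signalling server or SFU can call validate_sdp_ssrcs on every offer and answer it relays; a fuzzer targeting the same code path can use the inverse, deliberately producing SDP that the check would reject.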
Short news
- Firmware Security: Alcatel-Lucent ALE-DeskPhone by Moritz Abrell
  - Moritz Abrell from SySS published a blog post detailing his analysis of Alcatel-Lucent desk phone firmware, which led to the discovery of two vulnerabilities. These were covered in the May edition of RTCSec news. The blog post explains the firmware file format, how the TOCTOU/race condition vulnerability in the update process was found and how it works, and the various techniques used. Besides the two local vulnerabilities found by manual analysis, AFL++ in QEMU mode is used to fuzz the firmware header parser. Fuzzing under emulation is slow, and the campaign is ongoing with no findings so far.
- Grandstream GXP2135 command injection vulnerability discovered by Cisco TALOS (CVE-2024-32937)
  - The GXP2135 is a high-end VoIP phone by Grandstream that supports CWMP (CPE WAN Management Protocol) for remote management. A command injection vulnerability exists in the handling of the CWMP parameter Device.Time.X_GRANDSTREAM_SelfDefinedTimeZone, allowing remote code execution. This happens because there is no filtering or input validation, so the ACS-supplied value is injected into a system() call. An attacker would need to gain access to the Auto Configuration Server (ACS) or perform a man-in-the-middle attack to impersonate the ACS and insert malicious commands. We have conducted such attack simulations in past pentests, demonstrating that this is a very realistic attack scenario.
- Two vulnerabilities fixed in BigBlueButton (medium & low severity)
  - BigBlueButton, an open source web conferencing system, has addressed two security vulnerabilities. The first allowed attackers to gain moderator access using manipulated join links, while the second involved incorrect file permissions for some bbb-record-core files.
  - The vulnerabilities were discovered by Matthew Bernath of Cisco Talos back in April and fixed by the vendor in June.
- Various BAS-IP intercom devices spit out SIP credentials
  - BAS-IP fixed unauthenticated API vulnerabilities that allowed SIP and RTSP configuration details, including usernames and passwords, to be leaked.
  - The vendor issued new firmware to patch various products.
- Ericsson and POST Luxembourg offer stronger signaling security
  - Ericsson and POST Luxembourg have introduced the Telecom Intrusion Detection System (TIDS), a comprehensive signaling threat detection solution that offers real-time visibility and investigation of threats across multiple telecom protocols. TIDS supports SS7, Diameter, GTP, and 5G signaling protocols, covering all GSMA categories for threat detection, and helps prevent espionage, phishing, and SMS fraud by ensuring firewalls are not bypassed by remote actors.
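The Grandstream item above is a textbook case of a value controlled by the ACS reaching system() unfiltered. The following Python is an added example of that bug class beside its fix, not Grandstream's code: the command template, the file path, the parameter handler and the allow-list are all assumptions made for illustration, and the vulnerable variant returns the shell string instead of executing it so the example is safe to run.

```python
import re
import shlex
import subprocess

# Hypothetical handler for a CWMP SetParameterValues on a time-zone parameter.
# It illustrates the bug class only: the real firmware, its command line and
# its file paths are not known to this example.


def build_tz_command_vulnerable(tz_value: str) -> str:
    """Vulnerable pattern: the ACS-supplied value is spliced into a shell
    command string of the kind that would be handed to system(). The string
    is returned rather than executed so the example is safe to run."""
    return f"echo '{tz_value}' > /etc/TZ && /bin/date"


# Allow-list for a POSIX TZ string such as "CET-1CEST,M3.5.0,M10.5.0/3".
# The character set is an assumption made for this example; a real product
# would validate against the exact grammar its libc accepts.
_POSIX_TZ_RE = re.compile(r"^[A-Za-z0-9+\-:,./<>]{1,64}$")


def build_tz_command_hardened(tz_value: str) -> list:
    """Hardened pattern: validate against the allow-list, then build an argv
    list. With no shell in the path, metacharacters are never interpreted."""
    if not _POSIX_TZ_RE.fullmatch(tz_value):
        raise ValueError(f"rejected time zone value: {tz_value!r}")
    return ["/usr/bin/env", f"TZ={tz_value}", "/bin/date"]


def count_shell_separators(cmd: str) -> int:
    """Count the command separators a POSIX shell would see in cmd.
    One separator (the && in the template) is expected; more means the
    value escaped its quotes and added commands of its own."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return sum(1 for tok in lexer if tok in {";", "&&", "||", "|", "&"})


# Constructed ACS payload: closes the single quote, runs an extra command,
# then re-opens a quote so the rest of the template still parses.
ACS_PAYLOAD = "UTC'; id > /tmp/pwned; echo '"

if __name__ == "__main__":
    print(build_tz_command_vulnerable(ACS_PAYLOAD))
    print(count_shell_separators(build_tz_command_vulnerable(ACS_PAYLOAD)))
    try:
        build_tz_command_hardened(ACS_PAYLOAD)
    except ValueError as exc:
        print(exc)
    argv = build_tz_command_hardened("CET-1CEST,M3.5.0,M10.5.0/3")
    print(subprocess.run(argv, capture_output=True, text=True).stdout.strip())
```

The allow-list alone is not the fix: quoted POSIX zone names such as <+03>-3 force it to admit angle brackets, which are redirection operators to a shell. Passing an argv list with no shell is what removes the interpretation step; the allow-list then only narrows the values the libc has to parse.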
Anonymization Aspects of a Low-latency VoIP Security Analytics System by Jiri Kuthan
Jiri Kuthan of Intuitive Labs gave a presentation about the challenges of doing security analytics on call detail records (CDRs) and SIP events while applying end-to-end encryption at high volume and keeping latency low. The talk was given at PEPR (Privacy Engineering Practice and Respect), an event hosted by USENIX. Here’s the abstract:
We describe the privacy aspects of an alerting system we have designed for low-latency voice-over-IP (VoIP) security analytics. The application of end-to-end encryption to Privacy Identifiable Information (PII) reliably assures that neither analytics system administrators nor intruders can find out who has been calling whom. Only a client, represented by a traffic probe at the source and a GUI at the receiving end, can observe the data in plain text. At the same time, we aim to preserve the system’s analytic capabilities. The underlying system can ingest massive streams of events describing user and device behavior, analyze them, and provide low-latency automated responses to detected threats. Encryption of PII in ingested data poses a challenge to both analytical capabilities on the server side and CPU performance on the client side. We are thus using specific knowledge of the application’s data. We limit the encryption to PII such as SIP URIs, E.164 telephone numbers, and IP addresses. Further, we use prefix-preserving encryption techniques. Performance measurements and field validation have shown that we could still support typical security analytical cases, preserve PII privacy, and achieve reasonable processing latency for human system users and automated response facilities.
The presentation has been posted on YouTube and is just 15 minutes long but goes through many topics.
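The abstract mentions prefix-preserving encryption of SIP URIs, E.164 numbers and IP addresses without showing how such a scheme behaves. The following Python is an added illustration, not Intuitive Labs' implementation: it is a generic per-position construction (each output symbol is the input symbol shifted by a keyed PRF of the plaintext prefix, in the spirit of Crypto-PAn) applied to IPv4 addresses bit by bit and to phone numbers digit by digit. The key, labels and sample values are constructed for the example.

```python
import hashlib
import hmac
import ipaddress


def _pad(key: bytes, label: bytes, prefix: list, base: int) -> int:
    """Keyed PRF of (label, plaintext prefix so far), reduced to one symbol.
    The label separates domains so an IP bit-string and a phone digit-string
    never share pads; the prefix is comma-joined so its length is unambiguous."""
    msg = label + b"|" + ",".join(str(s) for s in prefix).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % base


def pp_encrypt(key: bytes, label: bytes, symbols: list, base: int) -> list:
    """out[i] = (in[i] + PRF(in[:i])) mod base. Each output symbol depends only
    on the input up to position i, so two inputs that agree on their first k
    symbols give outputs that agree on their first k symbols, and the outputs
    differ at the first position where the inputs differ."""
    out, prefix = [], []
    for s in symbols:
        out.append((s + _pad(key, label, prefix, base)) % base)
        prefix.append(s)
    return out


def pp_decrypt(key: bytes, label: bytes, symbols: list, base: int) -> list:
    """Inverse of pp_encrypt: the prefix needed for each pad is the plaintext
    recovered so far."""
    out = []
    for c in symbols:
        out.append((c - _pad(key, label, out, base)) % base)
    return out


def ipv4_to_bits(ip: str) -> list:
    return [int(b) for b in format(int(ipaddress.IPv4Address(ip)), "032b")]


def bits_to_ipv4(bits: list) -> str:
    return str(ipaddress.IPv4Address(int("".join(map(str, bits)), 2)))


def encrypt_ipv4(key: bytes, ip: str) -> str:
    return bits_to_ipv4(pp_encrypt(key, b"ipv4", ipv4_to_bits(ip), 2))


def decrypt_ipv4(key: bytes, ip: str) -> str:
    return bits_to_ipv4(pp_decrypt(key, b"ipv4", ipv4_to_bits(ip), 2))


def encrypt_e164(key: bytes, number: str) -> str:
    """Pseudonymise the digits of a +-prefixed E.164 number digit by digit
    (base 10). Length and shared-prefix structure survive; the result is a
    pseudonym, so it may begin with 0 even though real numbers never do."""
    if not (number.startswith("+") and number[1:].isdigit()):
        raise ValueError("expected +<digits>")
    digits = [int(d) for d in number[1:]]
    return "+" + "".join(map(str, pp_encrypt(key, b"e164", digits, 10)))


def decrypt_e164(key: bytes, number: str) -> str:
    digits = [int(d) for d in number[1:]]
    return "+" + "".join(map(str, pp_decrypt(key, b"e164", digits, 10)))


def common_prefix_len(a, b) -> int:
    """Number of leading positions on which two sequences agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"  # a real probe would fetch this from a KMS
    for ip in ("10.1.2.3", "10.1.2.200", "192.0.2.1"):
        print(ip, "->", encrypt_ipv4(key, ip))
    print("+4915112345678 ->", encrypt_e164(key, "+4915112345678"))
```

This is what lets the server-side analytics keep working on ciphertext: two callers in the same /24, or two numbers under the same country and operator prefix, still share a pseudonym prefix of exactly the same length, so grouping and rate-based rules apply unchanged. The flip side is the usual caveat for this class of scheme: the structure that is preserved is also leaked, and anyone who learns a few plaintext/pseudonym pairs learns the pads along those prefixes, so the key has to be per deployment and never exposed to the analytics tier.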
Twilio Authy API Vulnerabilities and Open AWS S3 Buckets
Recent news has highlighted incidents of information disclosure involving Twilio, as reported on Alan Quayle’s CXTech newsletter and blog. There were two main incidents:
Twilio Authy API Vulnerability (CVE-2024-39891):
- A vulnerability in Twilio’s Authy API was found, where an unauthenticated endpoint provided access to certain phone-number data. This issue affected Authy Android versions before 25.1.0 and Authy iOS versions before 26.1.0.
- Exploited in the wild in June 2024, this vulnerability allowed attackers to send a stream of requests containing phone numbers and receive information about whether each phone number was registered with Authy.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence.
- Twilio has addressed this issue and provided details in their Changelog.
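The exploitation pattern described above, a stream of requests each carrying a different phone number against one unauthenticated endpoint, is visible in ordinary access logs long before any data leaves. The following Python is an added example of that detection logic, not Twilio's or Authy's tooling: the log format, endpoint path and thresholds are invented for the illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed access-log lines for a hypothetical unauthenticated
# "is this number registered?" endpoint. The format is invented for this
# example and is not Twilio's or Authy's.
SAMPLE_LOG = """\
2024-06-01T12:00:00Z 203.0.113.7 GET /lookup?phone=%2B15550000001 200
2024-06-01T12:00:01Z 203.0.113.7 GET /lookup?phone=%2B15550000002 200
2024-06-01T12:00:02Z 203.0.113.7 GET /lookup?phone=%2B15550000003 200
2024-06-01T12:00:03Z 203.0.113.7 GET /lookup?phone=%2B15550000004 200
2024-06-01T12:00:04Z 203.0.113.7 GET /lookup?phone=%2B15550000005 200
2024-06-01T12:00:05Z 203.0.113.7 GET /lookup?phone=%2B15550000006 200
2024-06-01T12:00:30Z 198.51.100.4 GET /lookup?phone=%2B15550000010 200
2024-06-01T12:00:31Z 198.51.100.4 GET /healthz 200
2024-06-01T12:05:00Z 198.51.100.4 GET /lookup?phone=%2B15550000010 200
"""

_LINE_RE = re.compile(r"^(\S+) (\S+) \S+ \S*[?&]phone=([^ &]+) (\d{3})$")


def parse_line(line: str):
    """Return (timestamp, client_ip, phone) for a lookup request, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), unquote(m.group(3))


def detect_enumeration(log_text: str, window: timedelta = timedelta(seconds=60), threshold: int = 5) -> dict:
    """Flag clients that query `threshold` or more distinct numbers within
    `window`. Returns {client_ip: peak_distinct_numbers}. Lines are assumed
    to be in time order, as an access log normally is."""
    recent = defaultdict(deque)  # ip -> deque[(ts, phone)] inside the window
    peak = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, phone = rec
        q = recent[ip]
        q.append((ts, phone))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold:
            peak[ip] = max(peak.get(ip, 0), distinct)
    return peak


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

Counting distinct numbers rather than raw requests is what separates a legitimate client retrying its own number (198.51.100.4 above) from an enumerator; a real deployment would key on more than the source address, since an attacker with many exit IPs stays under any per-IP threshold. On the server side, the generic complement is a per-client and per-number rate limit and a response that does not differ for registered and unregistered numbers; the page does not detail which measures Twilio's fix applied.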
Open AWS S3 Bucket Incident:
- Twilio notified customers about an incident where an AWS S3 bucket containing SMS-related data was publicly accessible. This bucket belonged to IdentifyMobile, a downstream carrier of Twilio’s backup carrier, iBasis.
- Twilio’s notice stated:
“You are receiving this email because Twilio has been notified that IdentifyMobile, a downstream carrier of our backup carrier iBasis, inadvertently exposed certain SMS-related data publicly on the internet. We conducted a thorough investigation in partnership with iBasis, and based on our findings, we believe that none of your messages containing personal data were exposed. While we have taken every measure to verify this, we cannot completely rule out the possibility of personal data exposure. Some non-personal data, such as message bodies without login tokens or marketing campaigns that don’t contain personal data, may have been exposed.”
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.
To subscribe: here