Skip to main content

RTC security audits
and penetration testing

We’ll find the cracks in your real-time communications security so that they can be addressed or mitigated.

Illustration of a hand holding a blue-box device

Are you building VoIP / WebRTC infrastructure or applications?

Most pentests target webapp and network infrastructure while missing the vulnerabilities that matter most. Focus on RTC security is critical when testing such systems. For this, we have developed dedicated tools, security testing methodology and expertise.

Penetration
testing

Testing for security issues which involves manual and semi-automated processes; black box, white box and even blue box

Code and config analysis

An open book approach, when possible, gives us super-powers - whether it be C, Go, Python to Erlang and beyond

Denial of service
simulation

We do specialise in application-level DoS attacks and may distribute such attacks to simulate botnets

Fuzz
testing

Targeting various protocols and applications to find memory bugs and logic security issues

If you are looking for excellence when testing critical RTC systems:
work with us

We understand that our work requires mutual trust. Since getting established in 2008, we have contributed to organisations large and small by performing hundreds of pentests and security audits. Not only is it important to provide valuable and quality results, it is equally essential to maintain communication and transparency before, during and after our engagements.

In the course of our work, we have tested various IP PBXs, presence systems, telecom infrastructure and WebRTC servers together with related applications and network infrastructure.

Our customers

While we do not make a habit of publicly naming customers to respect their confidentiality, the following are some of our typical customers.

  1. Service providers, telecoms and mobile operators
  2. VoIP/IMS and WebRTC vendors
  3. Communications platform as a service (CPaaS)
  4. Video conferencing platforms
  5. Contact center platforms

Some of the
things we’ve broken

Session Border
Controllers (SBCs)

Kamailio, OpenSIPS,
Audiocodes, Sonus SBC

IP PBX servers

Asterisk, FreeSWITCH, Avaya Aura,
Cisco Unified Communications

Media servers

RTPEngine,
Proprietary solutions

Mobile softphones

Cisco (Broadsoft) Communicator,
Custom solutions

IM/Presence
systems, XMPP servers

Ejabberd, OpenFire, Prosody

Telecom solutions and
Unified Communications systems

Broadworks (Cisco)

Customer
premises equipment (CPE)

DSL, Cable modems, SIP gateways

Hardware phones and
conference call equipment

Proprietary solutions

WebRTC media gateways

Janus, Proprietary solutions

TURN servers

Coturn

SMPP servers

OpenSMPP, Kannel, Cloudhopper

Wide range of RTC
protocols and test coverage

While we frequently tailor our security audit methodology and tools to suit
specific requirements, we cover a wide variety of RTC protocols and test cases as standard

SIP

RFC 3261, 3264, 3265,
3665, 4568, 5621, 8760

  1. Call relaying / dialplan security bypass
  2. INVITE flood (INVITE of death) / REGISTER flooding Denial of Service (DoS)
  3. SIP extension enumeration
  4. SIP digest leak attacks on vulnerable SIP endpoints and SIP proxies
  5. SIP routing vulnerabilities
  6. SIP header injection / smuggling tests
  7. Caller-ID spoofing
  8. SIP online cracking / password bruteforce
  9. Injection tests, for SQL injection / other injection vectors introduced through SIP
  10. Authentication bypass testing
  11. Show 7 more

STUN, TURN

RFC 5389, 7350,
8489, 5766, 8656, 6062

  1. TURN proxy abuse testing
  2. SIP TLS (RFC 3261, 5630)
  3. SIP TLS configuration review to identify TLS related weaknesses
  4. ICE (RFC 8445)
  5. Private IP leak

RTP

RFC 3550, 3711, 5761

  1. RTP Flooding Denial of Service (DoS), especially targeting recording systems
  2. Media encryption tests, especially targeting SRTP, SDES and DTLS
  3. RTP bleed and RTP injection attacks
  4. Call interception, eavesdropping due to lack of media or signalling encryption

DTLS

RFC 6347, 5763, 5764

  1. DTLS Denial of Service (DoS)
  2. Certificate handling
  3. Weak ciphers
  4. Information disclosure vulnerabilities

SMPP

version 3.4

  1. Fuzzing
  2. Reconnaissance
  3. Caller-ID spoofing
  4. Denial of Service tests

XMPP

RFC 6120, 6121

  1. Attacks against XMPP servers
  2. Attacks against XEPs (XMPP protocol extensions)

Software-specific tests

  1. Asterisk/Kamailio/OpenSIPS security configuration review
  2. Known and unknown vulnerabilities affecting target products / software packages
  3. Dialplan injection attacks and other attacks specific to the platform’s dialplan handling
  4. Provisioning security tests on TFTP, FTP, and HTTP protocols
  5. Show 2 more

Standard security tests

  1. In the case of local network infrastructure, VLAN hopping may be required
  2. Web application security tests
  3. OWASP Top 10 vulnerabilities
  4. SQL injection, LDAP injection, blind cross-site scripting (XSS) and other types of injection
  5. API security testing
  6. Show 2 more