Tags › Voip Security
SIPVicious tutorial: testing VoIP security with DVRTC
Published on Apr 13, 2026 in sipvicious oss, security tools, sip security, voip security, DVRTC, demo server, kamailio, asterisk, training
A hands-on tutorial showing how to use SIPVicious OSS to scan, enumerate, and crack SIP credentials on our DVRTC vulnerable lab at pbx1.dvrtc.net. This is an updated version of our 2020 tutorial that used the now-retired demo.sipvicious.pro server.…
AI is coming for your C code and it does not need coffee
Published on Apr 3, 2026 in research, voip security, webrtc security
Thomas Ptacek argued last week that AI has fundamentally changed the economics of vulnerability research. We’ve run our own experiments and seen similar results. Here’s what this means specifically for RTC codebases - and for the humans who secure them.…
Introducing DVRTC: a vulnerable lab for RTC security
Published on Mar 27, 2026 in webrtc security, voip security, training, sip security, kamailio, asterisk, coturn, rtpengine, demo server, TURN security, DVRTC
We’re releasing DVRTC (Damn Vulnerable Real-Time Communications), an intentionally vulnerable VoIP/WebRTC lab environment for security training and research. It comes with 7 hands-on exercises covering 12 attack paths, a live deployment at pbx1.dvrtc.net, and everything you need to start practicing RTC security testing.…
VoIP Eavesdropping: How it Works, Threats & Defense Tactics
Published on Oct 9, 2025 in voip security, sip security, webrtc security
VoIP eavesdropping is a critical security threat that can expose sensitive business and personal information. This comprehensive guide explains how attackers exploit VoIP vulnerabilities through packet sniffing, MITM attacks, and RTP Bleed, and provides actionable defense tactics including transport encryption, authentication, security audits, and network segmentation to protect your organization.…
Sandro talks RTC Security with Safety Detectives
Published on Aug 6, 2025 in voip security, denial of service
Our CEO discusses why generic security tools fail for voice protocols, how ESAP addresses RTC-specific vulnerabilities, and emerging AI threats in real-time communications.…
Rtpengine RTP Injection and Media Bleed Vulnerabilities (CVE-2025-53399)
Published on Jul 31, 2025 in voip security, research, rtpengine, denial of service, webrtc security, sip security
We published a critical security advisory for rtpengine affecting versions mr13.3.1.4 and lower, allowing RTP injection and media redirection attacks. These vulnerabilities can be exploited without man-in-the-middle positioning and affect both plaintext RTP and encrypted SRTP sessions. Organizations should upgrade to mr13.4.1.1 and review configuration settings.…
TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends with Sandro Gauci
Published on Jul 26, 2024 in voip security, webrtc security
This week, I had the pleasure of joining Alan Quayle on the TADSummit Innovators Podcast to review the last six months of VoIP and WebRTC security news. We delved into some of the most intriguing trends emerging in the RTC security space.
We covered the following RTC security trends for 2024 so far:
- Increasing focus on WebRTC vulnerabilities and security
- Growing concern over VoIP and conferencing platform security
- Emerging threats from AI and machine learning in audio manipulation
- Growing importance of resilience in communication systems
- SMS/Voice 2FA is hugely problematic
Here are the top 10 insights that emerged from our discussion:
…How to perform a DDoS attack simulation
Published on Nov 29, 2022 in denial of service, voip security
TL;DR
A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow the best practices, apply solutions and mitigation; and you can finally answer: what if we got attacked?
Introduction
In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises. We focus on attacking real-time communications systems because this is an area where DoS attacks can really cause damage. But the instructions and ideas outlined in this text will apply to any system in general that you might need to test. Even if in this article we do not really focus on the defensive side of protecting against DoS, ultimately the goal is to design and implement solutions that actually work for the systems and applications that need to be protected.
…Killing bugs … one vulnerability report at a time
Published on Oct 29, 2021 in freeswitch, voip security, conferences, denial of service
The story behind our FreeSWITCH advisories and how one sleepless night led to 4 vulnerabilities that needed reporting, plus one more found due to a bug in our own software. We explain how these flaws were discovered, reported, fixed and what we ultimately learned.…
ClueCon: FreeSWITCH Security Advisories
Published on Oct 25, 2021 in freeswitch, voip security, conferences, denial of service
The FreeSWITCH team has just published version v1.10.7 which fixes a number of security issues that we reported. If you use FreeSWITCH, please do upgrade to get these security updates.
To learn about the background work that went into getting these security bugs squashed, follow Sandro’s talk called Killing bugs … one vulnerability report at a time. This will be presented at at ClueCon on Thursday, October 28th.
Here are the titles of each advisory and a very short summary:
…