Tag: WebRTC Security

TURN Server Security Best Practices

Published on Feb 25, 2026

Implementation-agnostic security reference for TURN server deployments. Covers network isolation, access control rules, protocol hardening, rate limiting, and monitoring with a complete checklist, IP range reference tables, and deployment patterns.…

Securing coturn: Configuration Guide

Published on Feb 25, 2026

The coturn-specific companion to our TURN Server Security Best Practices guide. Copy-paste configuration blocks for access control, protocol hardening, rate limiting, and authentication, with three complete templates from minimal to high-security.…

TURN Security Threats: A Hacker’s View

Published on Feb 12, 2026 · Updated on Feb 25, 2026

TURN servers are meant to relay media traffic for WebRTC, but they’re also powerful proxies that hackers have been abusing since at least 2017. We break down three critical threat categories: relay abuse, Denial of Service, and software vulnerabilities, with real-world examples from our research and pentesting.…

VoIP Eavesdropping: How it Works, Threats & Defense Tactics

Published on Oct 9, 2025

VoIP eavesdropping is a critical security threat that can expose sensitive business and personal information. This comprehensive guide explains how attackers exploit VoIP vulnerabilities through packet sniffing, MITM attacks, and RTP Bleed, and provides actionable defense tactics including transport encryption, authentication, security audits, and network segmentation to protect your organization.…

Rtpengine RTP Injection and Media Bleed Vulnerabilities (CVE-2025-53399)

We published a critical security advisory for rtpengine affecting versions mr13.3.1.4 and lower, allowing RTP injection and media redirection attacks. These vulnerabilities can be exploited without man-in-the-middle positioning and affect both plaintext RTP and encrypted SRTP sessions. Organizations should upgrade to mr13.4.1.1 and review configuration settings.…

New White Paper: DTLS “ClientHello” Race Conditions in WebRTC Implementations

Published on Oct 15, 2024

Our white paper on DTLS ClientHello race conditions in WebRTC reveals vulnerabilities in RTPEngine, Asterisk, FreeSWITCH, and Skype. We tested platforms including Janus, Discord, Google Meet, and Zoom, and provide mitigation strategies for secure real-time communication.…

TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends with Sandro Gauci

Published on Jul 26, 2024

This week, I had the pleasure of joining Alan Quayle on the TADSummit Innovators Podcast to review the last six months of VoIP and WebRTC security news. We delved into some of the most intriguing trends emerging in the RTC security space.

We covered the following RTC security trends for 2024 so far:

  1. Increasing focus on WebRTC vulnerabilities and security
  2. Growing concern over VoIP and conferencing platform security
  3. Emerging threats from AI and machine learning in audio manipulation
  4. Growing importance of resilience in communication systems
  5. SMS/Voice 2FA is hugely problematic

Here are the top 10 insights that emerged from our discussion:

A Novel DoS Vulnerability affecting WebRTC Media Servers

Published on Jun 25, 2024

Executive summary (TL;DR)

A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.

Exploiting CVE-2022-0778, a bug in OpenSSL vis-à-vis WebRTC platforms

Executive summary (TL;DR)

Exploiting CVE-2022-0778 in a WebRTC context requires that you get a few things right first. But once that is sorted, DoS (in RTC) is the new RCE!

How I got social engineered into looking at CVE-2022-0778

A few days ago, Philipp Hancke, self-proclaimed purveyor of the dark side of WebRTC, messaged me privately with a very simple question: “are you offering a DTLS scanner by chance?”

He explained how in the context of WebRTC it would be a bit difficult since you need to get signaling right, then ICE (that dance with STUN and other funny things) and finally, you get to do your DTLS scans. He added that he hopes that these difficulties raise the bar for exploiting the latest OpenSSL CVE.

Details about CVE-2020-26262, bypass of Coturn’s default access control protection

Published on Jan 11, 2021

Video demonstration

The following demonstration shows the security bypass of the default coturn configuration on IPv4:

Background: why does coturn have default access control rules in the first place?

TURN servers are an important part of many WebRTC infrastructures because they make it possible to relay the media even for hosts behind restrictive NAT. We wrote about this extensively in the post called How we abused Slack’s TURN servers to gain access to internal services. To summarize: from the perspective of a pentester, a TURN server is very similar to a proxy server, allowing relaying of TCP connections and UDP packets. One somewhat obvious problem is that attackers can abuse these TURN servers to connect to network services behind the firewall, such as those on the TURN server itself. To address this problem, coturn prevents connections to loopback IP addresses 127.0.0.1 on IPv4 and [::1] on IPv6. This default protection mechanism has been there since coturn version 4.5.1.0 ‘dan Eider’ which was released back in November 2018.