Skip to main content

VoIP and WebRTC
Security Articles and News

Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.

Subscribe
a phone receiver being crushed by a hand

    VoIP Eavesdropping: How it Works, Threats & Defense Tactics

    Published on Oct 9, 2025 in , , , ,

    VoIP eavesdropping is a critical security threat that can expose sensitive business and personal information. This comprehensive guide explains how attackers exploit VoIP vulnerabilities through packet sniffing, MITM attacks, and RTP Bleed, and provides actionable defense tactics including transport encryption, authentication, security audits, and network segmentation to protect your organization.…

    Read more about VoIP Eavesdropping: How it Works, Threats & Defense Tactics

    Sandro talks RTC Security with Safety Detectives

    Published on Aug 6, 2025 in , ,

    Our CEO discusses why generic security tools fail for voice protocols, how ESAP addresses RTC-specific vulnerabilities, and emerging AI threats in real-time communications.…

    Read more about Sandro talks RTC Security with Safety Detectives

    Rtpengine RTP Injection and Media Bleed Vulnerabilities (CVE-2025-53399)

    Published on Jul 31, 2025 in , , , , ,

    We published a critical security advisory for rtpengine affecting versions mr13.3.1.4 and lower, allowing RTP injection and media redirection attacks. These vulnerabilities can be exploited without man-in-the-middle positioning and affect both plaintext RTP and encrypted SRTP sessions. Organizations should upgrade to mr13.4.1.1 and review configuration settings.…

    Read more about Rtpengine RTP Injection and Media Bleed Vulnerabilities (CVE-2025-53399)

    New White Paper: DTLS “ClientHello” Race Conditions in WebRTC Implementations

    Published on Oct 15, 2024 in , , ,

    We’re excited to announce the release of our latest white paper, “DTLS ‘ClientHello’ Race Conditions in WebRTC Implementations”. This comprehensive study delves into a critical vulnerability affecting various WebRTC implementations, with potential implications for real-time communication security.

    Our research team at Enable Security conducted extensive testing on both open-source and proprietary WebRTC implementations, focusing on media servers and popular communication platforms. The study aimed to identify vulnerabilities related to the processing of DTLS ClientHello messages in WebRTC sessions.

    Read more about New White Paper: DTLS "ClientHello" Race Conditions in WebRTC Implementations

    TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends with Sandro Gauci

    Published on Jul 26, 2024 in ,

    This week, I had the pleasure of joining Alan Quayle on the TADSummit Innovators Podcast to review the last six months of VoIP and WebRTC security news. We delved into some of the most intriguing trends emerging in the RTC security space.

    We covered the following RTC security trends for 2024 so far:

    1. Increasing focus on WebRTC vulnerabilities and security
    2. Growing concern over VoIP and conferencing platform security
    3. Emerging threats from AI and machine learning in audio manipulation
    4. Growing importance of resilience in communication systems
    5. SMS/Voice 2FA is hugely problematic

    Here are the top 10 insights that emerged from our discussion:

    Read more about TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends with Sandro Gauci

    A Novel DoS Vulnerability affecting WebRTC Media Servers

    Published on Jun 25, 2024 in , , ,

    Executive summary (TL;DR)

    A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.

    Read more about A Novel DoS Vulnerability affecting WebRTC Media Servers

    OpenSIPS Security Audit Report is fully disclosed and out there

    Published on Mar 17, 2023 in , , , , , , , ,

    It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report.

    The OpenSIPS security audit report can be found here.

    OpenSIPS security audit report front page

    What is the OpenSIPS security audit?

    OpenSIPS is a SIP server that often has a critical security function within an IP communications system. Thus, it makes absolute sense to perform a thorough security audit for such software. We had been dealing with OpenSIPS servers from time to time in our work so we were rather familiar with the software and the project itself. Then back in January 2021, the lead developer for OpenSIPS, Bogdan-Andrei Iancu, asked us if we would be interested in doing some proper security work. Naturally, our answer was yes please!

    Read more about OpenSIPS Security Audit Report is fully disclosed and out there

    SIPVicious PRO incremental update - and Gitlab CI/CD examples

    Published on Mar 7, 2023 in , , , , ,

    We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update:

    • Documentation now includes realistic Gitlab CI/CD examples
    • The RTP fuzzer in the experimental version now supports SRTP
    • Support for new SIP DoS flood request methods
    • The RTP inject tool can now specify the RTP’s SSRC and payload ID
    • The SIP password cracking tool now supports closing the connection upon each attempt
    • The SIP ping utility supports INVITE

    For the boring details, including a list of bug fixes, do read the release notes for v6.0.0-experimental.6 and v6.0.0-beta.6.

    Read more about SIPVicious PRO incremental update - and Gitlab CI/CD examples

    Kamailio’s exec module considered harmful

    Published on Jan 26, 2023 in ,

    Executive summary (TL;DR)

    • The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection.
    • By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration.
    • We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions.
    • Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.
    • Kamailio configurations should use a strict allow list or avoid the module altogether.

    Introduction to Kamailio’s exec module and its capabilities

    The Kamailio SIP server ships with a module for executing external commands from within a Kamailio configuration. The topic of this article is how the exec module may be misused to lead to remote code execution vulnerabilities. The default Kamailio configuration, which is used as a starting point for many live installations, does not make use of this module. On the other hand, we have seen this module being used in various production environments and have, in the past, found some of these installations to be vulnerable.

    Read more about Kamailio's exec module considered harmful

    How to perform a DDoS attack simulation

    Published on Nov 29, 2022 in ,

    TL;DR

    A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow the best practices, apply solutions and mitigation; and you can finally answer: what if we got attacked?

    Introduction

    In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises. We focus on attacking real-time communications systems because this is an area where DoS attacks can really cause damage. But the instructions and ideas outlined in this text will apply to any system in general that you might need to test. Even if in this article we do not really focus on the defensive side of protecting against DoS, ultimately the goal is to design and implement solutions that actually work for the systems and applications that need to be protected.

    Read more about How to perform a DDoS attack simulation

    Subscribe

    Receive high-quality, low-volume RTC security research, news and occasional updates about what we're up to.

    Interested in our services? Let's collaborate.
    Get in touch

    We hate spam and are committed to protecting and respecting your privacy. You can unsubscribe from our communications at any time. By subscribing, you are agreeing to the Privacy Policy.