We’re excited to announce the release of our latest white paper, “DTLS ‘ClientHello’ Race Conditions in WebRTC Implementations”. This comprehensive study delves into a critical vulnerability affecting various WebRTC implementations, with potential implications for real-time communication security.
Our research team at Enable Security conducted extensive testing on both open-source and proprietary WebRTC implementations, focusing on media servers and popular communication platforms. The study aimed to identify vulnerabilities related to the processing of DTLS ClientHello messages in WebRTC sessions.
Among the tested platforms, we found several implementations vulnerable to this issue:
- RTPEngine
- Asterisk
- FreeSWITCH
- Skype (PSTN)
In the case of the open-source software, this issue has been mitigated in the latest versions. Our testing encompassed a wide range of platforms, including but not limited to:
- Janus
- Discord Service Voice channel
- Dolby.io Live Broadcast
- Facebook Messenger web client
- Google Meet
- LiveKit Meet
- Webex Meetings
- Zoho Meeting
- Zoom personal room meeting
- Mediasoup
The white paper provides a detailed analysis of our methodology, findings, and the potential impact of this vulnerability. We discovered that the core issue lies in the failure to properly verify the origin of the DTLS “ClientHello” message, which could lead to denial of service attacks.
Importantly, our research highlights that while this behavior doesn’t necessarily indicate a bug in the WebRTC specification itself, it reveals a critical oversight that multiple implementors have failed to address.
We believe this research contributes significantly to the ongoing efforts to enhance WebRTC security across the industry. By sharing our findings, we aim to foster a more secure environment for real-time communication services.
To dive deeper into our methodology, results, and recommendations, we encourage you to read the full white paper. Feel free to reach out if you have any questions about our findings or methodology.