Welcome to the first RTCSEC newsletter! Please do reply and tell me what you think - this will help us make future editions better.
In this edition, we cover:
- The OpenSIPS security audit
- The DDoS attacks on VoIP providers
- My upcoming talk at ClueCon 2021
- Fred Posner’s talk from Kamailio World 2021
- Two presentations of interest from OpenSIPS Summit 2021
- Short news and commentary
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or, often, machines.
You may sign up to receive the RTCSec newsletter here. Do:
- forward this to that person who may find this newsletter particularly fruitful.
- let me know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
The OpenSIPS security audit
Following fundraising by the OpenSIPS community, we are currently busy with the security audit of OpenSIPS. We have already discovered various security issues but are not yet done. Some fixes are already in the codebase and we look forward to publishing the findings when the time is right.
Further reading:
- The OpenSIPS blog about the topic: The OpenSIPS Security Audit is happening.
- My presentation at the OpenSIPS Summit on Youtube.
- The slides are also available on Slideshare.
- The OpenSIPS security audit page.
The fundraising for this project was overfunded. The best comment we saw about this implied that someone discovered an integer overflow in the payment system.
DDoS attacks on VoIP providers in relation to pentesting
I wrote about the distributed denial of service attacks happening on VoIP providers and how this relates to what we see during our DDoS simulation tests. The first post spoke about VoIP.ms and the UK providers and how the attacks appeared to be primarily volumetric. Then I highlighted how application-level DDoS is also a huge problem for SIP servers and explained how we test for this and possible mitigation.
The second post focused on the volumetric nature of the attacks and how, during application DDoS testing, we often hit bandwidth limits. I tried to explain how widespread this vulnerability really is and why it is important that providers give it the attention it deserves.
The two posts can be read in their entirety here:
- Massive DDoS attacks on VoIP Providers and simulated DDoS testing.
- Why volumetric DDoS cripples VoIP providers and what we see during pentesting.
DDoS simulation (advert)
As part of our security audit and pentest services, we simulate DDoS attacks on RTC applications and infrastructure. Ask us to learn more or reply to this email.
ClueCon: Killing bugs … one vulnerability report at a time
On Thursday, October 28th, Sandro Gauci will give a talk at the ClueCon conference, which is being held virtually. The talk is called Killing bugs … one vulnerability report at a time, with the following synopsis:
Sandro tells the story of how he and his security team came across vulnerabilities in FreeSWITCH, verified the security issues in a lab environment, reported them upstream and finally worked with the FreeSWITCH developers to get them fixed. We will explore where security testing has value, how software can greatly benefit from this process of vulnerability reporting, fixing, etc., and also talk a bit about the process, and help you to better understand the impact of such vulnerabilities.
Kamailio World and OpenSIPS Summit 2021
SIP Attack Handling by Fred Posner
Fred gave a great presentation about SIP based attacks and how to handle them with Kamailio.
His recommendations:
- use the Pike module
- use the secfilter module, which is a relatively new module
- a combination of other modules, e.g. htable, dmq and various others
The talk is practical and has useful examples of how to configure Kamailio to protect against various common attacks that any SIP server on the Internet will be facing.
Also, Fred picks on fail2ban - which earns him extra marks in my book. Instead, he recommends a new project of his called iptables-api together with APIBAN.
References:
- The slides are at pgpx.io/kw2021
- The presentation can be seen on Youtube.
- iptables-api: https://github.com/palner/iptables-api
- APIBAN: https://apiban.org/
Two presentations at OpenSIPS Summit 2021 that cover some security topics
- OpenSIPS summit 2021 - Alan Quayle - Key Notes - Open Source Telecom Survey 2021 Results & Discussion
  - https://www.youtube.com/watch?v=JZ1hFDWlcFs&t=330s
  - Alan’s survey covers a large number of topics, but most interesting for us is the coverage of security vis-à-vis RTC developers and providers. Some insightful results there, mainly indicating that more effort is needed in this area. It is clear that we have a lot to do.
- OpenSIPS summit 2021 - Maksym Sobolyev - OpenSIPIt - Bringing InterOp Testing to the Heart of the Community
  - https://www.youtube.com/watch?v=kyu_wDcO0S4&t=300s
  - This is a presentation about OpenSIPIt, which is an interop testing event. We have participated in this event and helped test implementations of new features such as STIR/SHAKEN and RFC8760. Thanks to OpenSIPIt, we discovered vulnerabilities in some open-source implementations of these new features before they could make it to production.
RTC security consultancy (advert)
We have been doing RTC security consultancy for years, but it took a rebranding for us to put up a page advertising the fact that yes, indeed, we do consultancy. It’s mostly in the area of security testing, which is where we excel, as well as advice when it comes to security architecture. We think that many developers and security officers would benefit from getting a second opinion when making critical security decisions. If that sounds useful, let me know.
Check out our consultancy page here: https://www.enablesecurity.com/consultancy/, or get in touch by replying.
Short news and commentary
May I ask who’s calling, please? A recent rise in VoIP DDoS attacks
- https://blog.cloudflare.com/attacks-on-voip-providers/
- Cloudflare’s first blog post about VoIP DDoS.
Update on recent VoIP attacks: What should I do if I’m attacked?
- https://blog.cloudflare.com/update-on-voip-attacks/
- Cloudflare’s second post with practical advice.
Real-Time Communications at Scale
- https://blog.cloudflare.com/announcing-our-real-time-communications-platform/
- Incidentally, Cloudflare announced (or are testing) their distributed TURN server service. Now, enough about Cloudflare!
webrtcH4cKS: ~ How does WebRTC End-to-End Encryption work? Matrix.org example (Dave Baker)
Company That Routes Billions of Text Messages Quietly Says It Was Hacked
StateAFL: A Coverage-Driven (Greybox) Fuzzer for Stateful Network Protocols
- https://github.com/stateafl/stateafl
- A fork of AFL with some interesting features, also supporting SIP fuzzing. We have not yet tested this but it certainly is interesting work. The paper by the author, Roberto Natella, is at https://export.arxiv.org/pdf/2110.06253v1.
- The same author had previously reported a crash in Kamailio at https://github.com/kamailio/kamailio/issues/2503.
webrtcH4cKS: ~ Apple’s not so private relay fails with WebRTC
- https://webrtchacks.com/apples-not-so-private-relay-fails-with-webrtc/
- IP leakage is a problem if you’re using a VPN/proxy for privacy reasons. Thanks to WebRTC, IP leakage is a feature. This post goes quite deep into the topic with regard to iCloud Private Relay.
Handling Non-SIP Attacks With Kamailio
- https://www.fredposner.com/handling-non-sip-kamailio/
- Related to the DDoS attacks happening on VoIP servers, Fred Posner wrote about how to detect and block non-SIP traffic coming to Kamailio.
Handling SIP Flood Attacks Using Kamailio
- https://www.fredposner.com/2367/handling-sip-flood-attacks-using-kamailio/
- A great post about using the Pike module in Kamailio together with iptables-api to block SIP flood attacks.
Hide From Shodan
- https://www.kwancro.com/post/hide-from-shodan/
- Ivan wrote about how to hide your Kamailio SIP server from Shodan by not responding to Shodan’s SIP scans. The pattern for Shodan’s scans is actually the same as that generated by nmap, so this will also make you invisible to that tool.
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.