September 2024: OWASP in San Francisco, WebRTC, Telco security and much more

Writing this one from San Francisco, instead of our usual head quarters in Bavaria, Germany - right after the OWASP and ThreatModCon conferences.

In this edition, we cover:

• Our news about the conferences, talks and OWASP getting into WebRTC security
• Telco security: VoLTE vulnerabilities as well as SS7 hacking
• Vulnerabilities in Asterisk, Cisco, Mitel and much more

The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:

• Forward it to those who may find this newsletter particularly fruitful.
• Let us know if there are any RTC security news items we should cover.

To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.

Our news

Our WebRTC security talk for OWASP Global AppSec attendees

I presented at the OWASP 2024 Global AppSec San Francisco conference with a session titled Web Security Experts: Are you overlooking WebRTC vulnerabilities?. My talk covered the basics of WebRTC, its associated security principles, potential vulnerabilities, and key areas for application security professionals to focus on. Here’s a brief synopsis:

This presentation aims to bridge the knowledge gap between traditional web/API security and the specialized realm of WebRTC. Designed for OWASP attendees ranging from novice to advanced practitioners, it will provide a comprehensive overview of WebRTC security concepts, common vulnerabilities, and practical testing methodologies.

We’ll post the YouTube recording here as soon as it becomes publicly available.

Contribution to OWASP Application Security Verification Standard (ASVS): Version 5.0 to Feature a New WebRTC Chapter!

We’re excited to announce that after several months of work, we’ve collaborated with the OWASP ASVS project to introduce a new chapter focused on WebRTC security in the upcoming ASVS Version 5.0.

So, what is ASVS?

The OWASP Application Security Verification Standard (ASVS) is a comprehensive framework designed to set a standard for verifying the security of web applications. It provides developers with a structured list of security requirements, making it easier to test and develop secure applications.

By contributing a WebRTC section to ASVS 5.0, our goal is to provide a clear and essential set of security guidelines aimed at Product Developers, CPaaS Providers, and Service Providers building WebRTC-based applications. The new chapter will offer fundamental security checks to help ensure that WebRTC services are secure from a wide range of potential vulnerabilities.

Notable Highlights of the WebRTC Chapter:

• TURN Server Validation: Ensuring TURN servers are restricted to non-reserved IP addresses.
• Private Key Security: Ensuring the private keys used for DTLS certificates remain secure and aren’t leaked.
• Race Condition Mitigation: Protecting against the WebRTC DTLS ClientHello Race Condition vulnerability.
• SRTP Authentication: Implementing checks to prevent RTP injection by enforcing SRTP authentication.
• DTLS Certificate Fingerprints: Verifying that the DTLS certificate fingerprint matches the SDP fingerprint attribute.

You can explore the new OWASP ASVS WebRTC chapter on GitHub.

A special thanks to Josh Grossman, Elar Lang, Iman Sharaf, and the OWASP ASVS community for their support and collaboration in making this contribution possible!

“Finally, a comprehensive description and clear set of security requirements for WebRTC!”
— Olle E Johansson

Brief Recap: OWASP 2024 Global AppSec and ThreatModCon in San Francisco

After three intense days of conferences and related activities, I wanted to take a moment to share a quick overview of the two events I had the pleasure of attending.

The OWASP 2024 Global AppSec San Francisco conference spanned two days, on September 26th and 27th. Both days were packed with inspiring and insightful talks. Aside from our own presentation, there wasn’t much focus on real-time communications security, but the event provided an excellent opportunity to meet others working in related areas and immerse ourselves in the efforts of this thriving community.

One topic that particularly caught my attention was the Application Security Verification Standard (ASVS), which we plan to contribute to more actively in the future—potentially alongside other OWASP projects. Shanni Prutchi and Ryan Armstrong gave a standout presentation introducing the upcoming ASVS Version 5, which was both informative and forward-thinking.

Following the OWASP conference, I attended ThreatModCon, a conference dedicated to threat modeling. Despite frequently repeating phrases like “What’s your threat model?” or “It depends on your threat model,” I had limited experience in formal threat modeling practices. This event was eye-opening, as it introduced me to a wealth of guides and documentation I wasn’t familiar with. A particular highlight was learning about the Threat Modeling Manifesto, which simplifies the process with four key questions:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?

We had thought-provoking discussions surrounding when to conduct threat modeling and how to integrate it into existing workflows, plus some explorations into the role of AI in these processes.

In summary, the OWASP event stood out for its vibrant, large community, which continues to expand into areas broadly related to application security. It’s a great starting point for anyone looking to dive in and contribute. The ThreatModCon, though smaller and more intimate, was equally valuable. Many attendees already knew each other, but the community is clearly growing and emphasizing the importance of making threat modeling accessible to anyone working on systems that require security (which, arguably, is everything). Both events were highly relevant and insightful for anyone in this space.

What’s happening?

VoLTE Roaming: Vulnerabilities and Critical Protection Strategies

SecurityGen has released a new white paper detailing key security issues they’ve identified in VoLTE (Voice over LTE) roaming environments. The paper highlights several critical concerns, including:

• VoLTE Subscriber Attack Vectors
• SIP Protocol Vulnerabilities in VoLTE

VoLTE Subscriber Attack Vectors

The primary security risks here revolve around unauthorized access to the IMS (IP Multimedia Subsystem) core network. Historically, core networks were treated like a “walled garden”—protected from unauthorized external access while being relatively open internally. However, a closer look reveals flaws in these assumptions.

When using a mobile phone with VoLTE, the device establishes multiple connections. The first is for general Internet access, and a second—dedicated to voice traffic—connects to the IMS core. This is the defining feature of VoLTE: voice communications over LTE infrastructure.

While most mobile operators assume that automatic configuration limits subscriber access solely to voice services, attackers can bypass these safeguards. A simple configuration change, such as switching from the standard Internet APN (Access Point Name) to the IMS APN, can give unauthorized users (even subscribers) direct access to IMS core elements. This kind of access opens a variety of potential attack vectors, allowing malicious actors to connect directly to services like SIP proxies, SBCs (Session Border Controllers), and even potentially other subscribers. Alarmingly, internal network services, like SSH or administrative interfaces, could become accessible if left improperly secured.

This situation isn’t necessarily a flaw but more a consequence of how VoLTE is designed: mobile devices need IP access to IMS core elements to process voice communication. In theory, it might be possible to restrict access from unauthorized devices, but implementing such restrictions in practice might be more challenging than it seems. Additionally, the paper highlights that some networks even allow IP spoofing, further broadening the attack surface.

To mitigate these risks, mobile providers must:

• Limit network traffic to only the essential services (SIP, RTP, IPsec).
• Prevent direct communication between subscribers on the network.
• Implement egress traffic filtering to block IP spoofing.

SIP Protocol Vulnerabilities in VoLTE

The white paper also addresses several vulnerabilities related to the SIP (Session Initiation Protocol) used in VoLTE environments:

• Sensitive Information Leaks: Misconfigured SIP proxies may reveal sensitive details like the International Mobile Equipment Identity (IMEI), device information, subscriber location (e.g., internal identifiers like cell-ID), and other private data.
• Flawed Anonymous Calling Features: Weak implementations of anonymous calling can inadvertently de-anonymize calls when analyzing SIP message headers.
• SIP Flooding and Denial of Service (DoS) Attacks: Lack of protection against SIP flooding attacks can lead to service disruptions, overwhelming the VoLTE network and causing mobile phones to malfunction.

The last point, in particular, poses a serious threat, as it could severely affect essential services that rely on uninterrupted call handling. At Enable Security, we’ve observed additional vulnerabilities and resilience issues, especially concerning media servers, which often remain inadequately protected.

Conclusion

The white paper offers a comprehensive overview of VoLTE vulnerabilities and covers more intricate details and attack vectors not discussed here. If you’re interested in learning more, the full content is well worth a read. You can access it here, and a related webinar can be viewed on YouTube.

Exposing the Flaws in Our Phone System: SS7 Hacking

Earlier this month, a well-produced and insightful video about SS7 hacking surfaced on YouTube. Created by Veritasium, it’s both entertaining and highly educational, providing excellent context about the vulnerabilities within the Signaling System No. 7 (SS7) — a protocol used in telecom networks worldwide. Kudos to the various cybersecurity experts who contributed their knowledge in making this video possible!

For those seeking deeper technical insights, one of the standout resources is the 2015 presentation by Karsten Nohl and Luca Melette titled “Advanced Interconnect Attacks”. Although unrelated to VoIP or SIP, this talk dives into how SS7 is being exploited to intercept and manipulate telecommunications in dangerous ways.

If you’re curious about the vulnerabilities within global telecom infrastructures, both the video and the presentation are must-watch resources!

Security Updates and Vulnerability News Round-Up

Using WebRTC (and more) to Bypass Secure Web Gateways

At DEF-CON 32, Vivek Ramachandran and Jeswin Mathai from SquareX demonstrated numerous methods for bypassing Secure Web Gateways (SWGs) to deliver malware to web browsers. One notable demonstration involved leveraging WebRTC: using a WebSocket connection for signaling, they triggered the WebRTC API to establish a data channel, which then downloaded malicious files. This is just one of the thirty bypass techniques they showcased, revealing the limitations of SWGs in filtering modern web traffic, which goes far beyond traditional HTTP/1.1 patterns.

APIBAN Summer 2024 Stats

For those unfamiliar with APIBAN, this API provides network administrators with a list of IP addresses identified as sources of malicious traffic. Initially focused on SIP traffic, APIBAN now also covers malicious HTTP traffic. Fred Posner, APIBAN’s lead developer, recently shared some summer 2024 statistics, revealing what the system’s honeypots have been catching. It’s an insightful look at emerging malicious behavior trends.

Discord’s New End-to-End Encryption for Audio & Video

Discord has rolled out end-to-end encryption (E2EE) for audio and video communications on their supported clients, unveiling the DAVE protocol. They’ve made the whitepaper for the protocol (discord/dave-protocol) available and published the libraries they use (discord/libdave). Additionally, they conducted security assessments with Trail of Bits, publishing both the design review and implementation review. A fascinating read for those interested in secure communications.

AudioCodes Updated Security Guidelines Published

If your organization uses AudioCodes equipment, you’ll want to check out their newly updated security guidelines, which cover best practices for securing gateways and SBCs (Session Border Controllers). These updates touch on all key topics related to protecting and hardening your communications infrastructure.

Asterisk Fixed a SIP Crash Upon Malformed Contact - Record-Route URI (CVE-2024-42491)

Asterisk has patched a vulnerability that could lead to a SIP crash when receiving a malformed Contact or Record-Route URI. Exploiting this vulnerability requires several specific conditions to be met, such as res_resolver_unbound being loaded and rewrite_contact set to false, making this a low-severity issue overall.

Mitel Fixed Two CVEs in Their SIP Phones and Conference Units

Mitel has addressed two vulnerabilities affecting their 6800 Series, 6900 Series, and 6970 Conference Unit SIP Phones:

• CVE-2024-41710: Command injection in the boot process (Medium severity).
• CVE-2024-41711: Command injection (High severity).
  Despite sounding similar, each vulnerability was reported by different researchers and has distinct severity ratings.

Cisco Fixed a High-Severity DoS in Cisco Unified CM and Cisco Unified CM SME (CVE-2024-20375)

In a high-profile fix reported by the NSA, Cisco resolved a Denial of Service vulnerability affecting Cisco Unified CM and Cisco Unified CM SME. The vulnerability stems from improper parsing of SIP messages. By sending crafted SIP messages, an attacker could force the device to reload, leading to a DoS condition that disrupts communications for voice and video devices. This vulnerability has received considerable news coverage due to its origin being reported by the NSA.

Cisco Unified Communications Manager Cross-Site Scripting Vulnerability Fixed

Cisco also addressed a cross-site scripting (XSS) issue tracked as CVE-2024-20488, with a CVSS score of 6.1. While XSS vulnerabilities often have higher severity, this specific case involves a reflected XSS attack where the attacker would have to convince a logged-in victim to visit a malicious URL, making it somewhat less critical than other XSS scenarios.

FUZZING24 Keynote: Reasons for the Unreasonable Success of Fuzzing by Thomas Dullien

In this keynote from FUZZING24, Thomas Dullien (aka Halvar Flake) traces the evolution of fuzzing—a bug discovery technique that was originally underappreciated by the hacker culture of the ’90s and 2000s, but has since become essential in vulnerability research. He recounts the discovery of several important vulnerabilities through fuzzing and provides insightful reflection on the technique’s rise to mainstream success. Definitely worth checking out for those interested in security research!

This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.

To subscribe: here