Welcome to this 3rd anniversary edition of the RTCSec newsletter!
In this edition, we cover:
- our news, including three years of the newsletter and a new white paper on a WebRTC implementation vulnerability
- coverage of DEF CON 32 talks that mention WebRTC, the FBI-run encrypted phone company Anom, and SIP URI parsing vulnerabilities
- various vulnerabilities fixed in Cisco ATA devices, Mitel MiCollab, VICIdial, and more
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
RTCSec Newsletter Turns 3: Celebrating Our Journey in VoIP and WebRTC Security
As we mark three years of the RTCSec newsletter, we’re thrilled to see how our mission of shining a light on VoIP and WebRTC security has resonated with our readership. In fact, our newsletter’s audience has grown significantly despite its niche focus. In the meantime, we’ve covered crucial topics like WebRTC vulnerabilities, VoIP and conferencing platform security, AI-driven audio manipulation threats, communication system resilience, and the challenges of SMS/Voice 2FA.
We’re grateful to everyone who’s contributed to this journey - from those reporting and fixing vulnerabilities to thought leaders, our Enable Security team and especially, you - our readers. Please share this newsletter with colleagues in cybersecurity, VoIP/WebRTC teams, telecommunications professionals, unified communications specialists, decision makers, and anyone interested in real-time communication security.
On a personal note, curating this newsletter has been incredibly rewarding, keeping me personally informed, inspired, and passionate about RTC security. Here’s to many more years of securing our real-time communications together!
New White Paper: DTLS “ClientHello” Race Conditions in WebRTC Implementations
This month we released our latest white paper, “DTLS ‘ClientHello’ Race Conditions in WebRTC Implementations”. This comprehensive study delves into a critical vulnerability affecting various WebRTC implementations, with potential implications for real-time communication security.
Our research team at Enable Security conducted extensive testing on both open-source and proprietary WebRTC implementations, focusing on media servers and popular communication platforms. The study aimed to identify vulnerabilities related to the processing of DTLS ClientHello messages in WebRTC sessions.
Among the tested platforms, we found several implementations vulnerable to this issue:
- RTPEngine
- Asterisk
- FreeSWITCH
- Skype (PSTN)
In the case of the open-source software, this issue has been mitigated in the latest versions. Our testing encompassed a wide range of platforms, including but not limited to:
- Janus
- Discord Service Voice channel
- Dolby.io Live Broadcast
- Facebook Messenger web client
- Google Meet
- LiveKit Meet
- Webex Meetings
- Zoho Meeting
- Zoom personal room meeting
- Mediasoup
The white paper provides a detailed analysis of our methodology, findings, and the potential impact of this vulnerability. The core issue is that the affected implementations act on a DTLS “ClientHello” without properly verifying where it came from, so a ClientHello sent by a third party can race the legitimate one and disrupt the handshake, resulting in denial of service.
Importantly, our research highlights that while this behavior doesn’t necessarily indicate a bug in the WebRTC specification itself, it reveals a critical oversight that multiple implementors have failed to address.
We believe this research contributes significantly to the ongoing efforts to enhance WebRTC security across the industry. By sharing our findings, we aim to foster a more secure environment for real-time communication services.
To dive deeper into our methodology, results, and recommendations, we encourage you to read the full white paper. Feel free to reach out if you have any questions about our findings or methodology.
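To show the check concretely, here is a constructed, simplified model of a media server’s UDP receive path (an example added for this newsletter, not code from the white paper, RTPEngine, Asterisk, FreeSWITCH or any other platform listed above). It demultiplexes packets on the first byte as RFC 7983 describes, recognises a DTLS ClientHello from the record and handshake headers, and compares a server that accepts DTLS from any source with one that only accepts it from the address ICE has validated. The addresses, the `MediaSession` API and the `require_ice_verified_peer` switch are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, int]

# Constructed, simplified model of a WebRTC media server's UDP receive path,
# written for this example; it is not code from the white paper or from any
# implementation named in the newsletter.

def classify(datagram: bytes) -> str:
    """Demultiplex on the first byte as RFC 7983 describes: 0-3 STUN,
    20-63 DTLS, 128-191 RTP/RTCP."""
    if not datagram:
        return "empty"
    first = datagram[0]
    if first <= 3:
        return "stun"
    if 20 <= first <= 63:
        return "dtls"
    if 128 <= first <= 191:
        return "rtp"
    return "unknown"

DTLS_CT_HANDSHAKE = 22            # record-layer content type
DTLS_HS_CLIENT_HELLO = 1          # handshake message type
DTLS_VERSIONS = {0xFEFF, 0xFEFD}  # DTLS 1.0 / 1.2 as sent on the wire

def is_client_hello(datagram: bytes) -> bool:
    """The 13-byte DTLS record header (type, version, epoch, 48-bit seq,
    length) is followed by the handshake header, whose first byte is msg_type."""
    if len(datagram) < 14 or datagram[0] != DTLS_CT_HANDSHAKE:
        return False
    (version,) = struct.unpack("!H", datagram[1:3])
    return version in DTLS_VERSIONS and datagram[13] == DTLS_HS_CLIENT_HELLO

def fake_client_hello(body: bytes = b"\x00" * 40) -> bytes:
    """Constructed DTLS 1.2 ClientHello record: the headers are realistic, the
    body is filler (enough for the demux decision, not a full handshake)."""
    hs = (bytes([DTLS_HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big")   # msg_type, length
          + b"\x00\x00"                                                  # message_seq
          + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big")         # fragment offset/length
          + body)
    record_hdr = (struct.pack("!BH", DTLS_CT_HANDSHAKE, 0xFEFD)          # type, version
                  + b"\x00\x00" + b"\x00" * 6                             # epoch, sequence number
                  + struct.pack("!H", len(hs)))                           # length
    return record_hdr + hs

@dataclass
class MediaSession:
    require_ice_verified_peer: bool          # False reproduces the vulnerable behaviour
    ice_verified_peer: Optional[Addr] = None
    dtls_peer: Optional[Addr] = None

    def ice_check_succeeded(self, peer: Addr) -> None:
        """Called once a STUN Binding request carrying a valid MESSAGE-INTEGRITY
        (an ICE connectivity check) from `peer` has been processed."""
        self.ice_verified_peer = peer

    def receive(self, src: Addr, datagram: bytes) -> str:
        kind = classify(datagram)
        if kind != "dtls":
            return f"{kind} from {src}"
        if self.require_ice_verified_peer and src != self.ice_verified_peer:
            # Hardened: DTLS is processed only from the address ICE validated.
            return f"dropped DTLS from unverified {src}"
        if is_client_hello(datagram):
            if self.dtls_peer is None:
                self.dtls_peer = src             # first ClientHello owns the handshake
                return f"handshake started with {src}"
            if src != self.dtls_peer:
                # The legitimate ClientHello arrives second and is discarded,
                # so the session never derives its SRTP keys.
                return f"ignored ClientHello from {src}, handshake owned by {self.dtls_peer}"
        return f"dtls from {src}"

def simulate(require_ice_verified_peer: bool) -> List[str]:
    """An attacker who learned the server's ICE candidate (e.g. from the SDP)
    races the browser: its ClientHello lands before the browser finishes ICE."""
    browser = ("198.51.100.10", 50000)   # constructed addresses
    attacker = ("203.0.113.7", 40000)
    session = MediaSession(require_ice_verified_peer)
    outcome = [session.receive(attacker, fake_client_hello())]
    session.ice_check_succeeded(browser)
    outcome.append(session.receive(browser, fake_client_hello()))
    return outcome
```

With `require_ice_verified_peer=False` the attacker’s ClientHello starts the handshake and the browser’s is ignored; with it set to `True` the attacker’s packet is dropped and the browser’s handshake proceeds. The ICE check is what gives the server an authenticated remote address, and the DTLS layer should not accept a peer it never validated.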
What’s happening?
DEF CON 32 talks that mention WebRTC
Top War Stories from a TryHard Bug Bounty Hunter - Justin Rhynorater Gardner
In this talk, Justin Rhynorater Gardner discusses various bug bounty findings. We are most interested in bug #5, which involves snooping on other users’ meetings. Gardner investigated a video chat and collaboration app, setting himself the challenge of joining meetings unnoticed. He found that when a user joins a meeting, it is the browser (i.e. the client side) that announces the join to the other participants. By modifying the client-side code so that this announcement is never sent, he was able to sit in meetings without anyone being told he was there. He first spotted the possibility while reviewing the project’s GitHub issues.
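What follows is a constructed model of that design flaw and of the fix (an example added for this newsletter, not the vendor’s code; the `Room` class, its policy names and the user names are assumptions). In the vulnerable policy the server only relays a join if the client announces it; in the hardened one the server broadcasts every join it admits itself, so a client that deletes the announcement code gains nothing.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed model of a meeting signaling server, added to illustrate the
# pattern behind bug #5; it is not the vendor's code, and the names (Room,
# join, roster, the policy strings) are assumptions made for this example.
#   "client-announced": the server relays a join only if the client sends a
#                       presence message (the vulnerable design)
#   "server-derived":   the server records and broadcasts every authenticated
#                       join itself, so a modified client cannot opt out

@dataclass
class Room:
    policy: str
    members: Set[str] = field(default_factory=set)   # users the server relays media to
    roster: Set[str] = field(default_factory=set)    # users the other participants are shown
    events: List[Tuple[str, str]] = field(default_factory=list)

    def join(self, user: str, announce: bool = True) -> None:
        """`announce` models whether the (attacker-modifiable) client code
        still sends its 'I joined' message after being admitted."""
        self.members.add(user)                 # the server admitted this user: it knows
        if self.policy == "server-derived":
            self._broadcast_join(user)         # presence derived from the join itself
        elif announce:
            self.client_message(user, {"type": "presence", "user": user})

    def client_message(self, sender: str, msg: Dict[str, str]) -> None:
        """Signaling message received from a client."""
        if msg.get("type") != "presence":
            return
        if self.policy == "server-derived":
            return                             # roster is never driven by client claims
        # Vulnerable: trusts the claim, and does not even bind it to `sender`
        self._broadcast_join(msg["user"])

    def _broadcast_join(self, user: str) -> None:
        self.roster.add(user)
        self.events.append(("participant_joined", user))

    def hidden_members(self) -> Set[str]:
        """Users receiving media who are not visible to anyone else."""
        return self.members - self.roster

def run_scenario(policy: str) -> Set[str]:
    """Two ordinary clients plus one whose presence call was removed."""
    room = Room(policy)
    room.join("alice")
    room.join("bob")
    room.join("lurker", announce=False)        # client-side announcement deleted
    return room.hidden_members()

def forged_presence(policy: str) -> Set[str]:
    """A silent joiner announces someone else; returns the resulting roster."""
    room = Room(policy)
    room.join("mallory", announce=False)
    room.client_message("mallory", {"type": "presence", "user": "alice"})
    return room.roster
```

The general rule: presence, membership and similar facts the server already knows must be derived from the authenticated action (the join), never from a later message the client is free not to send, or to send with someone else’s name in it.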
QuickShell: Sharing is Caring about an RCE Attack Chain on Quick Share - Or Yair, Shmuel Cohen
This talk explores an RCE (Remote Code Execution) attack chain on Quick Share, a wireless peer-to-peer data transfer utility used across Android, Windows, and ChromeOS. Quick Share supports various communication methods like WiFi, Bluetooth, and WebRTC. The researchers focused on the protocol behind the file transfer, which uses Protobuf and OfflineFrame structures. During their investigation, they uncovered ten vulnerabilities, all of which were later addressed and patched by Google. More details can be found in the associated blog post and code repository.
Reverse engineering and hacking Ecovacs robots - Dennis Giese, Braelynn Hacker
This talk highlights vulnerabilities within several Ecovacs products, including vacuum robots, lawnmowers, and air purifiers, which allow live audio and video streaming via mobile apps. The presentation covered a large number of interesting vulnerability topics but we’ll focus on the WebRTC (i.e. audio and video streaming) functionality here. The streaming feature leverages AWS Kinesis, a service for real-time data streaming. While connections to the stream are protected by a user-entered PIN, the mobile app verifies the PIN by querying the robot directly. The presenters discovered that by modifying the robot’s response to indicate a correct PIN, even when the wrong PIN is entered, they could bypass this validation. This manipulation grants unauthorized access to the Kinesis WebRTC session, exposing the audio and video feed. A demonstration revealed how easily this security measure could be overridden.
Inside the FBI’s Secret Encrypted Phone Company ‘Anom’ - Joseph Cox
Get your popcorn and watch the talk Joseph Cox gave at DEF CON 32. I still need to sit down and watch/listen to this properly, but in the meantime I thought I’d satisfy my inner geek’s curiosity about how the FBI ran a phone company. Technically, they had the following components:
- XMPP/Jabber server for transporting all the chat communications
- Hardware consisted of Google Pixel phones (Pixel 2, 3A, 4A) and some Samsung Galaxy models
- Intel NUCs (Next Unit of Computing) as “black boxes” for loading the custom OS and app
- Custom operating system called Arcane OS, based on GrapheneOS
- Anom messaging app
- AWS (Amazon Web Services) for routing messages
- Various proxy, ingestion and transfer servers to hide any interception and ultimately deliver the data to the FBI
- Third-party country servers in Lithuania and in the UK
- FBI’s front-end system (HolaiBot)
- S3 bucket (likely for storing attachments like photos and videos)
- Mobile Device Management (MDM) systems - initially Mobile Iron, later switched to FieldX
Fascinating story.
SIP Security: Exploring URI Parser Vulnerabilities and taking inspiration from DEF CON 32
Gareth Heyes’ DEF CON 32 talk, “Splitting the email atom: exploiting parsers to bypass access controls”, explores the complex world of email address parsing. This research inspired me to consider similar applications in the realm of Session Initiation Protocol (SIP).
SIP RFC 3261, section 19.1, discusses SIP and SIPS Uniform Resource Indicators, referencing RFC 2396 as a guideline. Like email addresses, SIP addresses are complex and warrant further investigation. Key areas of interest include:
SIP URI parsing discrepancies:
- Differences across various SIP proxies, user-agent servers, and clients
- Potential for authentication or authorization bypasses
- Possible real-world consequences, such as toll fraud
Injection attacks via SIP URIs:
- Previously observed vulnerabilities leading to:
  - Cross-site scripting
  - SQL injection
  - Command injection
Special header injection in SIP requests:
- Exploiting the ability to include headers in SIP URIs
- Example:
sip:atlanta.com;method=REGISTER?to=alice%40atlanta.com
These areas of investigation could potentially reveal numerous other security implications in SIP systems.
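To make the first two points concrete, here is a small added example (written for this newsletter, not taken from any SIP stack): a parser that follows the RFC 3261 grammar order beside a shortcut parser of the kind found in ad-hoc code, run over a few constructed URIs including the RFC example above, plus the check a user agent should make before copying URI headers into a request. The URIs in `CASES` and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Added example (not from the newsletter or any SIP stack): two parsers for
#   sip:[user[:password]@]host[:port][;p=v...][?h=v&...]   (RFC 3261 s.19.1, s.25.1)
# compared on constructed URIs, plus a header check for RFC 3261 s.19.1.5.

@dataclass
class SipUri:
    scheme: str
    user: Optional[str]
    host: str
    port: Optional[int]
    params: Dict[str, Optional[str]] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)

def _kv(text: str, sep: str) -> dict:
    out = {}
    for item in filter(None, text.split(sep)):
        name, has_eq, value = item.partition("=")
        out[name.lower()] = unquote(value) if has_eq else None
    return out

def _hostport(text: str) -> Tuple[str, Optional[int]]:
    """host = hostname / IPv4 / bracketed IPv6; no escapes, no '@' allowed."""
    if "@" in text:
        raise ValueError("user may not contain an unescaped '@'")
    m = re.match(r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?$", text)
    if not m:
        raise ValueError(f"bad hostport {text!r}")
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def parse_rfc3261(uri: str) -> SipUri:
    """Grammar order: userinfo ends at the first '@' (';' and '?' are legal
    inside user, '@' is not), then hostport, then ';' params, then '?' headers."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        raise ValueError("not a SIP/SIPS URI")
    user = None
    if "@" in rest:
        userinfo, rest = rest.split("@", 1)
        user = unquote(userinfo.partition(":")[0])      # password, if any, dropped
    rest, _, headers = rest.partition("?")
    hostport, _, params = rest.partition(";")
    host, port = _hostport(hostport)
    return SipUri(scheme.lower(), user, host, port, _kv(params, ";"), _kv(headers, "&"))

def parse_naive(uri: str) -> SipUri:
    """Shortcut seen in ad-hoc code: percent-decode the whole URI first, cut
    params and headers wherever ';' / '?' appear, then split on the last '@'."""
    scheme, _, rest = unquote(uri).partition(":")
    rest, _, headers = rest.partition("?")
    rest, _, params = rest.partition(";")
    userinfo, at, hostport = rest.rpartition("@")
    host, _, port = hostport.partition(":")
    return SipUri(scheme.lower(), userinfo.partition(":")[0] if at else None,
                  host, int(port) if port else None, _kv(params, ";"), _kv(headers, "&"))

def routing_host(parser, uri: str) -> str:
    """What a proxy would route on, or why it rejected the URI."""
    try:
        return parser(uri).host
    except ValueError as e:
        return f"rejected: {e}"

def has_header_injection(uri: str) -> bool:
    """A UA forming a request from URI headers (RFC 3261 s.19.1.5) must refuse
    decoded values containing CR/LF, which would end the header line and
    smuggle extra headers (here a Contact) into the request."""
    return any("\r" in v or "\n" in v for v in parse_rfc3261(uri).headers.values())

CASES = {  # constructed inputs
    "user-with-semicolon": "sip:alice;x=1@atlanta.com",
    "escaped-at-in-host":  "sip:alice@atlanta.com%40evil.example",
    "rfc-example":         "sip:atlanta.com;method=REGISTER?to=alice%40atlanta.com",
    "crlf-in-header":      "sip:bob@atlanta.com?Subject=hi%0D%0AContact:%20sip:x%40evil.example",
}

def discrepancies() -> Dict[str, Tuple[str, str]]:
    """Cases where the two parsers would route (or reject) differently."""
    out = {}
    for name, uri in CASES.items():
        strict, naive = routing_host(parse_rfc3261, uri), routing_host(parse_naive, uri)
        if strict != naive:
            out[name] = (strict, naive)
    return out
```

The two parsers agree on the well-formed RFC example and disagree on the crafted ones: the grammar-following parser routes `sip:alice;x=1@atlanta.com` to atlanta.com while the shortcut routes it to a host called `alice`, and the shortcut happily routes `sip:alice@atlanta.com%40evil.example` to evil.example where the strict parser rejects it. That is exactly the kind of discrepancy that becomes an authorization bypass when a proxy and a registrar, or an SBC and the PBX behind it, do not parse the same way. The CR/LF check matters because RFC 3261 section 19.1.5 lets a user agent build a request from the URI’s headers.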
Truth in Telecoms and CXTech Newsletter covering Artificially Inflated Traffic (AIT) Fraud
For those in the audience involved in the telecom industry, AIT may be of interest. Alan Quayle and the Truth in Telecoms / TAD Summit Podcast have covered this topic in two episodes:
- Podcast 93: Truth in Telecoms, AIT, Kevin Graham and Daniel Gill
- Podcast 94: Truth in Telecoms, What to do about AIT, Kevin Graham and Daniel Gill
If you prefer reading over watching videos or listening to podcasts, Alan’s newsletter provides coverage in CXTech Week 41 2024 News and Analysis.
Security Updates and Vulnerability News Round-Up
Cisco ATA 190 Series Analog Telephone Adapter Firmware Vulnerabilities
Cisco has addressed eight vulnerabilities in their ATA 190 Series Analog Telephone Adapter devices, impacting both the administrative web interface and the command line interface (CLI). The most severe include CVE-2024-20458, which allows unauthenticated attackers to change the configuration or firmware through HTTP endpoints, and CVE-2024-20459, where authenticated users could escalate privileges to execute commands as the root user. Other issues such as CVE-2024-20421 and CVE-2024-20460 involve cross-site vulnerabilities that require an attacker to redirect an administrator’s browser to malicious URLs. Additionally, vulnerabilities like CVE-2024-20462 expose sensitive information such as user passwords, while others—CVE-2024-20461, CVE-2024-20463, and CVE-2024-20420—permit command injection, denial of service, and privilege escalation.
Effective Fuzzing: A Dav1d Case Study
In this article, Nick Galloway from the Google Project Zero team discusses discovering an integer overflow vulnerability in the dav1d AV1 video decoder, widely used in WebRTC. The vulnerability, tracked as CVE-2024-1580, was previously covered in the March edition and the April edition of the Enable Security newsletter. The article provides insight into the process of discovering the vulnerability and explains why the initial oss-fuzz fuzzer failed to catch the bug.
Pixel’s Proactive Approach to Security: Addressing Vulnerabilities in Cellular Modems
This Google blog post describes the proactive measures taken in the latest Pixel phones to harden the cellular baseband. The baseband, which handles cellular communications such as LTE (4G) and 5G, has been the subject of earlier research, particularly around VoLTE and VoWiFi signaling. Parsing protocols such as SDP and RTCP at the baseband level is risky, as shown by previous findings from Google’s Project Zero, including vulnerabilities in the Shannon baseband and Samsung Exynos chipsets. Pixel phones now build their baseband with Bounds Sanitizer, Integer Overflow Sanitizer, Stack Canaries, Control Flow Integrity and Auto-Initialize Stack Variables, reinforcing protection against these threats.
VICIdial Authenticated Remote Code Execution and Unauthenticated SQL Injection
VICIdial, a web-based platform for managing inbound and outbound communications, is vulnerable to two critical security issues: an unauthenticated SQL injection (KL-001-2024-011) and an authenticated remote code execution vulnerability (KL-001-2024-012). These flaws allow attackers to first use SQL injection to gain access to plaintext credentials, then log in and execute arbitrary shell commands on the server. This sequence of attacks can swiftly escalate to remote code execution as the root user, posing a severe security risk. The “Proof of Concept” sections in the advisories demonstrate the full extent of the vulnerabilities.
CVE-2024-49215 vulnerability in old versions of Asterisk’s Management Interface
A vulnerability, tracked as CVE-2024-49215, was found in Asterisk versions 18.20.0, 19.x, 20.x through 20.5.0, 21.x through 21.0.0, and Certified Asterisk through 18.9-cert5. The latest Asterisk versions, such as 22.0.0, 21.5.0, 20.10.0, 18.25.0, and Certified Asterisk 20.7-cert3, are unaffected by this issue. This flaw potentially enables a directory traversal attack through the Asterisk Management Interface (AMI), allowing arbitrary file read disclosure. However, it’s important to note that this issue has not been validated, and the Asterisk team has not released an official advisory regarding it.
Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
matrix-react-sdk versions prior to 3.102.0 contain a vulnerability that allows a malicious homeserver to steal message keys when a user invites another user to a room. The issue arises because older versions shared historical message keys during the invite process, so a malicious device controlled by the homeserver could obtain them. Note also that matrix-react-sdk was archived on September 11, 2024, having been merged into the element-web repository.
How a cyberattack inspired this security engineer’s career
This article tells the story of Shane McCausland, who is now a member of Yahoo’s cybersecurity team, The Paranoids. McCausland’s introduction to the field of cybersecurity came when he built a VoIP phone system based on the Asterisk server, which was subsequently compromised by a series of brute force attacks from a suspicious origin. This incident ultimately inspired him to pursue a career in cybersecurity.
Various critical and high severity vulnerabilities fixed in Mitel’s MiCollab, Unified Communications Platform
Mitel has addressed several critical and high-severity vulnerabilities in its MiCollab unified communications platform. The vulnerabilities, including path traversal (CVE-2024-41713) and SQL injection flaws (CVE-2024-47223 and CVE-2024-47189), were published on October 9, 2024. An authentication bypass vulnerability (CVE-2024-47912) was also fixed. Mitel recommends users update to mitigate these issues, as they could lead to critical security compromises such as unauthorized access or data exfiltration.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.
To subscribe: here