While others curl up with holiday classics, treat yourself to some light reading about security breaches, vulnerabilities, and cyber threats in our final RTCSec newsletter of 2024! 🎄
In this edition, we cover:
- A bit of bragging: our 2024 contributions and achievements in RTC security
- The best & worst of VoIP and WebRTC Security in 2024
- Report of the Grandstream Device Management System (GDMS) compromise
- Recently patched vulnerabilities in Mitel and Matrix systems
- TADSummit podcasts on cybersecurity and a brief overview of the Salt Typhoon phone company breach
The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- Forward it to those who may find this newsletter particularly fruitful.
- Let us know if there are any RTC security news items we should cover.
To view past issues, please visit our website at https://www.enablesecurity.com/newsletter/.
Our news
So long and see you in 2025
This edition is coming out a bit earlier than usual so that we can take a well-deserved break during the holidays.
Thank you for being a loyal reader. We take pride in creating this monthly newsletter. For me personally, it is an excuse to keep an open mind, learn and think deeper about what is happening in cybersecurity and IP communications. Your feedback tells us you value our analysis of security events, particularly in VoIP and WebRTC security.
The past 12 months have been successful for Enable Security, with a mix of penetration testing, security consulting, and contributions to the VoIP, WebRTC, and security communities. We conducted penetration testing on diverse client systems, including:
- Emergency service contact centers
- AI-powered audio products
- AI-powered customer service platforms
- Bank call centers and contact center platforms
- Session Border Controllers
- WebRTC gateways
- Traditional PBX systems
This work is made possible by our clients, who trust us to assess their systems’ security while letting us focus on our core expertise. To our clients: thank you for your continued trust.
We’ll be back with more of this in 2025. Wishing you all rest, relaxation, and renewal this holiday season!
Sandro Gauci
Contributions to the state of VoIP and WebRTC security
Our key publications for 2024 were the following:
- OWASP Projects
- New WebRTC chapter for Application Security Verification Standard v5
- Global AppSec San Francisco 2024 presentation on WebRTC security: synopsis and slides
- WebRTC Security Research
- Industry Talks
Slides for the OWASP WebRTC security talk
We posted the slides for the presentation given at the OWASP event in San Francisco earlier this year.
The presentation video is not yet available but I hope that the slides are useful for some who might be looking into the fascinating topic of WebRTC Security.
Synopsis:
WebRTC is indispensable when it comes to how we communicate in this day and age - whether through video calls, live streaming or for online gaming. But are we, as security professionals, overlooking critical vulnerabilities in this technology?
In our presentation given for OWASP 2024 Global AppSec San Francisco, we explored:
- Introduction to WebRTC Security: Understanding WebRTC’s role in real-time communication and the need for specialized security approaches.
- Key Security Features: Built-in protections like HTTPS enforcement, DTLS-SRTP encryption, and NAT traversal using STUN/TURN servers.
- Common Vulnerabilities:
- TURN relay abuse
- Guessable meeting IDs
- Outdated dependencies
- RTP injection attacks (DoS/injected audio)
- Signaling flood DoS attacks
- Cryptographic failures
- Real-World Case Studies: Insights from vulnerabilities identified in platforms like Slack, 8x8, and others.
- How WebRTC Differs from Traditional Web/API Security: Unique attack surfaces and challenges with availability and latency.
- Testing WebRTC Security: Practical tools and techniques, including gstreamer, Wireshark, and custom tools.
- Practical Security Tips: White-box testing, architectural reviews, and integrating WebRTC security into OWASP ASVS.
Check out the slides: OWASP presentation - Web Security Experts: Are you overlooking WebRTC vulnerabilities?
What’s happening?
The best & worst of VoIP and WebRTC Security in 2024
It is time to look back at the past year and figure out what went well and not so well for VoIP and WebRTC security. In terms of positives, we particularly enjoyed the increased focus on WebRTC security this year. Researchers like Cassidy Kim were regularly discovering and reporting vulnerabilities in the WebRTC project, leading to fixes and improvements in web browsers. There has been great interest from organizations such as OWASP in covering WebRTC security, including the introduction of a WebRTC chapter in the Application Security Verification Standard (ASVS). A number of presentations at notable conferences such as DEF CON also featured security research related to WebRTC.
On the vulnerabilities front, we noted that fixes for Denial of Service (DoS) vulnerabilities were made in various critical RTC systems, including Asterisk, FreeSWITCH, rtpengine, and Cisco Unified Communications Manager (CUCM) and CUCM Session Management Edition (SME). DoS attacks remained a significant concern in VoIP and WebRTC security due to their potential to cause substantial inconvenience and financial losses. After all, an unreliable real-time communications system is quite useless.
The most concerning security issues of 2024 centered around VoIP and Conferencing Platform vulnerabilities, with Cisco WebEx experiencing several security incidents earlier in 2024. A related concern was the numerous vulnerabilities found in VoIP phones, including issues with provisioning, encryption, and unauthorized access.
Of particular interest, and something we’re sure we’ll see more of in the coming year, is anything related to AI and Machine Learning exploiting real-time audio and possibly video. For example, research by IBM X-Force demonstrated the potential for AI and LLMs to exploit audio streams, such as banking calls, to steal sensitive information. Additionally, malware analysis revealed the use of the Agora SDK and deepfake technology in malicious campaigns targeting VoIP systems.
Looking ahead, while we’re encouraged by the increased focus on WebRTC security and vulnerability reporting, the combination of AI-based threats and ongoing platform security issues suggests an interesting year ahead. Organizations will need to stay alert, particularly as attack vectors become more sophisticated. The intersection of VoIP, WebRTC, and AI will definitely be an area to watch closely in the coming months.
Reports of Grandstream Device Management System (GDMS) compromise
A Reddit post revealed that Grandstream, an IP communications vendor, experienced a security incident in their device management system. A user in the comments reported unauthorized international calls made through compromised SIP accounts. VoIP blog Sinologic confirmed the incident and advised users to “update their GDMS credentials”.
A compromise of device management systems like GDMS can give attackers extensive control over various vendor devices, including:
- IP PBXs
- IP Video Conferencing Systems
- IP Intercom, Video Door Systems and Paging Devices
- IP Phones, DECT Phones, Wi-Fi Phones and Analog Telephone Adapters (ATAs)
- WiFi Devices including Access Points and Routers
While details about this incident remain limited, it’s worth noting that Grandstream’s security vulnerabilities have been featured in our newsletter before.
- Grandstream IP Phone Zero Day vulnerabilities by Pentraze
- SQL and command injection in Grandstream PBX
- Grandstream GXP2135 command injection vulnerability discovered by Cisco TALOS (CVE-2024-32937)
- Security researcher, Shawn Merdinger, posting about VoIP device found on the Internet
During our brief investigation, we discovered these additional reports from ATROPOS:
- GWN Cloud – An IDOR coming back from the dead
- GWN is the cloud management platform for Grandstream networking products, including WiFi devices. The security researcher could add any network ID to his account, which made him an administrator on third-party networks. This sort of vulnerability seems close to what might have been exploited in the GDMS security incident.
- Third Time’s a Charm: Identifying Another Critical Flaw in Grandstream’s Security
- A similar issue to the above, but it seems even closer to what might have been abused in the incident described here. Might it be a variation of what is described in this blog post?
We contacted ATROPOS’s security researcher, who also suspects the exploit likely involved another Insecure Direct Object Reference (IDOR) vulnerability. The full impact of this incident and Grandstream’s containment efforts remain unclear.
Note: Most device management and provisioning systems store SIP credentials unencrypted by design, making such breaches particularly concerning.
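The IDOR pattern described above (a client-supplied network ID is the only thing tying a network to an account) is easiest to see in code. The following is an added example written for this newsletter, not code from GWN Cloud, GDMS or ATROPOS: a vulnerable "attach network to my account" handler beside a hardened one that ties the authorization to an owner-issued, single-use invite rather than to a guessable identifier. All names, IDs and records are constructed.

```python
"""Added example (not GWN Cloud or GDMS code): the IDOR pattern, shown as a vulnerable
"attach network to my account" handler next to a hardened one. Data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import hmac
import secrets


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested network."""


@dataclass
class Network:
    network_id: str
    owner: str
    admins: Set[str] = field(default_factory=set)
    invite_token: Optional[str] = None  # single-use, issued only by the owner


def make_networks() -> Dict[str, Network]:
    """Constructed tenant data: two customers, each owning one network."""
    return {
        "net-1001": Network("net-1001", owner="alice", admins={"alice"}),
        "net-1002": Network("net-1002", owner="bob", admins={"bob"}),
    }


def add_network_vulnerable(networks, user, network_id):
    """Vulnerable: the only check is that the network ID exists. Because IDs are
    sequential and guessable, any authenticated user can become admin of any network."""
    net = networks[network_id]
    net.admins.add(user)
    return sorted(net.admins)


def issue_invite(networks, owner, network_id):
    """Owner-only: mint an unguessable, single-use invite for this network."""
    net = networks[network_id]
    if net.owner != owner:
        raise Forbidden("only the owner may invite admins")
    net.invite_token = secrets.token_urlsafe(32)
    return net.invite_token


def add_network_hardened(networks, user, network_id, invite_token):
    """Hardened: authorization comes from a secret the owner handed out, not from the
    network ID the client typed in. Constant-time comparison avoids leaking the token."""
    net = networks.get(network_id)
    ok = (
        net is not None
        and net.invite_token is not None
        and hmac.compare_digest(net.invite_token.encode(), invite_token.encode())
    )
    if not ok:
        # Same error whether the network is missing or the token is wrong, so this
        # endpoint cannot be used to enumerate which network IDs exist.
        raise Forbidden("not authorized for this network")
    net.invite_token = None  # consume the invite
    net.admins.add(user)
    return sorted(net.admins)


def hardened_rejects(networks, user, network_id, invite_token) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        add_network_hardened(networks, user, network_id, invite_token)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    nets = make_networks()
    print("vulnerable, guessed ID:", add_network_vulnerable(nets, "mallory", "net-1002"))
    nets = make_networks()
    print("hardened, guessed ID rejected:", hardened_rejects(nets, "mallory", "net-1002", "x"))
    token = issue_invite(nets, "bob", "net-1002")
    print("hardened, with owner invite:", add_network_hardened(nets, "mallory", "net-1002", token))
```

The point of the hardened version is that the server never asks "does this network exist?" but "did the owner of this network authorize this caller?"; the identifier alone carries no rights.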
TADSummit podcasts on cyber-security, telco fraud and Mobile Ecosystem Forum
In the podcast hosted by Alan Quayle and Giovanni Tarone, they have been delving into several hot topics:
- AIT (Artificially Inflated Traffic): how it is used to increase traffic artificially and generate revenue, and how it can be difficult to stop.
- SIM boxes: how they are used to send SMS messages illegally, and how they can be difficult to detect and block.
- Phishing: how it is used to steal personal information, and how it can be delivered through various channels, including SMS and email.
- Cybersecurity: the importance of cybersecurity, the various threats that exist, and the steps that individuals and organisations can take to protect themselves.
- State-sponsored hacking: how nation-states are using hacking to target other countries and organisations.
- Social engineering: how it is used to trick people into giving up personal information, and how it can be difficult to protect against.
- Zero-day exploits: how they are used to attack systems before they are patched, and how they can be difficult to defend against.
- Botnets: how they are used to launch attacks, such as DDoS attacks, and how they can be difficult to stop.
- Encrypted messaging apps: their use, such as Signal and WhatsApp, to protect privacy and security.
- Open-source software: the risks and benefits of using open-source software, and the importance of supporting open-source projects.
The podcasts also discuss several concerns about the MEF (Mobile Ecosystem Forum), primarily focusing on the Director General of the MEF.
We’re still trying to decode everything in these latest podcasts from TADSummit - Truth in Telecoms.
In the meantime, we’ll just link to the related blog posts:
- Podcast 99: TADSummit Innovators, Bohdan Hopanchuk, Ethical Hacker, Made in the UA. Part 1.
- Podcast 100: TADSummit Innovators, Bohdan Hopanchuk, Ethical Hacker, Made in the UA. Part 2.
- Podcast 101: TADSummit Innovators, Jeremy Turner, Aaron Birnbaum, Bohdan Hopanchuk
- Podcast 102: Truth in Telecoms, Don Dario
Bring the popcorn and enjoy!
All your phones are belong to Salt Typhoon
The Chinese APT group’s compromise of major US phone companies received widespread media coverage, including a Forbes article “FBI Warns iPhone, Android Users—Change WhatsApp, Facebook Messenger, Signal Apps”. Here are the key points we found interesting:
Affected companies:
- AT&T
- Verizon Communications
- Lumen Technologies (formerly CenturyLink)
- And potentially other major US telecommunications providers
The compromise:
- Chinese state-sponsored hackers (Salt Typhoon group) gained access to lawful intercept systems - the very infrastructure designed to facilitate court-authorized surveillance
- These systems were mandated by CALEA (Communications Assistance for Law Enforcement Act) which required telecom providers to build surveillance capabilities into their networks
Technical impact:
- The attackers gained access to systems that handle:
- Legal wiretapping infrastructure
- Court-authorized surveillance data
- Network traffic monitoring systems
- Communications metadata
- Potentially real-time access to surveillance operations
For VoIP security professionals:
- This breach highlights the inherent risks of mandatory backdoors in communications systems
- The compromise affected both traditional telephony and likely VoIP infrastructure
- The FBI’s subsequent recommendation to use end-to-end encrypted messaging is particularly notable, as it represents a shift from their historical opposition to strong encryption
- The incident demonstrates how lawful intercept capabilities, while designed for legitimate law enforcement use, can become security vulnerabilities when compromised
Key security implications:
- Mandatory surveillance capabilities can create systemic vulnerabilities
- The compromise potentially exposed both metadata and content of communications
- The breach may have impacted both criminal investigations and national security operations
- The duration of unauthorized access remains unclear but is believed to be significant
This incident has led to broader discussions about the security implications of building mandatory surveillance capabilities into communications infrastructure.
Synapse, the Matrix server had some high severity security fixes
Element HQ, from the Matrix project, has fixed several high-severity flaws this past month:
- Synapse can be forced to thumbnail unexpected file formats, invoking potentially untrustworthy decoders: this is a hardening patch, which is welcome in security-focused projects like Synapse.
- Malicious invites via federation can break a user’s sync: a denial of service vulnerability that exploits improper validation of federated invites.
- Unsupported content types can lead to memory exhaustion: attackers can exploit multipart/form-data requests to trigger denial of service.
- Denial of service through media disk space consumption: an unauthenticated adversary can force Synapse to download and cache unlimited amounts of remote media due to missing rate limits. While this security fix does not fully address the issue, it reduces exposure to the attack.
Additionally, the latest Synapse security update addresses two moderate-severity vulnerabilities, making server upgrades important.
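The media disk consumption issue above is an instance of a general problem: a cache that any caller can fill. The following is an added example, not Synapse’s code, of a gate placed in front of remote-media fetches. It goes a little beyond the single fix described above by combining three controls: unauthenticated callers are served from cache only and never start a fetch, each authenticated user gets a per-minute fetch allowance, and the cache has a hard byte budget. The limits, server names and media IDs are constructed, and declared_size is assumed to come from the remote Content-Length header; a real implementation must also cap the bytes actually streamed, since that header cannot be trusted.

```python
"""Added example, not Synapse's own code: a gate in front of remote-media fetches that
bounds what any single requester can make the server download and store."""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class RemoteMediaGate:
    """Decides whether a request for remote media may trigger a download into the cache.

    Controls, each closing one way to run the server out of disk:
      - unauthenticated callers are served from cache only and never start a fetch
      - each authenticated user may trigger at most per_user_per_minute fetches
      - items above max_item_bytes are refused up front
      - the cache has a byte budget; when full we refuse rather than evict, so a
        churning client cannot turn the cache into a download proxy
    """

    def __init__(self, per_user_per_minute=30, cache_budget_bytes=500_000_000,
                 max_item_bytes=50_000_000):
        self.per_user_per_minute = per_user_per_minute
        self.cache_budget_bytes = cache_budget_bytes
        self.max_item_bytes = max_item_bytes
        self.cache: Dict[Tuple[str, str], int] = {}  # (origin, media_id) -> bytes
        self.cache_bytes = 0
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)  # user -> fetch times

    def request(self, origin, media_id, declared_size, now, user=None):
        """Return one of: hit, denied_unauthenticated, too_large, rate_limited,
        cache_full, fetched. Only 'fetched' would actually contact the remote server."""
        key = (origin, media_id)
        if key in self.cache:
            return "hit"
        if user is None:
            return "denied_unauthenticated"
        if declared_size > self.max_item_bytes:
            return "too_large"
        window = self.recent[user]
        while window and window[0] <= now - 60.0:  # sliding one-minute window
            window.popleft()
        if len(window) >= self.per_user_per_minute:
            return "rate_limited"
        if self.cache_bytes + declared_size > self.cache_budget_bytes:
            return "cache_full"
        window.append(now)
        self.cache[key] = declared_size
        self.cache_bytes += declared_size
        return "fetched"


def simulate_burst(n, per_user_per_minute=30):
    """Constructed scenario: one user requests n distinct remote items in a few seconds."""
    gate = RemoteMediaGate(per_user_per_minute=per_user_per_minute)
    return [gate.request("remote.example", f"m{i}", 1_000, now=0.1 * i, user="@u:local.example")
            for i in range(n)]


if __name__ == "__main__":
    outcomes = simulate_burst(40)
    print("fetched:", outcomes.count("fetched"), "rate limited:", outcomes.count("rate_limited"))
```

Refusing instead of evicting when the budget is full is a deliberate choice for fetches that clients trigger: eviction would let a client keep the server downloading indefinitely as long as the cache is large enough to absorb the churn.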
Mitel MiCollab Vulnerabilities: CVE-2024-35286, CVE-2024-41713, and 0day
Sonny Macdonald from watchTowr discovered three vulnerabilities in Mitel’s MiCollab platform:
- A SQL injection vulnerability (CVE-2024-35286). The researcher was initially interested in reproducing this vulnerability after reading its CVE description. While the description stated that it could only be exploited if a specific configuration was in place, the researcher discovered that this was not the case.
- An authentication bypass vulnerability (CVE-2024-41713). The researcher discovered it while attempting to reproduce the SQL injection, using the path traversal sequence '..;/' to reach a login page, where the SQL injection vulnerability was then found.
- A post-auth arbitrary file read vulnerability, which remained unpatched as of 5 December 2024 but seems to be addressed in future updates and is tracked as CVE-2024-55550. The researcher discovered it while examining the contents of a .war file that was accessible after exploiting the authentication bypass, and was able to use it to read the contents of the /etc/passwd file.
Mitel acknowledged the researcher’s discovery of all three vulnerabilities. However, they did not release a patch for the post-auth arbitrary file read vulnerability by 5 December 2024, despite stating that they planned to release one during the first week of December 2024. This vulnerability is considered mitigated through the authentication bypass security fix.
Read the watchTowr blog post for the full details and check out the official advisory from Mitel.
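The '..;/' sequence works because some backends treat everything after ';' in a path segment as a path parameter and strip it before resolving '..', while the component in front (a proxy, a filter or a human reading logs) sees an innocuous-looking segment. Defenders who want to find this class of request in their own access logs can do so by reproducing that normalization. The following detector is an added example written for this newsletter, not watchTowr’s or Mitel’s code; the log lines, client addresses and URL paths are constructed, and the ';'-stripping step is an assumed approximation of servlet-container behaviour rather than a description of any specific product.

```python
"""Added example: flag path-traversal attempts in web access logs, including the ';'
path-parameter variant ("..;/") and percent-encoded or double-encoded dots."""
import posixpath
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

# Constructed sample lines in combined-log style; none come from a real system.
LOG_LINES = [
    '10.0.0.5 - - [05/Dec/2024:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Dec/2024:10:00:07 +0000] "GET /public/..;/admin/console HTTP/1.1" 200 4096',
    '10.0.0.9 - - [05/Dec/2024:10:00:09 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [05/Dec/2024:10:00:12 +0000] "GET /static/%252e%252e/secret HTTP/1.1" 404 0',
    '10.0.0.7 - - [05/Dec/2024:10:00:15 +0000] "GET /api/v1/users;jsessionid=abc/profile HTTP/1.1" 200 88',
]


def fully_decode(path, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded dots are not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def backend_view(raw_path):
    """Approximate how a servlet-style backend sees the path (assumption): drop the
    query string, strip ';param' from each segment, then collapse '.' and '..'.
    Returns (normalized_path, stripped_segments)."""
    decoded = fully_decode(raw_path.split('?', 1)[0])
    segments = [seg.split(';', 1)[0] for seg in decoded.split('/')]
    normalized = posixpath.normpath('/'.join(segments)) if decoded else '/'
    return normalized, segments


def analyse_path(raw_path):
    """Classify one request path. 'traversal' is true when a '..' segment survives
    decoding and parameter stripping; 'semicolon_trick' marks the '..;' variant."""
    normalized, segments = backend_view(raw_path)
    decoded = fully_decode(raw_path.split('?', 1)[0])
    return {
        'raw': raw_path,
        'normalized': normalized,
        'traversal': any(seg == '..' for seg in segments),
        'semicolon_trick': any(seg.startswith('..;') for seg in decoded.split('/')),
    }


def scan_log(lines):
    """Return one finding per request whose path resolves through a '..' segment."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        info = analyse_path(match.group('path'))
        if info['traversal']:
            info['client'] = line.split(' ', 1)[0]
            findings.append(info)
    return findings


if __name__ == '__main__':
    for finding in scan_log(LOG_LINES):
        print(f"{finding['client']} {finding['raw']} -> {finding['normalized']}"
              f"{' (;-variant)' if finding['semicolon_trick'] else ''}")
```

Matching on the normalized path rather than on the raw string is what makes the ';' variant and the double-encoded variant show up as the same thing, and the legitimate ';jsessionid=' request in the sample is correctly left alone because stripping its parameter leaves no '..' segment.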
Security Updates and Vulnerability News Round-Up
How The EU Cyber Resilience Act Will Change The Software Industry Forever - Olle E. Johansson
The EU Cyber Resilience Act (CRA), which came into force on December 10, 2024, is set to transform the software industry. Olle E. Johansson, renowned for his contributions to open-source VoIP projects like Kamailio and Asterisk, has been deeply involved in discussions surrounding the CRA and Software Bill of Materials (SBOMs). In his latest presentation at the OWASP BeNeLux Days conference, Olle shares his extensive knowledge, addressing the significant impact this legislation will have on the industry.
BlogGeek.me: Four years of WebRTC Insights
Over four years, Tsahi Levent-Levi and Philipp Hancke explored various WebRTC-related topics, with a particular focus on security. Their insights include discussions about key security concerns within the WebRTC project, such as the vulnerability in dav1d decoder tracked as CVE-2024-1580.
Telecom Giant BT Group Hit by Black Basta Ransomware
BT Group’s Conferencing division suffered a ransomware attack by the Black Basta group, prompting server shutdowns and raising concerns over potential data theft.
This newsletter was prepared by Sandro Gauci and the Enable Security team for RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please share it.
To subscribe: here