RTC security
Newsletter
Curated VoIP and WebRTC security news, research and updates by Enable Security.
Subscribe
Highlights from the past year and various security fixes
Published on Dec 22, 2022
Welcome to the last RTCSec newsletter of 2022! In this edition, we cover: Looking back at the past year and best wishes for the New Year Jitsi gets verification for E2EE OSS-Fuzz now testing PJSIP Vulnerabilities fixed in Drachtio, BigBlueButton, Cisco IP Phones and more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.…
Read more »DDoS simulation tutorial, WebRTC IP leak and vulnerable RTC libraries
Published on Nov 30, 2022
It is the end of November and with it, we bring some of our own publications and coverage of various advisories, papers and news items in the VoIP and WebRTC security world. In this edition, we cover: How to simulate DDoS attacks on your own Details about the new WebRTC IP leak issue Coverage of interesting talks at Blackhat and TADSummit Advisories concerning Sofia-SIP, Drachtio, PJSIP and more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »Celebrations, presentations and new VoIP security tools
Published on Oct 31, 2022
Welcome to a jam-packed edition of RTCSec newsletter for October. What have we this month? In this edition, we cover: This very newsletter is one year old! We’re looking for freelance pentesters to join us This time, 12 years ago in VoIP security incidents (Sality botnet scanning) Upcoming and past presentations of interest at TADSummit, CTI-Summit, Blackhat & ClueCon WebRTC security news: the “most secure VoIP” award and censorship busting New VoIP security tools and workshop by Jose Luis Verdeguer (Pepelux) And various security advisories, and other reports of concern RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »DDoS workshop at TADSummit, toll fraud via MS Teams Direct Routing and WebRTC news
Published on Sep 30, 2022
This month brings us yet another crammed newsletter all about real-time communications security. So without further ado, welcome to the RTCSec newsletter for September 2022! In this edition, we cover: An upcoming open position at Enable Security and what we’re brewing for 2023 Our talk at TADSummit 2022 and the DDoS workshop Commentary about OpenSIPS Summit and Kamailio World Details about how MS Teams Direct Routing may lead to toll fraud Abuse of the exec modules in Kamailio and OpenSIPS WebRTC related news, about CVE-2022-2294, coturn, Scanbox malware and Cloudflare And much much more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »SIP ALG exploit hits Realtek SDK, our Attack Platform and holidays
Published on Aug 31, 2022
In the summer time, the weather is hot … August is usually a slow month in our part of the world and a good time to take a holiday and relax a bit. We tried that for ourselves and found out that the rumors are true, holidays are not overrated. But, we didn’t stop for too long because, actually, we have news! In this edition, we cover: Our news about the Enable Security Attack Platform and Gasoline v2 Buffer overflow in Realtek’s SIP ALG affecting many many routers (CVE-2022-27255) More router exploitation leading to SIP credentials leakage (Arris / CVE-2022-31793) TLS ALPN identifier for SIP SELinux policies and Kamailio/OpenSIPS And more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »WebRTC 0day, FreePBX not Asterisk attacks and talks at MCH2022
Published on Jul 29, 2022
It is the end of the week as well as July and the RTCSec newsletter is in your inbox eagerly waiting to give you all the educational entertainment you need throughout the weekend! In this edition, we cover: Our TADSummit talk and SIPVicious PRO details FreePBX exploitation and confusing reports Remote coverage of the talks at the Dutch hacker camp CVE-2022-2294 - the vulnerability in the WebRTC project Vulnerabilities in Matrix, BigBlueButton, JunOS and more Tweet of the month on VoIP phone hardware hacking RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »SIPVicious PRO out with 2 releases, ransomware and participation in the survey
Published on Jun 30, 2022
The sun is shining (at least on this part of the hemisphere), new exploits and builds are published and everything is good. Welcome to the June edition of RTCSec! In this edition, we cover: Our news: presenting at TADSummit in November and releasing two new SIPVicious PRO versions The Open-Source Telecom Software Survey which needs filling up Ransomware attacks using Mitel’s VoIP appliances as an entry-point Carrier related issues, including Syniverse compromise and call forwarding trick Vulnerabilities that were fixed in Sofia-SIP (FreeSWITCH), pjsip, Mitel phones and VitalPBX and much much more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »OpenSIPS security audit report is out, Zoom and Wire RCEs and DTLS
Published on May 31, 2022
It is the end of May and we have, at the last minute, put together this month’s newsletter! Originally, we had doubts that we had much content for this month. Clearly we were underestimating the amount of last minute news in the RTC security world. In this edition, we cover: OpenSIPS security audit report publication Pentesting in Q4? and more Enable Security news Zoom vulnerability chain lead to an RCE XSS in Wire client leads to RCE Pion DTLS vulnerabilities fixed and some details Vulnerabilities in BIG-IP, Grandstream and Mitel Tweets of the month RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »We’re hiring, new SIPVicious PRO tools, advisories and blog post galore
Published on Apr 27, 2022
Welcome to the April edition of the RTCSec Newsletter. We have a lot this month, and this must be the most packed newsletter so far. In this edition, we cover: We’re hiring! Our blog post explaining how OpenSSL’s CVE-2022-0778 is a problem in WebRTC environments Latest SIPVicious PRO news Various blog and news posts: 3CX pre-auth RCE explanation Open SIP relay abuse ITW How LAPSUS$ probably abused VoIP OpenSIPS’ new TCP module versus DoS attacks Cisco Expressway and Telepresence VCS vulnerabilities A new tool to exploit STUN and TURN servers called stunner, from Firefart Advisories and vulnerabilities fixed (or not) in: FreePBX pjsip Asterisk PBX JunOS WebRTC Cisco Expressway and Telepresence VCS We bring back the Tweet of the month!…
Read more »OpenSSL DoS and DTLS, SIMBoxes, SIP-TLS and lots of advisories
Published on Mar 29, 2022
And a warm welcome to the March edition of RTCSec Newsletter! We have new content for this newsletter, in the form of a video demo of an OpenSSL DoS (CVE-2022-0778). We’ll publish more about this on our blog. In this edition, we cover: OpenSSL DoS (CVE-2022-0778) versus WebRTC infrastructure Usage of SIMBoxes to evade Ukrainian phone companies blocking external phone calls VoIP calls and TLS security instructions Vulnerability reports for PJSIP, Asterisk, Mitel, Pascom, VoIPmonitor, 3CX and Cisco equipment RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
Read more »