
RTC security
Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


April 2023: 3CX incident updates, WebRTC security and H264

Published on Apr 28, 2023

April brings with it conference announcements, updates to the 3CX incident and a very interesting paper about the most popular video codec. In this edition, we cover:

- New fuzzing of RTP codecs with SIPVicious PRO
- Details about our WebRTC security presentation for CommCon
- News about the 3CX compromise
- and much much more!

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.…


March 2023: Trojan 3CX Client, CRA talk, OpenSIPS audit report and much more

Published on Mar 31, 2023

Welcome to the end of March, and this month’s edition of the RTCSec Newsletter. A lot has accumulated in March on the VoIP and IP Communication security front. In fact, this one is packed! In this edition, we cover:

- Our news, involving CI/CD automation of VoIP security testing with SIPVicious PRO
- More news from us, including the OpenSIPS security audit report and a chat about the Cyber Resilience Act
- 3CX Phone Client turned into a trojan
- Critical vulnerabilities affecting Samsung and Pixel phones via VoLTE and 5G
- Silent fix in Kamailio gets a CVE, vulnerable door phones and various other security reports

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…


WebRTC attacks, FOSDEM'23 and security fixes

Published on Feb 28, 2023

Welcome to the February 2023 edition of RTCSec newsletter. If you are reading this on your email client, you might notice slight formatting changes - the red color of the Communication Breakdown blog and the mascot on the side. Hope that this makes it more distinguishable. Do let me know if you have feedback, by replying to this email. In this edition, we cover: A chat with Arin Sime of WebRTC.…


Kamailio’s exec module, SIPVicious still ringing phones and many vulnerabilities

Published on Jan 31, 2023

This new year starts off with a number of RTC security related news and we have some original content to share with you too! In this edition, we cover:

- Our news: The dangers of using the Kamailio exec module and our pentesting schedule
- Our news: Updates to the awesome RTC hacking list
- The Threema weaknesses paper from ETH Zurich
- Presentations of interest from Blackhat and Nullcon Berlin
- Receiving calls on your deskphone from SIPVicious - still happening!…


Highlights from the past year and various security fixes

Published on Dec 22, 2022

Welcome to the last RTCSec newsletter of 2022! In this edition, we cover:

- Looking back at the past year and best wishes for the New Year
- Jitsi gets verification for E2EE
- OSS-Fuzz now testing PJSIP
- Vulnerabilities fixed in Drachtio, BigBlueButton, Cisco IP Phones and more

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.…


DDoS simulation tutorial, WebRTC IP leak and vulnerable RTC libraries

Published on Nov 30, 2022

It is the end of November and with it, we bring some of our own publications and coverage of various advisories, papers and news items in the VoIP and WebRTC security world. In this edition, we cover:

- How to simulate DDoS attacks on your own
- Details about the new WebRTC IP leak issue
- Coverage of interesting talks at Blackhat and TADSummit
- Advisories concerning Sofia-SIP, Drachtio, PJSIP and more

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…


Celebrations, presentations and new VoIP security tools

Published on Oct 31, 2022

Welcome to a jam-packed edition of RTCSec newsletter for October. What have we this month? In this edition, we cover:

- This very newsletter is one year old!
- We’re looking for freelance pentesters to join us
- This time, 12 years ago in VoIP security incidents (Sality botnet scanning)
- Upcoming and past presentations of interest at TADSummit, CTI-Summit, Blackhat & ClueCon
- WebRTC security news: the “most secure VoIP” award and censorship busting
- New VoIP security tools and workshop by Jose Luis Verdeguer (Pepelux)
- And various security advisories, and other reports of concern

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…


DDoS workshop at TADSummit, toll fraud via MS Teams Direct Routing and WebRTC news

Published on Sep 30, 2022

This month brings us yet another crammed newsletter all about real-time communications security. So without further ado, welcome to the RTCSec newsletter for September 2022! In this edition, we cover:

- An upcoming open position at Enable Security and what we’re brewing for 2023
- Our talk at TADSummit 2022 and the DDoS workshop
- Commentary about OpenSIPS Summit and Kamailio World
- Details about how MS Teams Direct Routing may lead to toll fraud
- Abuse of the exec modules in Kamailio and OpenSIPS
- WebRTC related news, about CVE-2022-2294, coturn, Scanbox malware and Cloudflare
- And much much more

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…


SIP ALG exploit hits Realtek SDK, our Attack Platform and holidays

Published on Aug 31, 2022

In the summer time, the weather is hot … August is usually a slow month in our part of the world and a good time to take a holiday and relax a bit. We tried that for ourselves and found out that the rumors are true, holidays are not overrated. But, we didn’t stop for too long because, actually, we have news! In this edition, we cover:

- Our news about the Enable Security Attack Platform and Gasoline v2
- Buffer overflow in Realtek’s SIP ALG affecting many many routers (CVE-2022-27255)
- More router exploitation leading to SIP credentials leakage (Arris / CVE-2022-31793)
- TLS ALPN identifier for SIP
- SELinux policies and Kamailio/OpenSIPS
- And more

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…


WebRTC 0day, FreePBX not Asterisk attacks and talks at MCH2022

Published on Jul 29, 2022

It is the end of the week as well as July and the RTCSec newsletter is in your inbox eagerly waiting to give you all the educational entertainment you need throughout the weekend! In this edition, we cover:

- Our TADSummit talk and SIPVicious PRO details
- FreePBX exploitation and confusing reports
- Remote coverage of the talks at the Dutch hacker camp
- CVE-2022-2294 - the vulnerability in the WebRTC project
- Vulnerabilities in Matrix, BigBlueButton, JunOS and more
- Tweet of the month on VoIP phone hardware hacking

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.…
