Our presentation at Bloomberg RTC Summit about VoIP and WebRTC attack surface
I gave a new presentation about the VoIP and WebRTC attack surface at a private conference at Bloomberg called RTC Summit. The presentation is meant to give an overview of the vulnerabilities that may affect real-time communications infrastructure. We also included a number of specific security vulnerability explanations and demonstrations by diving into the following security issues:
- OpenSSL Infinite Loop Vulnerability CVE-2022-0778 and how it affected WebRTC
- RTP proxy vulnerabilities, which include RTP Inject and RTP Bleed
- Attacks on media servers that record or transcode media - RTP Flood
- TURN relay abuse and vulnerabilities in coturn that bypassed its security restrictions
- SIP INVITE flood against WebSocket SIP servers
Thanks to Dhananjay Deshpande and his colleagues at Bloomberg's RTC team for the opportunity!
Pentesting in 2023? (advert)
If you're planning on using our services this year, please get in touch by responding to this newsletter or through our contact page. We still have some availability in Q3 but that will be gone very soon. If you need pentesting in Q4, now is an excellent time to start discussions!
Next OpenSIPIt'03 is being planned!
We will be participating in the next OpenSIPIt'03 event which will happen around mid-September 2023. We'll be doing (D)DoS testing and fuzzing as well as playing with anything new that comes along.
What is OpenSIPIt anyway?
OpenSIPIt is a community-driven interoperability testing event with the aim of ensuring various independent open-source SIP implementations are realizing new and emerging SIP-related RFCs correctly, while remaining fully and easily interoperable at the "basic SIP" level.
Cloudflare DDoS threat report Q2 mentions VoIP
The second Cloudflare threat report for 2023 was released in July. The following might be the most relevant notes for the audience of this newsletter:
- Mitel MiCollab phone systems are being abused for UDP amplification used in DDoS attacks (CVE-2022-26143)
- a 15% increase in HTTP DDoS attacks was observed, including more sophisticated attacks that simulate browser behavior
- a large VoIP provider was affected by attacks from cyber-criminals; does anyone have any further information on this?
- TeamSpeak, which is actually a proprietary VoIP service, was also mentioned because Cloudflare started seeing DDoS attacks abusing the TeamSpeak3 protocol
This month, Gavin Henry released SentryPeer which helps prevent VoIP attacks and toll fraud. It does this by providing APIs that allow users to query for phone numbers or IP addresses. Specifically, the APIs are able to tell if a phone number is considered fraudulent or if a source IP is a known attacker address. It does this by relying on the SentryPeer honeypots that are crowd-sourced and feed in this data.
The service has a business model and is also available for free for those that contribute data through their own SentryPeer honeypots. It is open source and quite an interesting initiative.
Similar noteworthy efforts that come to mind and are also part of the RTC security community are:
STIR/SHAKEN certificate compliance
A large number (almost half) of the leaf certificates used in the STIR/SHAKEN CA ecosystem actually seem to be expired. More interesting numbers and statistics are to be found on the website put up by Martini Security (who are in the business of certificate issuance).
Vishing with "Letscall" using VoIP and WebRTC
ThreatFabric released a report about Android malware targeting individuals from South Korea. What is interesting is that it acts as a voice traffic router by redirecting incoming and outgoing calls. Depending on how the malware is configured, it might redirect the calls to a call center controlled by the criminals. To do this, the mobile application makes use of VoIP and WebRTC and abuses the legitimate service ZEGOCLOUD.
Various WebRTC vulnerabilities fixed in Firefox and Chromium
Google Chrome, Microsoft Edge Chromium and everything in between fixed two use-after-free vulnerabilities in WebRTC. These are tracked as CVE-2023-3727 and CVE-2023-3728, and the reporters, Cassidy Kim and Zhenghang Xiao, were rewarded a 7000 USD bounty each for their work.
In the meantime, Mozilla Firefox also fixed a vulnerability with the title "Use-after-free in WebRTC certificate generation". It is tracked as CVE-2023-37201 and was reported by Irvan Kurniawan.
The description from Mozilla says the following:
An attacker could have triggered a use-after-free condition when creating a WebRTC connection over HTTPS.
No further details have been published yet, and it is not clear whether the vulnerabilities in Firefox and the ones in Chromium are related.
Short news and commentary
Hi @Sangoma @LorneGaetz - I've sent you several vulnerability-disclosure-related emails over the past couple months. Can someone reply please? Thanks!
More people replied to Charles' tweet saying that they had a similar experience with Sangoma. We're told that there will be public disclosure and a talk about this at Defcon in August. We'll probably be covering that.