Our news
RTCSec Newsletter Turns 3: Celebrating Our Journey in VoIP and WebRTC Security
As we mark three years of the RTCSec newsletter, we’re thrilled to see how our mission of shining a light on VoIP and WebRTC security has resonated with our readership. In fact, our newsletter’s audience has grown significantly despite its niche focus. In the meantime, we’ve covered crucial topics like WebRTC vulnerabilities, VoIP and conferencing platform security, AI-driven audio manipulation threats, communication system resilience, and the challenges of SMS/Voice 2FA.
We’re grateful to everyone who’s contributed to this journey, from those reporting and fixing vulnerabilities to thought leaders, our Enable Security team and, especially, you, our readers. Please share this newsletter with colleagues in cybersecurity, VoIP/WebRTC teams, telecommunications professionals, unified communications specialists, decision makers, and anyone interested in real-time communication security.
On a personal note, curating this newsletter has been incredibly rewarding, keeping me personally informed, inspired, and passionate about RTC security. Here’s to many more years of securing our real-time communications together!
New White Paper: DTLS “ClientHello” Race Conditions in WebRTC Implementations
This month we released our latest white paper, “DTLS ‘ClientHello’ Race Conditions in WebRTC Implementations”. This comprehensive study delves into a critical vulnerability affecting various WebRTC implementations, with potential implications for real-time communication security.
Our research team at Enable Security conducted extensive testing on both open-source and proprietary WebRTC implementations, focusing on media servers and popular communication platforms. The study aimed to identify vulnerabilities related to the processing of DTLS ClientHello messages in WebRTC sessions.
Among the tested platforms, we found several implementations vulnerable to this issue:
- RTPEngine
- Asterisk
- FreeSWITCH
- Skype (PSTN)
In the case of the open-source software, this issue has been mitigated in the latest versions. Our testing encompassed a wide range of platforms, including but not limited to:
- Janus
- Discord Service Voice channel
- Dolby.io Live Broadcast
- Facebook Messenger web client
- Google Meet
- LiveKit Meet
- Webex Meetings
- Zoho Meeting
- Zoom personal room meeting
- Mediasoup
The white paper provides a detailed analysis of our methodology, findings, and the potential impact of this vulnerability. We discovered that the core issue lies in the failure to properly verify the origin of the DTLS “ClientHello” message, which could lead to denial of service attacks.
Importantly, our research highlights that while this behavior doesn’t necessarily indicate a bug in the WebRTC specification itself, it reveals a critical oversight that multiple implementors have failed to address.
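As an added illustration (not code from the white paper or from any of the implementations named above), the Python sketch below shows the origin check a media server’s DTLS receive path can apply: a ClientHello is handed to the DTLS stack only when it arrives from the remote address that ICE has nominated. The record and handshake header offsets follow the DTLS wire format; the Transport state, the packet builder and the addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# A DTLS record header is 13 bytes; the handshake header that follows is 12 bytes.
DTLS_CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1

def is_dtls_client_hello(packet: bytes) -> bool:
    """True if the datagram is a DTLS handshake record whose first message is a ClientHello."""
    if len(packet) < 25:
        return False
    epoch = int.from_bytes(packet[3:5], "big")
    # Every DTLS version has major byte 0xFE, and a ClientHello is always sent in epoch 0.
    return (packet[0] == DTLS_CONTENT_HANDSHAKE and packet[1] == 0xFE
            and epoch == 0 and packet[13] == HANDSHAKE_CLIENT_HELLO)

@dataclass
class Transport:
    """Constructed per-session state: the remote address ICE has nominated, if any."""
    nominated_peer: Optional[Tuple[str, int]] = None
    dropped: List[str] = field(default_factory=list)  # audit trail, useful for detection

def client_hello_allowed(t: Transport, src: Tuple[str, int], packet: bytes) -> bool:
    """Only a ClientHello arriving from the ICE-nominated peer may start the DTLS handshake."""
    if not is_dtls_client_hello(packet):
        return False  # not a ClientHello; other record types take a different path
    if t.nominated_peer is None:
        t.dropped.append(f"ClientHello from {src} before ICE nominated a peer")
        return False
    if src != t.nominated_peer:
        t.dropped.append(f"ClientHello from {src} does not match nominated peer {t.nominated_peer}")
        return False
    return True

def make_client_hello_record() -> bytes:
    """Constructed minimal DTLS 1.2 record (version 0xFEFD) carrying a bare ClientHello header."""
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + bytes(11)  # msg_type + zeroed length/seq/fragment fields
    rec = bytes([DTLS_CONTENT_HANDSHAKE, 0xFE, 0xFD]) + bytes(8) + len(hs).to_bytes(2, "big")
    return rec + hs

if __name__ == "__main__":
    t = Transport(nominated_peer=("203.0.113.10", 50000))  # documentation-range addresses
    hello = make_client_hello_record()
    print(client_hello_allowed(t, ("198.51.100.7", 40000), hello))  # False: wrong origin
    print(client_hello_allowed(t, ("203.0.113.10", 50000), hello))  # True: nominated peer
    print(t.dropped)
```

The dropped list is the signal worth exporting to monitoring: a ClientHello from an address ICE never validated should not happen in normal operation.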
We believe this research contributes significantly to the ongoing efforts to enhance WebRTC security across the industry. By sharing our findings, we aim to foster a more secure environment for real-time communication services.
To dive deeper into our methodology, results, and recommendations, we encourage you to read the full white paper. Feel free to reach out if you have any questions about our findings or methodology.
What’s happening?
DEF CON 32 talks that mention WebRTC
In this talk, Justin “Rhynorater” Gardner discusses various bug bounty findings. We are most interested in bug #5, which involves snooping on other users’ meetings. Gardner investigated a video chat and collaboration app, setting himself the challenge of joining meetings unnoticed. He found that when a user joins a meeting, the browser (i.e., the client side) announces the new participant to the other participants. By modifying the client-side code to prevent this signal from being sent, he was able to snoop on meetings without broadcasting his presence. He identified this vulnerability by reviewing the project’s GitHub issues, where it had already been flagged as a potential problem.
This talk explores an RCE (Remote Code Execution) attack chain on Quick Share, a wireless peer-to-peer data transfer utility used across Android, Windows, and ChromeOS. Quick Share supports various communication methods like WiFi, Bluetooth, and WebRTC. The researchers focused on the protocol behind the file transfer, which uses Protobuf and OfflineFrame structures. During their investigation, they uncovered ten vulnerabilities, all of which were later addressed and patched by Google. More details can be found in the associated blog post and code repository.
This talk highlights vulnerabilities within several Ecovacs products, including vacuum robots, lawnmowers, and air purifiers, which allow live audio and video streaming via mobile apps. The presentation covered a large number of interesting vulnerability topics but we’ll focus on the WebRTC (i.e. audio and video streaming) functionality here. The streaming feature leverages AWS Kinesis, a service for real-time data streaming. While connections to the stream are protected by a user-entered PIN, the mobile app verifies the PIN by querying the robot directly. The presenters discovered that by modifying the robot’s response to indicate a correct PIN, even when the wrong PIN is entered, they could bypass this validation. This manipulation grants unauthorized access to the Kinesis WebRTC session, exposing the audio and video feed. A demonstration revealed how easily this security measure could be overridden.
Inside the FBI’s Secret Encrypted Phone Company ‘Anom’ - Joseph Cox
Get your popcorn and watch the talk Joseph Cox gave at DEF CON 32. I still need to sit down and watch/listen to this properly, but in the meantime I thought I’d satisfy my inner geek’s curiosity about how the FBI ran a phone company. So technically, they had the following components:
- XMPP/Jabber server for transporting all the chat communications
- Hardware consisted of Google Pixel phones (Pixel 2, 3A, 4A) and some Samsung Galaxy models
- Intel NUCs (Next Unit of Computing) as “black boxes” for loading the custom OS and app
- Custom operating system called Arcane OS, based on GrapheneOS
- Anom messaging app
- AWS (Amazon Web Services) for routing messages
- Various proxy, ingestion and transfer servers to hide any interception and ultimately deliver the data to the FBI
- Third-party country servers in Lithuania and in the UK
- FBI’s front-end system (HolaiBot)
- S3 bucket (likely for storing attachments like photos and videos)
- Mobile Device Management (MDM) systems - initially Mobile Iron, later switched to FieldX
Fascinating story.
SIP Security: Exploring URI Parser Vulnerabilities and taking inspiration from DEF CON 32
Gareth Heyes’ DEF CON 32 talk, “Splitting the email atom: exploiting parsers to bypass access controls”, explores the complex world of email address parsing. This research inspired me to consider similar applications in the realm of Session Initiation Protocol (SIP).
SIP RFC 3261, section 19.1, discusses SIP and SIPS Uniform Resource Indicators, referencing RFC 2396 as a guideline. Like email addresses, SIP addresses are complex and warrant further investigation. Key areas of interest include:
- SIP URI parsing discrepancies:
  - Differences across various SIP proxies, user-agent servers, and clients
  - Potential for authentication or authorization bypasses
  - Possible real-world consequences, such as toll fraud
- Injection attacks via SIP URIs:
  - Previously observed vulnerabilities leading to:
    - Cross-site scripting
    - SQL injection
    - Command injection
- Special header injection in SIP requests:
  - Exploiting the ability to include headers in SIP URIs
  - Example: sip:atlanta.com;method=REGISTER?to=alice%40atlanta.com
These areas of investigation could potentially reveal numerous other security implications in SIP systems.
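As an added example (not code from the talk, from RFC 3261 or from any SIP project), the Python parser below splits a SIP URI into user, host, port, URI parameters and embedded headers strictly, rejecting ambiguous forms instead of guessing, and then reports which parts of the URI would shape a request built from it. The header-name list is an assumption made for the example, not a list taken from the RFC.

```python
import re
from typing import List
from urllib.parse import unquote

# SIP/SIPS URI shape per RFC 3261 section 19.1:
#   sip:[user[:password]@]host[:port][;param=value]*[?header=value[&header=value]*]
_SIP_URI = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^:@;?]+)(?::(?P<password>[^@;?]*))?@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;?@\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<params>(?:;[^;?]*)*)"
    r"(?:\?(?P<headers>.*))?$"
)

# Assumed list of request headers that an embedded "?name=value" must not be allowed to set
# when a request is built from a URI received from an untrusted party.
PROTECTED_HEADERS = {"to", "from", "via", "call-id", "cseq", "route", "contact", "max-forwards"}

def parse_sip_uri(uri: str) -> dict:
    """Strict parse: ambiguous forms such as a second '@' are rejected rather than guessed."""
    m = _SIP_URI.match(uri)
    if not m:
        raise ValueError(f"not a well-formed SIP URI: {uri!r}")
    params, headers = {}, {}
    for p in filter(None, m.group("params").split(";")):
        name, _, value = p.partition("=")
        params[name.lower()] = unquote(value)
    for h in filter(None, (m.group("headers") or "").split("&")):
        name, _, value = h.partition("=")
        headers[name.lower()] = unquote(value)
    return {"scheme": m.group("scheme"), "user": unquote(m.group("user") or "") or None,
            "password": m.group("password"), "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
            "params": params, "headers": headers}

def request_shaping_risks(uri: str) -> List[str]:
    """Report each way the URI would alter a request built from it; empty means a plain address."""
    info = parse_sip_uri(uri)
    risks = []
    if "method" in info["params"]:
        risks.append(f"method parameter changes the request method to {info['params']['method']}")
    if info["password"] is not None:
        risks.append("userinfo carries a password, which RFC 3261 recommends against")
    for name in info["headers"]:
        kind = "protected" if name in PROTECTED_HEADERS else "extra"
        risks.append(f"embedded {kind} header {name!r} would be copied into the request")
    return risks
```

Run against the RFC example above, it reports both the method override and the embedded To header; a plain sip:alice@atlanta.com reports nothing.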
Truth in Telecoms and CXTech Newsletter covering Artificially Inflated Traffic (AIT) Fraud
For those in the audience involved in the telecom industry, AIT may be of interest. Alan Quayle and the Truth in Telecoms / TAD Summit Podcast have covered this topic in two episodes:
If you prefer reading over watching videos or listening to podcasts, Alan’s newsletter provides coverage in CXTech Week 41 2024 News and Analysis.
Security Updates and Vulnerability News Round-Up
Cisco has addressed eight vulnerabilities in their ATA 190 Series Analog Telephone Adapter devices, impacting both the administrative web interface and the command line interface (CLI). The most severe include CVE-2024-20458, which allows unauthenticated attackers to change the configuration or firmware through HTTP endpoints, and CVE-2024-20459, where authenticated users could escalate privileges to execute commands as the root user. Other issues such as CVE-2024-20421 and CVE-2024-20460 involve cross-site vulnerabilities that require an attacker to redirect an administrator’s browser to malicious URLs. Additionally, vulnerabilities like CVE-2024-20462 expose sensitive information such as user passwords, while others—CVE-2024-20461, CVE-2024-20463, and CVE-2024-20420—permit command injection, denial of service, and privilege escalation.
In this article, Nick Galloway from the Google Project Zero team discusses discovering an integer overflow vulnerability in the dav1d AV1 video decoder, widely used in WebRTC. The vulnerability, tracked as CVE-2024-1580, was previously covered in the March edition and the April edition of the Enable Security newsletter. The article provides insight into the process of discovering the vulnerability and explains why the initial OSS-Fuzz fuzzer failed to catch the bug.
This Google blog post discusses the proactive measures implemented in the latest Pixel phones to enhance baseband security. The baseband, which manages cellular communications like LTE, 4G, and 5G, has been a focus of prior exploration, especially in relation to VoLTE and VoWiFi signaling. Handling protocols such as SDP and RTCP at the baseband level presents considerable risks, as demonstrated by previous findings from Google’s Project Zero, including vulnerabilities in the Shannon baseband and Samsung Exynos chipsets. Pixel phones now feature advanced baseband security measures like Bounds Sanitizer, Integer Overflow Sanitizer, Stack Canaries, Control Flow Integrity, and Auto-Initialize Stack Variables, reinforcing protection against these threats.
VICIdial, a web-based platform for managing inbound and outbound communications, is vulnerable to two critical security issues: an unauthenticated SQL injection (KL-001-2024-011) and an authenticated remote code execution vulnerability (KL-001-2024-012). These flaws allow attackers to first use SQL injection to gain access to plaintext credentials, then log in and execute arbitrary shell commands on the server. This sequence of attacks can swiftly escalate to remote code execution as the root user, posing a severe security risk. The “Proof of Concept” sections in the advisories demonstrate the full extent of the vulnerabilities.
A vulnerability, tracked as CVE-2024-49215, was found in Asterisk versions 18.20.0, 19.x, 20.x through 20.5.0, 21.x through 21.0.0, and Certified Asterisk through 18.9-cert5. The latest Asterisk versions, such as 22.0.0, 21.5.0, 20.10.0, 18.25.0, and Certified Asterisk 20.7-cert3, are unaffected by this issue. This flaw potentially enables a directory traversal attack through the Asterisk Management Interface (AMI), allowing arbitrary file read disclosure. However, it’s important to note that this issue has not been validated, and the Asterisk team has not released an official advisory regarding it.
matrix-react-sdk versions prior to 3.102.0 contain a vulnerability that allows a malicious homeserver to potentially steal message keys when a user invites another to a room. This issue arises because older versions of the software would share historical message keys during the invite process, making it possible for a homeserver-controlled malicious device to exploit the situation. Additionally, the matrix-react-sdk project was archived as of September 11, 2024, and has since been consolidated into the element-web repository following its merger.
This article tells the story of Shane McCausland, who is now a member of Yahoo’s cybersecurity team, The Paranoids. McCausland’s introduction to the field of cybersecurity came when he built a VoIP phone system based on the Asterisk server, which was subsequently compromised by a series of brute force attacks from a suspicious origin. This incident ultimately inspired him to pursue a career in cybersecurity.
Mitel has addressed several critical and high-severity vulnerabilities in its MiCollab unified communications platform. The vulnerabilities, including path traversal (CVE-2024-41713) and SQL injection flaws (CVE-2024-47223 and CVE-2024-47189), were published on October 9, 2024. An authentication bypass vulnerability (CVE-2024-47912) was also fixed. Mitel recommends users update to mitigate these issues, as they could lead to critical security compromises such as unauthorized access or data exfiltration.