Our news
May 2025: Kamailio World and then OpenSIPS Summit presentations
Next month, I’m scheduled to give two presentations:
The presentations share a primary topic - configuration security - but will feature different approaches to keep content fresh and engaging for those attending both. I look forward to meeting newsletter subscribers at either event!
Expect demonstrations, stories, and some food for thought.
OWASP ASVS 5.0 Release Candidate includes WebRTC security
OWASP is set to release ASVS (Application Security Verification Standard) 5.0, featuring significant updates to modernize the security verification framework and improve usability. The new version will include a dedicated WebRTC security chapter with specific requirements that we contributed to the project. This update will provide clearer guidance for security professionals assessing application security across various domains. OWASP invites community feedback on this upcoming release. Check out their blog post about the RC1.
What’s happening?
Hacking the Call Records of Millions of Americans
Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user.
Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser.
This capability wasn’t a hypothetical.
This is how Evan Connelly’s blog post begins. In it, he describes a security vulnerability he discovered in the Verizon Call Filter iOS app that leaked customers’ call history logs (also known as call detail records or CDRs). The vulnerable API that served Call Filter app users did not perform any access control validation, so anyone could retrieve anyone else’s call history.
Read the blog post with the full technical details.
Phone hacking (phreaking) on Where Warlocks Stay Up Late
A new interview series dedicated to documenting cybersecurity (ahem, hacking) history has emerged in recent months. It’s called “Where Warlocks Stay Up Late” and is available on YouTube. I’d like to highlight some of its gems related to early phreaking:
Digital Jesus / Matthew Harrigan spoke about war dialing, dial-ups with X.25 access, unbilled conference calls (loops), “toning”, rerouting 800 numbers to their conference line, exploiting phone switch functionality to control or take over phone lines remotely, and the eventual FBI involvement.
Kingpin / Joe Grand spoke about making free phone calls by dialing an 800 number, entering a 6-digit code and then dialing whatever destination number he wanted, typically a bulletin board system (BBS).
Skyper / Eduart Steiner spoke about making free phone calls from telephone booths in Germany using “hook flashing” (something I can relate to from my childhood in Malta ;)), blue boxing and bypassing blue box frequency filters, and abusing toll-free “home country direct” numbers to other countries by using blue boxing techniques on foreign switches.
This series is a blast from the past. If you’re interested in phone phreaking history, it will bring back fond memories.
Check out the series here.
Is Your Phone Spying on You? Presentation about vulnerabilities in Cisco VoIP Phones
Balazs Bucsay from Mantra Information Security is presenting his research on Cisco VoIP phone vulnerabilities that he had previously reported to Cisco, which issued security fixes. We briefly covered these security issues in last year’s April edition of this newsletter. He has presented at BSides Exeter and will soon present at BSides Birmingham.
Although we have not attended this presentation and it is not yet available online, we had a quick chat with Balazs. He explained that the presentation’s highlight is an on-stage demo: after compromising his vulnerable Cisco phone, he has an audience member answer a call, then demonstrates how the call was intercepted and replays the recorded conversation.
Here’s the announcement of his next presentation on X.
Cross-Site WebSocket Hijacking (CSWSH) Vulnerability and WebRTC
WebRTC signaling traffic typically flows through WebSocket servers, and the security of WebRTC communications depends heavily on secure signaling. When we discovered Include Security’s new blog post about a WebSocket vulnerability, it immediately caught our attention.
Their technical post describes a vulnerability called Cross-Site WebSocket Hijacking (CSWSH), which depends on two properties:
- WebSocket connections are not restricted by the Same Origin Policy (SOP), so any malicious site can open a WebSocket connection to a third-party site.
- When malicious code on an attacker’s website opens such a WebSocket connection, the user’s browser automatically attaches the cookies that authenticate the user to the target site.
The article explains how modern browsers’ default security features mitigate this vulnerability. However, it also explores specific scenarios where the vulnerability persists and can still be exploited under certain conditions.
So how does one protect against this vulnerability?
- Validate the Origin of WebSocket handshake requests. Maintaining a strict allowlist of permitted Origin values is the definitive way to mitigate CSWSH.
- Use alternative authentication methods instead of relying on cookies for WebSocket connections.
- Avoid setting the cookie’s SameSite attribute to ‘None’.
Getting back to how this affects WebRTC security: when SIP is used for signaling, authentication typically occurs at the SIP application level rather than through cookies, and in our experience this has not been a problem. However, a custom signaling protocol could be at risk if the WebSocket client relies on cookie-based authentication without Origin validation, a relatively common practice.
In summary, WebRTC application developers should always validate the Origin header in WebSocket handshake requests.
Read the blog post.
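As an added example (not code from the Include Security post or from any project mentioned above), here is how a Node.js signaling server can apply the first and third mitigations at the HTTP Upgrade step: an exact-match Origin allowlist that ignores cookies when deciding whether to accept the handshake, plus a session cookie that a browser will not attach cross-site. The allowlist entries, the cookie name and the sample requests are constructed for illustration, and `isAllowedOrigin`, `handshakeDecision`, `makeUpgradeHandler` and `sessionCookieHeader` are names chosen here, not a library API.

```javascript
// Added example: Origin allowlisting for a WebSocket signaling server in Node.js,
// no external dependencies. Allowlist entries and cookie name are constructed
// for illustration; nothing here is taken from a real deployment.
"use strict";

// Exact scheme://host[:port] values a browser page may open the signaling
// socket from. Hypothetical deployment: app.example.com over TLS.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://app.example.com:8443",
]);

// True only when the Origin header parses and matches an allowlist entry
// exactly. Rejected: a missing header, the opaque "null" origin, prefix or
// suffix look-alikes, another scheme, and unlisted non-default ports.
// The URL constructor normalises case and drops default ports, so
// "https://APP.example.com:443" compares equal to "https://app.example.com".
function isAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  let url;
  try {
    url = new URL(originHeader);
  } catch {
    return false;
  }
  // An Origin header never carries a path, query, fragment or credentials;
  // anything of the kind is malformed and is refused rather than ignored.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return false;
  }
  return allowlist.has(url.origin);
}

// Splits a comma-separated token header such as "keep-alive, Upgrade".
function headerTokens(value) {
  return String(value || "").toLowerCase().split(",").map((t) => t.trim());
}

// Decides the fate of an HTTP Upgrade request from its headers alone and
// returns the HTTP status to answer with: 101 to continue the WebSocket
// handshake, 403 for a disallowed Origin, 400 for a malformed upgrade.
// The Cookie header is deliberately not consulted: the browser attaches it
// to a cross-site handshake automatically, which is exactly the property
// CSWSH abuses, so it says nothing about which page opened the socket.
function handshakeDecision(headers) {
  const upgrade = String(headers.upgrade || "").toLowerCase();
  if (upgrade !== "websocket" || !headerTokens(headers.connection).includes("upgrade")) {
    return 400;
  }
  if (!isAllowedOrigin(headers.origin)) return 403;
  return 101;
}

// Builds an 'upgrade' listener for http.Server: server.on("upgrade", makeUpgradeHandler(cb)).
// Disallowed handshakes are answered and the socket closed before any WebSocket
// framing happens; accepted ones are passed to completeHandshake(req, socket, head),
// where the WebSocket library in use finishes the Sec-WebSocket-Accept step.
// The listener returns the status so callers and tests can observe the decision.
function makeUpgradeHandler(completeHandshake) {
  return function onUpgrade(req, socket, head) {
    const status = handshakeDecision(req.headers);
    if (status !== 101) {
      const reason = status === 403 ? "Forbidden" : "Bad Request";
      socket.write(`HTTP/1.1 ${status} ${reason}\r\nConnection: close\r\n\r\n`);
      socket.destroy();
      return status;
    }
    completeHandshake(req, socket, head);
    return status;
  };
}

// Set-Cookie value for the session cookie (third mitigation): SameSite=Strict
// keeps the browser from attaching it to cross-site handshakes in the first
// place; Secure and HttpOnly limit exposure further.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

if (typeof module !== "undefined") {
  module.exports = { ALLOWED_ORIGINS, isAllowedOrigin, handshakeDecision, makeUpgradeHandler, sessionCookieHeader };
}
```

With the `ws` library, the callback given to `makeUpgradeHandler` would call `wss.handleUpgrade(req, socket, head, ...)` and emit the connection; the Origin check then runs before the library ever sees the request, and the SIP-over-WebSocket or custom signaling layer above it can still perform its own authentication.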
Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201)
Apple recently patched a serious vulnerability, CVE-2025-31200, in its CoreAudio framework, which powers audio processing across iOS, macOS, and other Apple devices. Discovered in April 2025, this flaw allows attackers to execute remote code by tricking a device into processing a malicious audio stream, primarily within crafted media files. However, because CoreAudio also handles real-time audio, there’s a potential risk to VoIP and WebRTC communications.
What’s interesting is that CVE-2025-31200 was discovered by Apple and the Google Threat Analysis Group (TAG), which uncovers and investigates state-sponsored attacks and other advanced persistent threats, while CVE-2025-31201 was flagged by Apple.
While the vulnerability’s main target appears to be media files, a malicious live audio stream - such as those used in VoIP calls or WebRTC sessions - could, in theory, exploit this flaw if processed similarly. We don’t know that this is the case. A successful attack could compromise a user’s device, making this a notable concern for secure communications. Apple has released patches (e.g., iOS 18.4.1, macOS 15.4.1) to address this issue.
CVE-2025-31201 is an issue in RPAC (Return Pointer Authentication Code), a security feature that aims to thwart return-oriented programming attacks and similar code reuse exploits. We therefore assume that this second vulnerability was used to bypass the protection mechanisms that would otherwise have stopped exploitation of the CoreAudio vulnerability.
More details at the HelpNetSecurity article.
SIP NAT types: network connectivity explained and security vulnerabilities
A new training resource on YouTube from Flavio Goncalves provides an exploration of four primary NAT types (Full Cone, Restricted Cone, Port Restricted Cone, and Symmetric NAT), offering insights into how network address translation mechanisms affect SIP communication protocols.
We often talk about Network Address Translation at the RTCSec newsletter because NAT is the root cause of a number of VoIP security vulnerabilities, including:
- RTP Bleed and RTP Inject, which are often associated with the IP:port learning feature in media servers, a feature that exists because of NAT
- SIP ALG modules in various network security devices, which are often the source of buffer overflows and denial of service vulnerabilities
- TURN servers, which were designed because of NAT and thus gave rise to the TURN open relay abuse vulnerability that we found across various providers
- the multiplexing of WebRTC media (DTLS, SRTP, SRTCP and STUN) over one port, which is partly motivated by NAT and in part led to the DTLS ClientHello DoS vulnerability
So if you’re exploring these vulnerabilities, it makes sense to learn the basics through Flavio’s resources.
Watch the video.
CVE-2024-45552: RTCP Packet Buffer Over-read Vulnerability in Qualcomm’s chipsets
Qualcomm’s April security bulletin issued a security fix for their chipsets that caught my eye: CVE-2024-45552 - “Buffer Over-read in Data Network Stack & Connectivity” with the following description:
“Information disclosure may occur during a video call if a device resets due to a non-conforming RTCP packet that doesn’t adhere to RFC standards.”
The CVSS rating of 8.2 indicates high impact on video call confidentiality, low impact on availability, and no impact on integrity. This issue presumably affects VoLTE video calls, though the advisory provides limited information.
Does anyone know what effects these non-conforming RTCP packets might have on ongoing calls?
How does a device reset lead to information disclosure? ¯\_(ツ)_/¯
Advisory here.
Junos OS SIP ALG DoS Vulnerability (CVE-2025-30656)
Juniper recently released an advisory and security fixes for a high severity DoS vulnerability in the SIP ALG that affects their routers and network security devices running Junos OS. This vulnerability, tracked as CVE-2025-30656, allows unauthenticated attackers to crash devices and disrupt network services by sending specially crafted SIP INVITE packets over the network.
What is SIP ALG anyway? SIP ALG stands for Session Initiation Protocol Application Layer Gateway. It’s a feature found in many firewalls and routers that is intended to help manage and inspect SIP-based VoIP traffic as it passes through NAT (Network Address Translation) devices.
Since 2023, our RTCSec newsletter has covered similar SIP ALG vulnerabilities on network devices at least six times. We recommend disabling SIP ALG unless it’s absolutely necessary for your operations.
Kamailio SIP Server Multiple Vulnerabilities fixed in Ubuntu official packages
Security updates for Ubuntu 20.04 LTS, 18.04 ESM, and 16.04 ESM now fix Kamailio vulnerabilities that upstream addressed between 2016 and 2020. For users of Ubuntu-packaged Kamailio who are constrained to these Ubuntu versions, this situation is suboptimal. The following were fixed in this update:
- CVE-2020-28361: Header Removal Protection Bypass via Whitespace in textops Module
- CVE-2016-2385: Heap-Based Buffer Overflow in SEAS Module’s encode_msg Function
- CVE-2018-14767: Segmentation Fault via Crafted SIP Message with Double ‘To’ Header
If you value the security of your Kamailio servers, and anything behind them, do yourself a favor and stick with the official tagged release versions by compiling from source code or using the official Kamailio Debian repositories.
Upgrading to newer Ubuntu versions provides more recent Kamailio packages by default. However, this approach reduces both flexibility and the likelihood of receiving prompt security updates.
Security Updates and Vulnerability News Round-Up
The “ELUSIVE COMET” campaign is a sophisticated cryptocurrency theft operation that exploits Zoom’s Remote Control feature through elaborate social engineering. Attackers rename themselves “Zoom” within the interface to appear legitimate, tricking victims into granting remote access during meetings. Once access is granted, they swiftly drain crypto assets. One notable case involved Jake Gallen, CEO of NFT platform Emblem Vault, who lost approximately $100,000. The post by Trail of Bits, whose CEO was also targeted, dives into the technical mechanics and mitigation strategies for this threat.
Original content here.
Oracle’s April 2025 Critical Patch Update addressed 378 vulnerabilities across its broad product portfolio. Oracle Communications products were most heavily affected, receiving 103 patches, including 82 flaws that could be exploited remotely without authentication. Over 40 of the patched vulnerabilities were rated critical, particularly impacting vital systems such as Session Border Controllers and other core network infrastructure.
Original content here.
The article highlights five decentralized alternatives to Zoom, presenting them as inherently more secure due to their decentralized architecture—though this assumption may be misleading without further scrutiny. Nonetheless, the list is compelling, especially with innovative features like AI-powered tools and token-based reward systems found in apps such as dMeet. These platforms offer fresh takes on video conferencing and appeal to users seeking privacy and cutting-edge functionalities.
Original content here.