Skip to main content
RTC Security Newsletter

Curated VoIP and WebRTC security news, research and updates by Enable Security.


September 2023: Security advisories, SIP & DTLS-SRTP interoperability and 5G infra attacks

Published on Sep 29, 2023

Welcome to the September edition of the VoIP and WebRTC security newsletter, RTCSec news!

In this edition, we cover:

  • our news, including the WebRTC & Video Delivery presentation we gave at CommCon, OpenSIPIt and our Attack Platform
  • security fixes in FreeSWITCH, OpenScape, Stormshield and DLINK phones
  • GPRS Tunneling Protocol user-plane (GTP-U) abuse, Signal upgraded for quantum computing and SBOMs

RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

What is RTC security anyway? Real-time communications security is what determines if you can communicate in real time in a safe way - whether it be with other humans or machines.

You may sign up to receive the RTCSec newsletter here. Do:

  • forward to that person who may find this newsletter particularly fruitful.
  • let us know if we should include or cover any RTC security news.

To view past issues, please visit our website at

Our news

WebRTC & Video Delivery application security - what could possibly go wrong?

Our presentation for CommCon 2023 is finally public! Here’s the synopsis:

WebRTC is often considered to be secure by default - with most security concerns being around IP address leakage which is more of a privacy issue than anything. Well, I have news for you - the applications and infrastructure that handles WebRTC can be attacked. It may indeed have various types of security vulnerabilities which are often overlooked. This presentation is based on experiences gained through security testing of WebRTC applications with anecdotal stories to illustrate the dangers. We will also take a peek at Video Delivery mechanisms such as RIST and SRT and discuss what could possibly go wrong there too!

With regards to video delivery, we actually took a look at the WISH/WHIP protocol which resulted in some interesting potential vulnerabilities which we described back in June.

Give it a watch at

Security consultancy for your RTC projects

If you are using open-source software such as OpenSIPS, Kamailio, FreeSWITCH or Asterisk to build custom solutions, you may need security consultancy. Or you may need help with security testing of some VoIP or WebRTC features or components. That is why we offer consultancy services.

OpenSIPIt'03 covered SIPREC, STIR/SHAKEN, DTLS, performance and security

OpenSIPIt'03, the interoperability testing event, happened during the week of 18th September and the attending opensource developers were very engaged. In fact some of the tests went beyond the initial 3 days that were originally planned for the event.

On the initial day, there were some presentations about what was planned by each attendee which can be seen on the Youtube stream. You’ll find the following:

  • STIR/SHAKEN by Liviu
  • SIPREC by Razvan
  • Performance by Flavio
  • DTLS/SRTP by Maxim

We also had a presentation which starts after 1h and 40 minutes which can be seen on the stream at 5990s. We discussed:

  • what we can test which included some basic standard fuzzing tests to do with RTP, including fuzzing of various codecs and SIP fuzzing
  • gave some ideas of ad-hoc tests that we could do covering SIPREC, DTLS DoS and STIR/SHAKEN fuzzing or security testing
  • introduced our Attack Platform and gave the developers access for the first time (next topic)

The OpenSIPIt event is always a valuable opportunity to learn from others and to improve and expand our security coverage, even if we could not participate as much as we wanted this time. We are excited for the next one!

Attack Platform sneak preview at OpenSIPIt

During OpenSIPIt'03 we described the Attack Platform and gave the attending developers access so that they could run some tests on their software. We explained that often we need to share security tests with others (our clients) and allow them to consistently do the same tests over and over again. Additionally, we often need to distribute certain security tests - especially for DDoS resilience testing of course. And finally, it is valuable to be able to run tests automatically, on schedule, or manually by our clients.

The Attack Platform is our answer to all of these problems. It can be summarized as infrastructure and security tools prepared by Enable Security. If you’d like to watch the talk and demos with the Attack Platform, it is all on the Youtube stream at 6381s.

What’s happening?

Two FreeSWITCH security fixes

The FreeSWITCH project has addressed two security vulnerabilities this month. Both security reports are credited to Andrey Volk, while Giacomo Vacca is also credited for one of the vulnerabilities. Both developers are working at SignalWire, the main sponsor of FreeSWITCH.

What was fixed?

  1. FreeSWITCH allows authorized users to cause a denial of service attack by sending re-INVITE with SDP containing duplicate codec names - CVE-2023-40019
  2. FreeSWITCH allows remote users to trigger out of bounds write by offering an ICE candidate with unknown component ID - CVE-2023-40018

Both are listed as potentially leading to memory/stack corruption, which results in undefined behavior, or a crash.

It is great to see open source developers discovering and self-reporting vulnerabilities in this way, with excellent advisory content and prompt security fixes. Congratulations to the FreeSWITCH team!

Pentesting in 2024? (advert)

We would love to hear from you if you are interested in our services for the next year. You can reach us by replying to this newsletter or by visiting our contact page. Since we have no availability left for Q4, this is a great opportunity to start a conversation!

Other vulnerabilities

  • Authenticated Remote Code Execution and Missing Authentication in Atos Unify OpenScape
  • Crashes in Stormshield Network Security when parsing specially crafted SIP (CVE-2023-26095)
  • DLINK DPH-400SE VoIP Phone advisory

Short news and commentary

This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.

To subscribe: here