Special day today, being a leap year! In other news, this month brought quite a bit of written content of interest to the VoIP and WebRTC security community, which we’re covering here:
- Generative AI on live audio conversations (sorry!)
- Vulnerabilities affecting Yealink, WebRTC and OpenScape
- Hardening WhatsApp’s VoIP library and new mobile malware using CPaaS
- WebRTC related security content courtesy of Staex, Mozilla and Fonoster
- FCC rules affecting VoIP providers and telcos
RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.
What is RTC security anyway? Real-time communications security is what determines if you can safely communicate in real time - whether it be with other humans or machines.
You may sign up to receive the RTCSec newsletter here. If you like what we’re doing, you’re most welcome to:
- forward to those that may find this newsletter particularly fruitful.
- let us know if we should include or cover any RTC security news.
To view past issues, please visit our website at https://www.rtcsec.com/newsletter.
Our news
Is your product or service critical to your users?
Are you responsible for IP communications products or services that you or your customers rely on? Chances are you have put a significant effort into making sure that it is secure. To have us test its security and resilience through pentesting and DDoS attack simulation get in touch!
Physical conferences of interest for this year
I’ll (Sandro) be visiting the following conferences this year:
If any reader is around, I’d be delighted to say hello!
Other conferences of interest that have been announced and might be worth a visit:
What’s happening?
Audio-jacking - using generative AI on live audio conversations
IBM Security’s blog Security Intelligence published a 7 minute read about the possibility of using large language models (LLM) on a live conversation to manipulate the audio output and hijack the conversation. What they did in their research was to get the LLM to listen for the keyword “bank account” and to replace the legitimate bank account number with a fake.
The reality is that to carry out such an attack, the adversary would need to have malware installed on either the endpoints (usually the victim’s phone) or have compromised the VoIP servers in use. There are other possibilities, such as RTP Bleed and RTP Inject, or simply man-in-the-middle attacks on the audio stream (media). Therefore the article is not about some new vulnerability affecting audio, as the call would need to be compromised in some way. Instead the write up is about the use of LLM in facilitating exploitation of a compromised live audio transaction.
In fact, such an exploitation method could scale greatly and be easy to automate, compared to the traditional alternative - where an actual person with voice changing software might need to handle such a call or have prepared the attack before it happening. The security researchers at IBM also provide pseudo-code, clear examples of how to instruct the LLM to do the attacker’s bidding and how the hijacked audio would sound. It seems like a very realistic attack.
Initially this blog post felt like FUD - especially since it is about AI and security. However, it is certainly fascinating work and a great write up. Give it a read at the Security Intelligence blog.
CVE-2024-24681 Insecure AES key in Yealink Configuration Encrypt Tool
Provisioning devices, especially VoIP phones, is hard to do securely. One reason is that before they are configured, such devices do not have any way to authenticate against a provisioning server. Thus, vendors tend to come up with solutions that seem secure but actually are a typical case of security through obscurity.
In this case, Yealink was found to be making use of a static AES key to encrypt the configuration files for provisioning all their equipment. Although they had introduced a different version which instead relies on RSA (thus no longer needing a static key), the old AES key was still functional.
What does this mean? Encrypted configurations that are somehow compromised, can be decrypted using the AES key that is hardcoded in the Yealink Configuration Encrypt Tool.
For more details, see the advisory and the encryption/decryption tools by Gitaware.
Fedora issues a fix for an old vulnerability in Sofia SIP
Sofia-SIP fixed a number of security issues last year, one of which was CVE-2023-32307. The security fixes by the FreeSWITCH team were made available back in May 2023. This month, Fedora updated their sofia-sip package on Fedora 38 so that it includes this security fix. Better late than never!
CVE-2024-1059 Use after free in WebRTC
There is a new fix for a use-after-free bug in WebRTC that’s fixed in the Chromium browsers. Google paid out $3000 for the bug bounty to Cassidy Kim. Congratulations to this researcher who keeps finding new security issues in the WebRTC stack!
No technical details are published yet.
Multiple vulnerabilities affecting Atos Unify OpenScape Voice Trace Manager (CVE-2023-40262, CVE-2023-40263, CVE-2023-40264)
The advisory by Unify reads as follows:
Multiple vulnerabilities have been identified in Atos Unify OpenScape Voice Trace Manager. The combination of the vulnerabilities may allow an unauthenticated attacker to get full administrative access to the system. User interaction is required for successfully exploiting the vulnerability. Refer to the Details section for additional information.
The severity is rated critical.
Customers are advised to update the systems with the available hotfixes as quickly as possible. We’d like to thank milCERT AT for disclosing and supporting us to remediate the issues.
Short news and commentary
- Decentralized and private calls using WebRTC - blog post by Staex
- Interesting project that includes buzz words like decentralized, blockchain and IoT. This seems like a proof of concept to get WebRTC to work without a signalling server, never exchange real IP addresses and still get a WebRTC call through. They use the Staex public network for all of this. No mention of latency and reliability.
- WhatsApp: VoIP memory isolation
- The Threat Report from Meta just came out covering Q4 2023. It is a fascinating read on the whole but we’re covering it because it highlights that Meta recently enabled a new memory allocator for the WhatsApp VoIP calling library. This makes exploitation of buffer overflows and memory corruption vulnerabilities harder. This was enabled for both Android and iOS versions of WhatsApp.
- Goldfactory/GoldKefu mobile Trojan makes use of the Agora SDK for voice and video calls
- A malware analysis post by Group-IB looks into GoldPickaxe.iOS that features some advanced activity, including the creation of deepfakes to access the victim’s banking account. We’re covering this analysis because this malware integrates the Agora Software Development Kit that is used to perform voice and video calls. This is used so that victims are tricked into calling a fake bank customer service. It is an interesting choice to leverage a CPaaS like Agora for its operations. Additionally, the Command and Control infrastructure (C2) was found to host the Simple Realtime Server (SRS) which is a realtime video server that we came across when researching WHIP security.
- Mozilla blog post: End-to-end-encrypt WebRTC in all browsers!
- The Mozilla Advancing WebRTC blog is back (after a few years) with a post about achieving cross-browser E2EE.
- Simplify SIP.jS security with short-lived tokens
- Pedro Sanders / Fonoster Inc posted about how to use Routr to authenticate SIP (over Websocket, for WebRTC) using JWT tokens instead of digest authentication.
- AI-generated voices in robocalls are illegal, rules FCC
- And now, two news items regarding FCC rules! First one is quite obvious and offhand seems common sense.
- FCC Requires Telecom & VoIP Providers to Report PII Breaches
- The second one details an update to the breach rules as they affect telecom and VoIP providers. Previously customer notifications were only required when customer proprietary network information was compromised. The new rules also cover personally identifiable information which expands the scope quite a bit. Let’s see if there will be an increase in such reports in the coming years.
This newsletter was prepared by Sandro Gauci and the Enable Security team for the RTCSec newsletter subscribers. If you have someone in mind who would benefit from our content, please do share.
To subscribe: here