Sandro Gauci, CEO of Enable Security, is a TADSummit regular; here are a few of his presentations.
- 2022. How to bring down your own RTC platform. Running DDoS simulations on your own. Slides and Video.
- 2021. The worst of enemies – let’s talk about DDoS and RTC
- 2020. Getting offensive: a different approach to RTC security.
I’m a regular reader of his monthly RTC Security newsletter, and I consider it required reading for the industry. The breadth and depth of analysis are great, whether you’re after a quick review of the top RTC security issues this month or want to delve into the details of what is happening on the ground. The newsletter has you covered.
Enable Security provides cyber-security penetration testing across VoIP and WebRTC, as well as testing tools (SIPVicious), general consulting, and RTC security research.
For the bulk of the discussion, Sandro reviewed 5 trends from the past 6 months, covered in these slides.
The top 10 trends were:
- 1. Increasing focus on WebRTC vulnerabilities and security
- 2. Growing concern over VoIP and conferencing platform security
- 3. Rising importance of end-to-end encryption in communication platforms
- 4. Emerging threats from AI and machine learning in audio manipulation
- 5. Continued vulnerabilities in VoIP hardware and firmware
- 6. Increasing attention to STIR/SHAKEN implementation and its privacy implications
- 7. Growing importance of resilience in communication systems
- 8. Rising concerns about open relays and misconfigured SIP servers
- 9. Increasing focus on security in open-source VoIP and WebRTC projects
- 10. Growing importance of fuzzing and automated testing in RTC security
Sandro focused on 5 of them; well, the last one is coming up in the July newsletter, as Sandro knew it’s on a topic I care about.
1. Increasing focus on WebRTC vulnerabilities and security. This means all browsers, so its reach is uniquely broad; the project is generally controlled by Google, so exposure of the vulnerabilities tends to be rather controlled.
Sandro did highlight some of their research work on “A Novel DoS Vulnerability affecting WebRTC Media Servers“. A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.
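The mitigation named above (only hand DTLS packets to the DTLS stack once ICE has validated the sender’s IP and port) as an added example; this is not code from the original post or from Enable Security, and the gate class, the addresses and the minimal ClientHello record are constructed for illustration:

```python
# Added example (not from the original post or Enable Security): a minimal
# per-media-port gate modelling the mitigation. DTLS records are only passed
# on when the sender's (ip, port) pair has passed ICE connectivity checks;
# everything else is dropped and counted, which also gives a detection signal.
from collections import Counter

DTLS_HANDSHAKE = 22   # DTLS record content type: handshake
CLIENT_HELLO = 1      # DTLS handshake message type: ClientHello

class MediaPortGate:
    """Constructed model: ICE-validated peers and a drop counter per media port."""

    def __init__(self):
        self.validated = set()     # (ip, port) tuples that passed ICE checks
        self.dropped = Counter()   # (ip, port) -> DTLS packets dropped as unvalidated

    def ice_validated(self, ip, port):
        """Call when an ICE connectivity check from (ip, port) succeeds."""
        self.validated.add((ip, port))

    def is_dtls(self, payload):
        # RFC 7983 demultiplexing: DTLS records begin with a byte in 20..63,
        # and a DTLS record header is 13 bytes long.
        return len(payload) >= 13 and 20 <= payload[0] <= 63

    def handle(self, ip, port, payload):
        """Return 'dtls' if the packet may reach the DTLS stack, else 'drop' or 'other'."""
        if not self.is_dtls(payload):
            return "other"                    # STUN/RTP are handled elsewhere
        if (ip, port) in self.validated:
            return "dtls"
        self.dropped[(ip, port)] += 1         # unvalidated source: drop and count
        return "drop"

def client_hello():
    """Constructed minimal DTLS 1.2 record whose body starts a ClientHello."""
    header = bytes([DTLS_HANDSHAKE, 0xFE, 0xFD]) + bytes(8) + (12).to_bytes(2, "big")
    return header + bytes([CLIENT_HELLO]) + bytes(11)

def demo():
    """Validated peer vs. an unvalidated source sending a ClientHello to the same port."""
    gate = MediaPortGate()
    gate.ice_validated("203.0.113.10", 50000)               # legitimate peer (constructed)
    results = [
        gate.handle("198.51.100.7", 4444, client_hello()),  # unvalidated source: dropped
        gate.handle("203.0.113.10", 50000, client_hello()), # validated peer: accepted
    ]
    return results, dict(gate.dropped)
```

A real media server would reset `validated` when the ICE session ends and would alert when `dropped` climbs for a single port, since that is exactly the traffic pattern the filter exists to catch.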
2. Growing concern over VoIP and conferencing platform security. In one case the PSTN leg of a military conference was compromised. In another, again via the PSTN leg, pressing the # key granted entry into a conference call. Likely # was an old operator call, but with everything now automated, it ended up being placed into a conference call.
There have also been multiple vulnerabilities in various VoIP phones and systems such as Mitel, Alcatel Lucent Enterprise, and Yealink. As the UCaaS market consolidates, the risks from all these VoIP phones will grow. Enterprises with a high exposure risk, e.g. banks or government, will likely need to act first.
3. Emerging threats from AI and machine learning in audio manipulation. This includes Audio Jacking, using generative AI on live audio conversations; and the Goldfactory/GoldKefu mobile Trojan, which makes use of the Agora SDK for voice and video calls. The risk with these is the ability to scale: it’s not limited by the number of bad actors, rather by the reach of the Trojan.
4. Growing importance of resilience in communication systems. An article from Bert Hubert, a well-respected thinker in this area. A cyber war can impact the economy of a country or countries, like we just experienced with CrowdStrike. Bert reviews how fragile many emergency communications systems have become because of all the layers added. This reminded me of the TADSummit keynote we had on Mindful Connections from Sami Mäkeläinen.
5. We finished on Voice / SMS 2FA being hugely problematic, reviewing the Cisco Duo compromise of SMS and VoIP logs, and Twilio’s Authy incident.
Please remember to sign up to Sandro’s monthly RTC Security newsletter.
2 thoughts on “Podcast 80: TADSummit Innovators, Sandro Gauci, Enable Security”