On February 15, 2023, Arin welcomed Sandro Gauci to WebRTC Live to talk about the WebRTC attack surface. Sandro is the Chief Mischief Officer, Founder, and CEO at RTC security audit and penetration testing experts, Enable Security. To the real-time communications community, he is also known as the original developer of SIPVicious OSS, the open-source security suite for auditing SIP-based VoIP systems.
WebRTC uses encryption in the video, audio and data channels, and so it has some aspects of secure design built in. But there are still things that can go wrong. Sandro advises designing your applications and infrastructure with security in mind from the start: security gets more and more expensive the later you do it!
Watch Episode #76!
Mindmap: WebRTC infrastructure attack surface
Sandro shared a mind map detailing the WebRTC infrastructure attack surface and discussed the areas that they've tested.
- Signaling (authentication, authorization, quality of service, transport security, message processing, intrusion detection/prevention services)
  - SIP
  - XMPP
  - Custom protocols
- Media (message processing, confidentiality & integrity, recording systems, transcoding)
  - RTP
  - SRTP
  - DTLS
- NAT traversal
  - TURN
  - STUN
  - ICE
- Gateway (protocol conversion, message processing)
  - PSTN
  - VoIP
Sandro focused on one particular area that can become a major choke point in your signaling services and their dependencies if attacked: quality of service, and specifically resource exhaustion. He gave a demo using the SIPVicious PRO Demo Server.
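The defensive counterpart to the resource-exhaustion demo is per-source rate limiting in front of the signaling service, plus enough accounting to flag the source that is flooding it. The block below is an added illustration written for this summary; it is not code from the episode, from SIPVicious, or from Enable Security. It assumes a constructed log format (`<ISO timestamp> <source IP> <SIP method>`, one request per line, already in time order) and illustrative limits (5 requests per source per 1-second window); real deployments would tune both to their traffic.

```python
# Added illustration (not from the episode or SIPVicious): per-source sliding-window
# rate limiting replayed over constructed SIP signaling log lines, to surface one
# source flooding a registrar and to decide which requests a front-end would shed.
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log, one line per SIP request: "<ISO timestamp> <source IP> <method>".
# 203.0.113.10 sends a burst of eight REGISTERs within one second (a resource-exhaustion
# pattern); 198.51.100.7 is a normal caller. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 198.51.100.7 INVITE
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:00 203.0.113.10 REGISTER
2023-02-15T12:00:01 198.51.100.7 INVITE
2023-02-15T12:00:01 198.51.100.7 INVITE
2023-02-15T12:00:02 203.0.113.10 REGISTER
"""


class SlidingWindowLimiter:
    """Allow at most max_requests per source within any window_seconds interval."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self._events: dict[str, deque] = defaultdict(deque)

    def allow(self, source: str, ts: float) -> bool:
        q = self._events[source]
        cutoff = ts - self.window_seconds
        # Evict timestamps that have fallen out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over budget: shed this request before it reaches the registrar
        q.append(ts)
        return True


def parse_line(line: str):
    """Return (timestamp_seconds, source, method), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0]).timestamp()
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def analyze(log_text: str, max_requests: int = 5, window_seconds: float = 1.0) -> dict:
    """Replay the log (assumed time-ordered) through the limiter; return per-source counts."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than let them stall the pipeline
        ts, source, _method = parsed
        key = "accepted" if limiter.allow(source, ts) else "rejected"
        stats[source][key] += 1
    return dict(stats)


def flag_sources(stats: dict) -> list:
    """Sources that hit the limit at least once, worst offender first."""
    offenders = [s for s, c in stats.items() if c["rejected"] > 0]
    return sorted(offenders, key=lambda s: stats[s]["rejected"], reverse=True)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for source, counts in result.items():
        print(source, counts)
    print("flagged:", flag_sources(result))
```

Replaying the constructed log, the bursting source has three of its nine REGISTERs rejected and is the only address flagged, while the normal caller's three INVITEs all pass; its request after the window has elapsed is accepted again, which is the behaviour you want from a limiter that throttles rather than bans. The same per-source deque is the state a signaling front-end would keep in memory, so the memory cost is bounded by the window size and the number of active sources.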
Links!
- The Awesome Real-time Communications hacking & pentesting resources (covers VoIP, WebRTC and VoLTE security-related topics):
- RTC Security Newsletter
- TURN relay abuse references:
- https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/
- https://hackerone.com/reports/333419
- https://www.rtcsec.com/post/2020/06/03-bug-bounty-bout-0x01-webrtc-edition/
- https://www.rtcsec.com/article/cve-2020-26262-bypass-of-coturns-access-control-protection/
- https://firefart.at/post/multiple_vulnerabilities_cisco_expressway/
- Bug bounty report for Slack DTLS Certificate with well-known private key
- And of course, enablesecurity.com
UP NEXT! WebRTC Live #77 with Vonage Developer Advocate, Diana Pham
Wednesday, March 15 at 12:30 pm Eastern. Register today!
Do you have a topic that you would like to see discussed on WebRTC Live? Let us know by emailing news@webrtc.ventures.
Never miss an episode of WebRTC Live, our webinar series hosted by WebRTC.ventures Founder and CEO, Arin Sime. We feature the latest use cases and technical updates to this increasingly popular coding standard for live video. Watch past episodes on our WebRTC Live page, our YouTube channel, and on our blog. Better yet, use the form in the sidebar to join our mailing list and be among the first to hear about upcoming episodes and the latest news in WebRTC!