WebRTC is often considered to be secure by default - with most security concerns being around IP address leakage, which is more of a privacy issue than anything. Well, I have news for you - the applications and infrastructure that handle WebRTC can be attacked. They may indeed have various types of security vulnerabilities which are often overlooked. This presentation is based on experiences gained through security testing of WebRTC applications, with anecdotal stories to illustrate the dangers. We will also take a peek at Video Delivery mechanisms such as RIST and SRT and discuss what could possibly go wrong there too!
CommCon 2023 - WebRTC & Video Delivery application security - what could possibly go wrong?
1. WebRTC & Video Delivery - what could possibly go wrong?
An Application Security talk at CommCon 2023
by Sandro Gauci, Enable Security
2. Welcome!
Purpose: convince you that WebRTC + Video Delivery infra/apps need security testing
Yes .. even if the technology is said to be secure
3. On WebRTC security
WebRTC, unlike VoIP, comes with modern security features
Signaling has to happen on a secure transport layer (i.e. HTTPS)
media is encrypted using SRTP
keys exchanged over DTLS
4. On Video Delivery
Fragmented so hard to make blanket statements
SRT = Secure Reliable Transport
WISH (WHIP) is built on top of WebRTC, thus inherits its security features
5. After this talk
using secure technology is a great starting point
secure communications require more than just using secure technologies
... or having Secure in the protocol's name
6. Who am I to talk about this?
Sandro Gauci, from Malta 🇲🇹
- living in Bavaria 🇩🇪
accused of releasing SIPVicious OSS on weak VoIP systems on the intertubes
leading Enable Security
We specialize in RTC security, focused on security testing
7. How do we figure out what we need to worry about?
14. still WIP as we learn more about each component
not extremely complex but complex enough
split into 4 areas:
Media - SRTP / DTLS (and data channels)
NAT traversal - ICE / STUN / TURN
Signalling - no standard signalling so hard to nail
Gateway
17. Message processing
Media servers need to process each incoming message
includes SRTP, SRTCP, DTLS and STUN
each protocol is complex, especially DTLS
third-party libraries required especially for DTLS e.g. OpenSSL
comes with a history of vulnerabilities; some of which apply
18. CVE-2022-0778
Denial of Service vulnerability in OpenSSL
exploited through a specially crafted X.509 certificate
when parsed, causes an infinite loop while parsing an elliptic curve key
in WebRTC, client certificates are parsed by the media server to check the fingerprint presented in the SDP
to prevent man-in-the-middle attacks
it is an important security feature but also an attack vector
23. Further explanation
Blog post and video demonstration against a WebRTC demo - RTPEngine with vulnerable OpenSSL:
https://www.rtcsec.com/article/exploiting-cve-2022-0778-in-openssl-vs-webrtc-platforms/
25. RTP Proxy vulnerabilities
In some cases, the WebRTC media server is also an RTP proxy used in VoIP environments
This means that some VoIP media vulnerabilities are also found in WebRTC environments
We describe two vulnerabilities: RTP Inject and RTP Bleed
30. RTP Inject versus SRTP streams
the media server might behave in an undefined way when receiving RTP or SRTP on an ongoing stream
surprisingly, we saw instances where malicious unencrypted RTP streams get encrypted by the media server
thus an attacker can send unencrypted RTP which is delivered, in full security to the other party
either way, when vulnerable, this almost always (at least) leads to denial of service
36. Attacking Confidentiality/Integrity of DTLS/SRTP
private key (which was published) reuse as in the case of Slack
usage of weak ciphers - typical vulnerabilities associated with TLS
interesting research area for cryptographers (professionals and amateurs alike!)
37. RTP Flood
and yes, SRTP too
not to be confused with RTP Inject/Bleed!
both recording and transcoding systems may be affected
what is RTP Flood?
40. Why is RTP flood dangerous
Attackers can send packets at high rates, large RTP payloads
Some recording systems will happily store that media filling up storage space (disk, buckets etc)
We have seen gigabytes being stored in a few seconds
Some transcoding systems might not cope with the data, taking precious resources
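One way a recorder or transcoder front end can bound what a single media session may write, added here as an example and not taken from the talk or from any product it mentions. It keys a token bucket on the media session rather than on the SSRC, because the SSRC is chosen by the sender; the rate, burst and size limits and all names are assumptions for the demonstration. The check reads only the cleartext RTP header, so it applies to SRTP as well.

```python
import struct

RTP_HEADER_LEN = 12


def rtp_packet(seq, ssrc, payload_len, pt=0):
    """Build a constructed RTP packet (version 2, no CSRC, no extension)."""
    header = struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF,
                         (seq * 160) & 0xFFFFFFFF, ssrc)
    return header + bytes(payload_len)


class SessionBudget:
    """Per-session byte budget (token bucket) applied before media is stored."""

    def __init__(self, rate, burst, max_packet):
        self.rate = rate              # sustained bytes per second
        self.burst = burst            # bucket size in bytes
        self.max_packet = max_packet  # largest datagram accepted
        self.buckets = {}             # session id -> (tokens, last timestamp)

    def admit(self, session_id, packet, now):
        """Return 'accept' or a 'drop:<reason>' verdict for one datagram."""
        if len(packet) < RTP_HEADER_LEN or packet[0] >> 6 != 2:
            return "drop:not-rtp"
        if len(packet) > self.max_packet:
            return "drop:oversize"
        tokens, last = self.buckets.get(session_id, (self.burst, now))
        # Refill for the time elapsed since the previous packet, up to burst.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        verdict = "accept" if tokens >= len(packet) else "drop:over-budget"
        if verdict == "accept":
            tokens -= len(packet)
        self.buckets[session_id] = (tokens, now)
        return verdict


def simulate(budget, session_id, pps, payload_len, seconds):
    """Offer a constant-rate stream and return (offered, accepted) bytes."""
    offered = accepted = 0
    for i in range(int(pps * seconds)):
        pkt = rtp_packet(i, 0x1234ABCD, payload_len)
        offered += len(pkt)
        if budget.admit(session_id, pkt, i / pps) == "accept":
            accepted += len(pkt)
    return offered, accepted


def new_budget():
    # Assumed limits sized for one narrowband audio stream (constructed values).
    return SessionBudget(rate=16000, burst=4000, max_packet=1500)


if __name__ == "__main__":
    b = new_budget()
    print("normal audio:", simulate(b, "call-1", 50, 160, 2))
    print("flood       :", simulate(b, "call-2", 10000, 1388, 1))
```

Whatever the sender does, the bytes accepted for a session stay below burst plus rate times elapsed time, which is the figure to size recording storage against.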
44. Background on TURN relay abuse
TURN servers are meant to relay data - often SRTP between parties that cannot reach each other directly
Seems obvious that attackers may abuse TURN servers to reach anything else including
internal network IP addresses
local services (i.e. on 127.0.0.1 or ::1)
external services
Sometimes, these internal services require no authentication and assume trust based on IP
e.g. AWS instance metadata service (169.254.169.254)
45. Background on TURN relay abuse
We developed a toolset called stunner to abuse this behavior (and more)
Allowed us to discover this vulnerability in various WebRTC platforms:
Slack
8x8
Vendor X
Signal's infrastructure
our customers
46. Introduction to the TURN relay abuse demo
We have configured the web server to block Internet access to /secret
Only internal IP addresses are allowed to view this location
The TURN server is also configured to block any internal IP addresses, including localhost
If one uses the TURN server as a relay for their web browser (stunner supports this) to access 127.0.0.1/secret, the TURN server blocks that
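The kind of peer-address check the slides above describe on the TURN server, written out as an added example; it is not code from the talk, from stunner, or from any TURN implementation. It decodes the XOR-PEER-ADDRESS attribute a client sends when asking the relay to reach a peer and applies a deny list covering the categories named on the slides. It goes slightly beyond them by also normalising IPv4-mapped IPv6 addresses and refusing malformed attributes; the deny list, function names and sample bytes are constructed for the example.

```python
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442  # STUN magic cookie

# Destinations a relay should refuse: internal networks, local services and
# the link-local range that holds 169.254.169.254. Constructed list.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this network"; may be treated as the local host
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # private ranges
    "100.64.0.0/10",      # carrier-grade NAT
    "127.0.0.0/8",        # IPv4 loopback
    "169.254.0.0/16",     # link-local, includes the metadata service
    "224.0.0.0/3",        # multicast and reserved
    "::/128", "::1/128",  # IPv6 unspecified and loopback
    "fc00::/7",           # IPv6 unique local
    "fe80::/10",          # IPv6 link-local
    "ff00::/8",           # IPv6 multicast
)]


def decode_xor_peer_address(value, transaction_id):
    """Return (ip, port) from an XOR-PEER-ADDRESS attribute value."""
    if len(value) < 4 or len(transaction_id) != 12:
        raise ValueError("short attribute or bad transaction id")
    _, family, xport = struct.unpack("!BBH", value[:4])
    port = xport ^ (MAGIC_COOKIE >> 16)
    # IPv4 is XORed with the cookie, IPv6 with cookie + transaction id.
    key = struct.pack("!I", MAGIC_COOKIE) + transaction_id
    if family == 0x01 and len(value) == 8:
        raw = bytes(a ^ b for a, b in zip(value[4:8], key[:4]))
        return ipaddress.IPv4Address(raw), port
    if family == 0x02 and len(value) == 20:
        raw = bytes(a ^ b for a, b in zip(value[4:20], key))
        return ipaddress.IPv6Address(raw), port
    raise ValueError("unknown family or wrong length")


def peer_allowed(ip):
    """Apply the deny list after unwrapping IPv4-mapped IPv6 addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped   # ::ffff:127.0.0.1 is still 127.0.0.1
    return not any(ip in net for net in BLOCKED if net.version == ip.version)


def check_permission(attr_value, transaction_id):
    """Decide on one requested peer; malformed input is refused."""
    try:
        ip, port = decode_xor_peer_address(attr_value, transaction_id)
    except ValueError:
        return False, "malformed"
    return peer_allowed(ip), "%s port %d" % (ip, port)


if __name__ == "__main__":
    txid = bytes(12)  # constructed transaction id
    for sample in ("000121425e12a443",    # 127.0.0.1:80
                   "0001214288ec0dbc",    # 169.254.169.254:80
                   "0001329eea12d548"):   # 203.0.113.10:5004
        print(check_permission(bytes.fromhex(sample), txid))
```

The same decision has to be made wherever the relay learns a peer address, for example on permission requests, channel binds and TCP connect requests, so that one policy function guards every path.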
49. Brief note on Gateway attacks
Sometimes - from a WebRTC platform - you can call out or in through the traditional phone system
e.g. Google Meet / Jitsi might have this functionality for a web conference
That interaction between the WebRTC platform and external systems might open up security vulnerabilities
Examples that come to mind:
toll fraud
injection of special SIP headers
Interesting attack vector but too specific to cover in this talk
Not to be forgotten!
50. Attacking Signalling
This is how you initiate calls, tear them down and various other important functionality outside of media
WebRTC does not define a signalling protocol (other than the use of SDP)
SIP or XMPP over HTTP or Websocket is somewhat common
In such cases, the systems might inherit security vulnerabilities from SIP/XMPP/etc
A lot of proprietary protocols reinvent the wheel - thus some vulnerabilities are also reinvented
The equivalent of the SIP INVITE flood DoS vulnerability can often be found in other signalling protocols
53. What about Video Delivery?
We started looking at SRT - Secure Reliable Transport
Too complex to learn, let alone build a proper attack surface mindmap for this talk
Also not very related to WebRTC
Something else is much more related ...
54. Hello WHIP! or is it WISH?
WISH = WebRTC Ingest Signaling over HTTPS
WHIP = WebRTC-HTTP ingestion protocol
We focused on WISH/WHIP which is still very new but is/will be a standard signalling protocol for WebRTC signalling just for media ingestion
What does its attack surface look like?
56. Attack surface for WISH/WHIP
Inherits all the WebRTC potential security issues
Removed the gateway element; seems irrelevant
All the previous generic attack surface for signalling still mostly applies
Also identified a few potential and specific attacks
58. Limited attack surface
The draft for WISH explains that certain things that are normally allowed in WebRTC are not allowed in WISH
Examples
no SDP renegotiation is supported = DoS on reneg will not be relevant
SDP offer - sendonly
SDP answer - recvonly
and some other restrictions
Great for security because they reduce the attack surface
SDP is still there, still complex
Complexity is the enemy of security
60. Warning
The above is theoretical because we did not properly test any implementations
61. Potential issues in WISH implementations
access control issues (or IDOR) on the resource location
DoS with ICE restarts
POST flooding
traditional HTTP-style attacks; since it is HTTP specific
62. Access control issues on the resource location
POST /whip/endpoint HTTP/1.1
Host: whip.example.com
Content-Type: application/sdp
Content-Length: 1326
v=0
...
HTTP/1.1 201 Created
ETag: "xyzzy"
Content-Type: application/sdp
Content-Length: 1400
Location: https://whip.example.com/resource/id
v=0
...
63. Resource location security
if there is no authentication and proper authorization ..
if attackers can guess the resource location ...
then they may send DELETE requests to all ongoing sessions and tear them down
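A sketch of the two controls the slides above call for, added as an example and not taken from the talk or from any WHIP implementation: resource locations that cannot be guessed, and a DELETE that only succeeds for the bearer token that created the session. The class, its method names and the choice of status codes are assumptions; the POST is assumed to have been authenticated already, and the /resource/ path follows the exchange shown on slide 62.

```python
import hashlib
import hmac
import secrets


class WhipSessions:
    """In-memory registry of ingest sessions keyed by resource id."""

    def __init__(self):
        # resource id -> SHA-256 of the bearer token that created it
        self._owners = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def create(self, bearer_token):
        """Handle an authenticated POST; returns the Location path."""
        resource_id = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._owners[resource_id] = self._digest(bearer_token)
        return "/resource/" + resource_id

    def delete(self, path, bearer_token):
        """Handle DELETE on a resource location; returns an HTTP status."""
        if not bearer_token:
            return 401
        resource_id = path.rsplit("/", 1)[-1]
        owner = self._owners.get(resource_id)
        presented = self._digest(bearer_token)
        # Unknown and not-owned resources get the same answer, so a response
        # never confirms that a guessed location exists.
        if owner is None or not hmac.compare_digest(owner, presented):
            return 404
        del self._owners[resource_id]
        return 200

    def active(self):
        return len(self._owners)


def demo():
    """Constructed scenario: two publishers, one tries to end the other's session."""
    store = WhipSessions()
    alice = store.create("token-alice")     # constructed tokens
    store.create("token-bob")
    results = [
        store.delete(alice, None),                  # no credentials
        store.delete(alice, "token-bob"),           # valid token, wrong owner
        store.delete("/resource/id", "token-bob"),  # guessed location
        store.delete(alice, "token-alice"),         # the owner
        store.delete(alice, "token-alice"),         # already torn down
    ]
    return results, store.active()


if __name__ == "__main__":
    print(demo())
```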
68. Gratitude
Alfred Farrugia who assisted greatly with the contents and resources
Dan Jenkins and the CommCon team for organising this event
Our customers who keep it interesting for us 😄
Anyone who is contributing to RTC security!
69. Key takeaways
Even if WebRTC is considered the most secure VoIP, there are attack vectors
This also includes the web attack surface which is very familiar to many security professionals
But also
RTC specific vulnerabilities (more interesting to us)
Vulnerabilities inherited from older applications/protocols
70. What to do?
Stay informed - we do our bit at
At various stages of developing WebRTC and Video Delivery solutions ...
Test Test Test!
https://rtcsec.com/subscribe
https://www.rtcsec.com/tags/webrtc-security/