VoIP and WebRTC
Security Articles and News
Articles and security news about vulnerabilities and attacks affecting VoIP and WebRTC by Enable Security.
TURN Server Security Best Practices
Published on Feb 25, 2026 in TURN security, server hardening, webrtc security
Implementation-agnostic security reference for TURN server deployments. Covers network isolation, access control rules, protocol hardening, rate limiting, and monitoring with a complete checklist, IP range reference tables, and deployment patterns.…
Securing coturn: Configuration Guide
Published on Feb 25, 2026 in TURN security, coturn, server hardening, webrtc security
The coturn-specific companion to our TURN Server Security Best Practices guide. Copy-paste configuration blocks for access control, protocol hardening, rate limiting, and authentication, with three complete templates from minimal to high-security.…
TURN Security Threats: A Hacker’s View
Published on Feb 12, 2026 · Updated on Feb 25, 2026 in TURN security, webrtc security, server hardening
TURN servers are meant to relay media traffic for WebRTC, but they’re also powerful proxies that hackers have been abusing since at least 2017. We break down three critical threat categories: relay abuse, Denial of Service, and software vulnerabilities, with real-world examples from our research and pentesting.…
VoIP Eavesdropping: How it Works, Threats & Defense Tactics
Published on Oct 9, 2025 in voip security, sip security, webrtc security
VoIP eavesdropping is a critical security threat that can expose sensitive business and personal information. This comprehensive guide explains how attackers exploit VoIP vulnerabilities through packet sniffing, MITM attacks, and RTP Bleed, and provides actionable defense tactics including transport encryption, authentication, security audits, and network segmentation to protect your organization.…
Sandro talks RTC Security with Safety Detectives
Published on Aug 6, 2025 in voip security, denial of service
Our CEO discusses why generic security tools fail for voice protocols, how ESAP addresses RTC-specific vulnerabilities, and emerging AI threats in real-time communications.…
Rtpengine RTP Injection and Media Bleed Vulnerabilities (CVE-2025-53399)
Published on Jul 31, 2025 in voip security, research, rtpengine, denial of service, webrtc security, sip security
We published a critical security advisory for rtpengine affecting versions mr13.3.1.4 and lower, allowing RTP injection and media redirection attacks. These vulnerabilities can be exploited without man-in-the-middle positioning and affect both plaintext RTP and encrypted SRTP sessions. Organizations should upgrade to mr13.4.1.1 and review configuration settings.…
New White Paper: DTLS “ClientHello” Race Conditions in WebRTC Implementations
Published on Oct 15, 2024 in denial of service, freeswitch, webrtc security, asterisk
Our white paper on DTLS ClientHello race conditions in WebRTC reveals vulnerabilities in RTPEngine, Asterisk, FreeSWITCH, and Skype. We tested platforms including Janus, Discord, Google Meet, and Zoom, and provide mitigation strategies for secure real-time communication.…
TADSummit Innovators Podcast reviews the Last 6 Months of RTC Security Trends with Sandro Gauci
Published on Jul 26, 2024 in voip security, webrtc security
This week, I had the pleasure of joining Alan Quayle on the TADSummit Innovators Podcast to review the last six months of VoIP and WebRTC security news. We delved into some of the most intriguing trends emerging in the RTC security space.
We covered the following RTC security trends for 2024 so far:
- Increasing focus on WebRTC vulnerabilities and security
- Growing concern over VoIP and conferencing platform security
- Emerging threats from AI and machine learning in audio manipulation
- Growing importance of resilience in communication systems
- SMS/Voice 2FA is hugely problematic
Here are the top 10 insights that emerged from our discussion:…
A Novel DoS Vulnerability affecting WebRTC Media Servers
Published on Jun 25, 2024 in denial of service, freeswitch, webrtc security, asterisk
Executive summary (TL;DR)
A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.
OpenSIPS Security Audit Report is fully disclosed and out there
Published on Mar 17, 2023 in sip security, sip security testing, security tools, opensips, kamailio, fuzzing, denial of service, research
It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report.
The OpenSIPS security audit report can be found here.
What is the OpenSIPS security audit?
OpenSIPS is a SIP server that often has a critical security function within an IP communications system. Thus, it makes absolute sense to perform a thorough security audit for such software. We had been dealing with OpenSIPS servers from time to time in our work so we were rather familiar with the software and the project itself. Then back in January 2021, the lead developer for OpenSIPS, Bogdan-Andrei Iancu, asked us if we would be interested in doing some proper security work. Naturally, our answer was yes please!
…