Enable Security

We talk about Offensive Real-Time Communications / VoIP and WebRTC Security
Website: https://www.enablesecurity.com
Blog: https://www.rtcsec.com
RTCSec news: https://www.enablesecurity.com/newsletter/

Time for me to say... "There are those who read what @sandrogauci and @enablesecurity write and those who wish they had."

Also, very honored to have #APIBAN make the newsletter -- in a good way. ;)

#security #rtc #sip

https://www.enablesecurity.com/newsletter/2026-02-rtcsec-news/

February 2026: TURN security series, libvpx VP9 overflow, Grandstream RCE, coturn fixes

RTCSec newsletter for February 2026 covering Enable Security's TURN server security blog series, libvpx VP9 encoder heap overflow in Chrome and Firefox, Grandstream GXP1600 unauthenticated RCE with call interception, coturn 4.9.0 IPv4-mapped IPv6 ACL bypass, AISLE Research finding Firefox WebRTC and OpenSIPS vulnerabilities, APIBAN 2025 year in review, and more

Enable Security

Two weeks ago we published our analysis of TURN security threats. Today: how to fix them.

New guides covering implementation-agnostic best practices (IP range blocking, protocol hardening, rate limiting, deployment patterns) and coturn-specific configuration with copy-paste templates at three security levels.

Best practices: https://www.enablesecurity.com/blog/turn-security-best-practices/
coturn guide: https://www.enablesecurity.com/blog/coturn-security-configuration-guide/
Config templates on GitHub: https://github.com/EnableSecurity/coturn-secure-config

coturn 4.9.0 dropped yesterday with fixes for CVE-2026-27624 (IPv4-mapped IPv6 bypass of deny rules) and an inverted web admin password check that had been broken since ~2019. The guides cover workarounds for older versions.

#infosec #webrtc #security #TURN #coturn #penetrationtesting #voip #serversecurity

TURN Server Security Best Practices

TURN server security guide for any implementation. Hardening checklist, IP range block lists, rate limiting, and deployment patterns for production WebRTC systems.

Enable Security

TURN servers are meant to relay WebRTC media. To an attacker, they're just proxies.

We wrote up the threats we've been finding since 2017: relay abuse, DoS amplification, and software vulns.

https://www.enablesecurity.com/blog/turn-server-security-threats/

#infosec #webrtc #security #TURN #penetrationtesting #voip

TURN Security Threats: A Hacker's View

TURN servers are powerful proxies abused for internal network access, C2 operations, and DDoS attacks. Threat analysis from real-world research and pentesting.

Enable Security

I know those of us in the US have had our minds focused on all things Turkey... but now it's time to remember that there are those that read what @sandrogauci / @enablesecurity writes, and those who wish they had. #security #rtc #voip

https://www.enablesecurity.com/newsletter/2025-11-rtcsec-news/

November 2025: VoIP and WebRTC vulnerability roundup

November 2025 RTCSec newsletter: Cisco UCCX critical RCE, FreePBX command injection, Firefox WebRTC use-after-free, Jitsi OAuth hijacking, PJSIP buffer overflow, AudioCodes EOL vulnerabilities, and Microsoft Teams spoofing

End of the month which means it's time for me to link the @enablesecurity newsletter and say...

"There are those who read what @sandrogauci writes... and those who wish they had."

https://www.enablesecurity.com/newsletter/2025-09-rtcsec-news/

September 2025: more RTP, FreePBX and Voice AI vulnerabilities this time

September 2025 RTCSec newsletter: more RTP, FreePBX and Voice AI vulnerabilities this time

There are those that read what @sandrogauci / @enablesecurity writes, and those that wish they had.

https://www.enablesecurity.com/newsletter/2025-01-rtcsec-news/

January 2025: SIP, WebRTC and IoT security news, security fixes for Cisco, Asterisk, Samsung and more

January 2025 RTCSec newsletter: Fixes for Cisco BroadWorks DoS, WebRTC bugs, Asterisk path traversal. Also, Mitel & Samsung S24 issues and FCC's IoT 'Cyber Trust Mark' launch.

Last time for 2024...

There are those who read what @sandrogauci / @enablesecurity write, and those who wish they had.

https://www.enablesecurity.com/newsletter/2024-12-rtcsec-news/

#voip #webrtc

December 2024: Wrap-Up & Latest VoIP and WebRTC Security News

December 2024 RTCSec newsletter: Year-end review of VoIP & WebRTC security, featuring major breaches, vulnerability reports, and key achievements in RTC security.

November 2024: Breaking VoIP & WebRTC – Exploits, Vulnerabilities, and Shodan Insights

November 2024 RTCSec newsletter: Uncover critical VoIP and WebRTC security insights, including Messenger exploits, vulnerabilities in Cisco phones and video codecs, and Shodan-revealed threats.