Enable Security

We talk about Offensive Real-Time Communications / VoIP and WebRTC Security
Website: https://www.enablesecurity.com
Blog: https://www.rtcsec.com
RTCSec news: https://www.enablesecurity.com/newsletter/

RE: https://fosstodon.org/@fredposner/116455229778114819

Indeed @fredposner .. it remains **not recommended** to this day :D

End of the month means it's time for me to say... **There are those who read what @sandrogauci / @enablesecurity writes, and those who wish they had.**

I'm sure you've used at least one of the products listed in this month's newsletter.

https://www.enablesecurity.com/newsletter/2026-03-rtcsec-news/

March 2026: DTLS-SRTP auth bypass, AI vuln research, DVRTC, WebRTC skimmer

19 of 33 WebRTC media servers fail DTLS-SRTP authentication. AI agents are finding hundreds of zero-days in C codebases. Enable Security launches DVRTC for VoIP security training. Plus a WebRTC payment skimmer, PJSIP advisories, FreePBX CVEs, and more.

Enable Security

Web application security has DVWA and WebGoat. VoIP and WebRTC security hasn't had anything like it ... until now.

We built DVRTC (Damn Vulnerable Real-Time Communications): a hands-on lab for learning VoIP/WebRTC attack techniques. Full dockerized stack with Kamailio, Asterisk, rtpengine, and coturn — each configured to exhibit specific vulnerable behaviors.

7 exercises covering SIP extension enumeration, RTP bleed, SIP digest leaks, credential cracking (online and offline), TURN relay abuse, and traffic analysis. There's a live instance at pbx1.dvrtc.net you can test against right now.

https://www.enablesecurity.com/blog/introducing-dvrtc-damn-vulnerable-real-time-communications/

GitHub: https://github.com/EnableSecurity/DVRTC/

#infosec #webrtc #voipsecurity #sipsecurity #penetrationtesting #training #TURN

Introducing DVRTC: a vulnerable lab for RTC security

DVRTC is a vulnerable VoIP and WebRTC lab for hands-on security training, with exercises covering SIP enumeration, RTP attacks, TURN abuse, and more.

Enable Security

Time for me to say... "There are those who read what @sandrogauci and @enablesecurity write and those who wish they had."

Also, very honored to have #APIBAN make the newsletter -- in a good way. ;)

#security #rtc #sip

https://www.enablesecurity.com/newsletter/2026-02-rtcsec-news/

February 2026: TURN security series, libvpx VP9 overflow, Grandstream RCE, coturn fixes

RTCSec newsletter for February 2026 covering Enable Security's TURN server security blog series, libvpx VP9 encoder heap overflow in Chrome and Firefox, Grandstream GXP1600 unauthenticated RCE with call interception, coturn 4.9.0 IPv4-mapped IPv6 ACL bypass, AISLE Research finding Firefox WebRTC and OpenSIPS vulnerabilities, APIBAN 2025 year in review, and more

Enable Security

Two weeks ago we published our analysis of TURN security threats. Today: how to fix them.

New guides covering implementation-agnostic best practices (IP range blocking, protocol hardening, rate limiting, deployment patterns) and coturn-specific configuration with copy-paste templates at three security levels.

Best practices: https://www.enablesecurity.com/blog/turn-security-best-practices/
coturn guide: https://www.enablesecurity.com/blog/coturn-security-configuration-guide/
Config templates on GitHub: https://github.com/EnableSecurity/coturn-secure-config

coturn 4.9.0 dropped yesterday with fixes for CVE-2026-27624 (IPv4-mapped IPv6 bypass of deny rules) and an inverted web admin password check that had been broken since ~2019. The guides cover workarounds for older versions.

#infosec #webrtc #security #TURN #coturn #penetrationtesting #voip #serversecurity

TURN Server Security Best Practices

TURN server security guide for any implementation. Hardening checklist, IP range block lists, rate limiting, and deployment patterns for production WebRTC systems.
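The IPv4-mapped IPv6 bypass of deny rules mentioned in the post above is a general access-list pitfall, not something specific to one server. What follows is an added example, not code from the post, the linked guides or coturn, of a peer deny check that normalises the address before matching it against a block list; the deny ranges and sample peers are constructed for the demonstration.

```python
"""Added example, not code from Enable Security, the linked guides or coturn.

Normalise a TURN peer address before matching it against a deny list, so an
IPv4-mapped IPv6 literal (::ffff:10.0.0.1) or a 6to4 literal that embeds an
IPv4 address cannot slip past a rule written for 10.0.0.0/8. The deny ranges
and sample peers below are constructed for the demonstration.
"""
import ipaddress

# Constructed deny list in the spirit of the post's "IP range blocking":
# RFC 1918, loopback, link-local, CGNAT and the IPv6 equivalents.
DENY_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def canonical_peer(addr):
    """Return the address a deny rule should be checked against.

    An IPv6 literal that merely wraps an IPv4 address is reduced to that
    IPv4 address; everything else is returned as parsed.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:      # ::ffff:a.b.c.d
            return ip.ipv4_mapped
        if ip.sixtofour is not None:        # 2002:AABB:CCDD::/48 embeds a.b.c.d
            return ip.sixtofour
    return ip


def naive_denied(addr):
    """The weak check: match the literal exactly as parsed, no normalisation.

    ipaddress never matches a v6 address against a v4 network, so the mapped
    form of a blocked IPv4 address is silently allowed through.
    """
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DENY_RANGES)


def hardened_denied(addr):
    """The corrected check: normalise first, then match."""
    ip = canonical_peer(addr)
    return any(ip in net for net in DENY_RANGES)


if __name__ == "__main__":
    for peer in ("10.0.0.1", "::ffff:10.0.0.1", "2002:a00:1::", "203.0.113.5"):
        print(f"{peer:>16}  naive={naive_denied(peer)!s:5}  hardened={hardened_denied(peer)}")
```

Running the block shows the mapped and 6to4 forms of a blocked private address passing the naive check and being caught by the hardened one.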

Enable Security

TURN servers are meant to relay WebRTC media. To an attacker, they're just proxies.

We wrote up the threats we've been finding since 2017: relay abuse, DoS amplification, and software vulns.

https://www.enablesecurity.com/blog/turn-server-security-threats/

#infosec #webrtc #security #TURN #penetrationtesting #voip

TURN Security Threats: A Hacker's View

TURN servers are powerful proxies abused for internal network access, C2 operations, and DDoS attacks. Threat analysis from real-world research and pentesting.

Enable Security

I know those of us in the US have had our minds focused on all things Turkey... but now it's time to remember that there are those that read what @sandrogauci / @enablesecurity writes, and those who wish they had. #security #rtc #voip

https://www.enablesecurity.com/newsletter/2025-11-rtcsec-news/

November 2025: VoIP and WebRTC vulnerability roundup

November 2025 RTCSec newsletter: Cisco UCCX critical RCE, FreePBX command injection, Firefox WebRTC use-after-free, Jitsi OAuth hijacking, PJSIP buffer overflow, AudioCodes EOL vulnerabilities, and Microsoft Teams spoofing