Enable Security

#OpenSIPSSummit, Day #3 Sandro Gauci @ @enablesecurity Securing Damn Vulnerable #RTC #sip #voip #telecom #security #opensource

#OpenSIPSSummit 2026, Day 1 Sandro Gauci @ @enablesecurity talking about #Vulnerable Real-Time #Communications #sip #voip #rtc #telecom #opensource

5/ Plus short news: Chrome WebRTC UAF, FreePBX GraphQL command injection (no vendor advisory yet), Mitel MiCollab CVSS 9.8 SQLi, Neko privilege escalation, ZLMediaKit VP9 heap overflow, and Grandstream mandatory MFA. Read it all: enablesecurity.com/newsletter/202… #VoIP #WebRTC #InfoSec

4/ I'll be presenting DVRTC at @opensips Summit (Bucharest, Apr 28), Kamailio World (Berlin, May 8), and CommCon (Dusseldorf, June 9-11). Three conferences, three different VoIP/WebRTC attack scenarios.

1/ April RTCSec newsletter is out. AI-assisted vulnerability research is accelerating fast across the RTC ecosystem. enablesecurity.com/newsletter/202…

Live instance: pbx2.dvrtc.net Self-host: github.com/EnableSecurity…

That last one is especially fun: the injection point is the called SIP URI itself. We'll cover it in a dedicated post with a video demo soon.

DVRTC, our intentionally vulnerable VoIP/WebRTC lab, now has a second scenario. v0.2.0 adds pbx2: OpenSIPS, FreeSWITCH, and rtpproxy. It joins pbx1 (Kamailio, Asterisk, rtpengine, coturn), so DVRTC now covers two different VoIP stacks to practice against. enablesecurity.com/blog/dvrtc-v0-…

DVRTC has 7 more exercises beyond this: RTP bleed, TURN abuse, SIP digest leak, offline cracking, and more. github.com/EnableSecurity…

svcrack cracks SIP passwords online. The default range (100-999) wasn't enough, but --enabledefaults found the password in under a second.

svmap identifies Kamailio 6.1.1 as the SIP proxy. Target a specific extension and the User-Agent changes to Asterisk — the routing reveals what's behind the proxy.

Updated SIPVicious OSS tutorial, now using DVRTC as the target. Covers svmap, svwar, and svcrack against pbx1.dvrtc.net — scan SIP devices, enumerate extensions, crack passwords. All tested with v0.3.7. enablesecurity.com/blog/sipviciou…

We also wrote honestly about where this leaves human security researchers. The answer is uncomfortable but worth reading. enablesecurity.com/blog/ai-coming…

The bottleneck has already shifted from finding vulnerabilities to handling them. Carlini has several hundred unvalidated Linux kernel crashes. Most RTC projects are not ready for this volume of valid, reproducible findings.

Nicholas Carlini at Anthropic showed the methodology: loop Claude through each source file, prompt it like a CTF. 500+ high-severity findings, 22 Firefox vulnerabilities in two weeks, a Linux kernel bug from 2003 that required two cooperating adversarial clients.