RSS Atom

Free Real-Time Communications (RTC) Planet

June 30, 2024

• François Marier Upgrading from chan_sip to res_pjsip in Asterisk 18

  After upgrading to Ubuntu Jammy and Asterisk 18.10, I saw the following messages in my logs:

  WARNING[360166]: loader.c:2487 in load_modules: Module 'chan_sip' has been loaded but was deprecated in Asterisk version 17 and will be removed in Asterisk version 21.
  WARNING[360174]: chan_sip.c:35468 in deprecation_notice: chan_sip has no official maintainer and is deprecated.  Migration to
  WARNING[360174]: chan_sip.c:35469 in deprecation_notice: chan_pjsip is recommended.  See guides at the Asterisk Wiki:
  WARNING[360174]: chan_sip.c:35470 in deprecation_notice: https://wiki.asterisk.org/wiki/display/AST/Migrating+from+chan_sip+to+res_pjsip
  WARNING[360174]: chan_sip.c:35471 in deprecation_notice: https://wiki.asterisk.org/wiki/display/AST/Configuring+res_pjsip
  

  and so I decided it was time to stop postponing the overdue migration of my working setup from chan_sip to res_pjsip.

  It turns out that it was not as painful as I expected, though the conversion script bundled with Asterisk didn't work for me out of the box.

  Debugging

  Before you start, one very important thing to note is that the SIP debug information you used to see when running this in the asterisk console (asterisk -r):

  sip set debug on
  

  now lives behind this command:

  pjsip set logger on
  

  SIP phones

  The first thing I migrated was the config for my two SIP phones (Snom 300 and Snom D715).

  The original config for them in sip.conf was:

  [2000]
  ; Snom 300
  type=friend
  qualify=yes
  secret=password123
  encryption=no
  context=full
  host=dynamic
  nat=no
  directmedia=no
  mailbox=10@internal
  vmexten=707
  dtmfmode=rfc2833
  call-limit=2
  disallow=all
  allow=g722
  allow=ulaw
  
  [2001]
  ; Snom D715
  type=friend
  qualify=yes
  secret=password456
  encryption=no
  context=full
  host=dynamic
  nat=no
  directmedia=yes
  mailbox=10@internal
  vmexten=707
  dtmfmode=rfc2833
  call-limit=2
  disallow=all
  allow=g722
  allow=ulaw
  

  and that became the following in pjsip.conf:

  [transport-udp]
  type = transport
  protocol = udp
  bind = 0.0.0.0
  external_media_address = myasterisk.dyn.example.com
  external_signaling_address = myasterisk.dyn.example.com
  local_net = 192.168.0.0/255.255.0.0
  
  [2000]
  type = aor
  max_contacts = 1
  
  [2000]
  type = auth
  username = 2000
  password = password123
  
  [2000]
  type = endpoint
  context = full
  dtmf_mode = rfc4733
  disallow = all
  allow = g722
  allow = ulaw
  direct_media = no
  mailboxes = 10@internal
  auth = 2000
  outbound_auth = 2000
  aors = 2000
  
  [2001]
  type = aor
  max_contacts = 1
  
  [2001]
  type = auth
  username = 2001
  password = password456
  
  [2001]
  type = endpoint
  context = full
  dtmf_mode = rfc4733
  disallow = all
  allow = g722
  allow = ulaw
  direct_media = yes
  mailboxes = 10@internal
  auth = 2001
  outbound_auth = 2001
  aors = 2001
  

  The different direct_media line between the two phones has to do with how they each connect to my Asterisk server and whether or not they have access to the Internet.

  Internal calls

  For some reason, my internal calls (from one SIP phone to the other) didn't work when using "aliases". I fixed it by changing this blurb in extensions.conf from:

  [speeddial]
  exten => 1000,1,Dial(SIP/2000,20)
  exten => 1001,1,Dial(SIP/2001,20)
  

  to:

  [speeddial]
  exten => 1000,1,Dial(${PJSIP_DIAL_CONTACTS(2000)},20)
  exten => 1001,1,Dial(${PJSIP_DIAL_CONTACTS(2001)},20)
  

  I have not yet dug into what this changes or why it's necessary and so feel free to leave a comment if you know more here.

  PSTN trunk

  Once I had the internal phones working, I moved to making and receiving phone calls over the PSTN, for which I use VoIP.ms with encryption.

  I had to change the following in my sip.conf:

  [general]
  register => tls://555123_myasterisk:password789@vancouver2.voip.ms
  externhost=myasterisk.dyn.example.com
  localnet=192.168.0.0/255.255.0.0
  tcpenable=yes
  tlsenable=yes
  tlscertfile=/etc/asterisk/asterisk.cert
  tlsprivatekey=/etc/asterisk/asterisk.key
  tlscapath=/etc/ssl/certs/
  
  [voipms]
  type=peer
  host=vancouver2.voip.ms
  secret=password789
  defaultuser=555123_myasterisk
  context=from-voipms
  disallow=all
  allow=ulaw
  allow=g729
  insecure=port,invite
  canreinvite=no
  trustrpid=yes
  sendrpid=yes
  transport=tls
  encryption=yes
  

  to the following in pjsip.conf:

  [transport-tls]
  type = transport
  protocol = tls
  bind = 0.0.0.0
  external_media_address = myasterisk.dyn.example.com
  external_signaling_address = myasterisk.dyn.example.com
  local_net = 192.168.0.0/255.255.0.0
  cert_file = /etc/asterisk/asterisk.cert
  priv_key_file = /etc/asterisk/asterisk.key
  ca_list_path = /etc/ssl/certs/
  method = tlsv1_2
  
  [voipms]
  type = registration
  transport = transport-tls
  outbound_auth = voipms
  client_uri = sip:555123_myasterisk@vancouver2.voip.ms
  server_uri = sip:vancouver2.voip.ms
  
  [voipms]
  type = auth
  password = password789
  username = 555123_myasterisk
  
  [voipms]
  type = aor
  contact = sip:555123_myasterisk@vancouver2.voip.ms
  
  [voipms]
  type = identify
  endpoint = voipms
  match = vancouver2.voip.ms
  
  [voipms]
  type = endpoint
  context = from-voipms
  disallow = all
  allow = ulaw
  allow = g729
  from_user = 555123_myasterisk
  trust_id_inbound = yes
  media_encryption = sdes
  auth = voipms
  outbound_auth = voipms
  aors = voipms
  rtp_symmetric = yes
  rewrite_contact = yes
  send_rpid = yes
  timers = no
  dtmf_mode = rfc4733
  

  The TLS method line is needed since the default in Debian OpenSSL is too strict. The timers line is to prevent outbound calls from getting dropped after 15 minutes.

  Finally, I changed the Dial() lines in these extensions.conf blurbs from:

  [from-voipms]
  exten => 5551231000,1,Goto(2000,1)
  exten => 2000,1,Dial(SIP/2000&SIP/2001,20)
  exten => 2000,n,Goto(in2000-${DIALSTATUS},1)
  exten => 2000,n,Hangup
  exten => in2000-BUSY,1,VoiceMail(10@internal,su)
  exten => in2000-BUSY,n,Hangup
  exten => in2000-CONGESTION,1,VoiceMail(10@internal,su)
  exten => in2000-CONGESTION,n,Hangup
  exten => in2000-CHANUNAVAIL,1,VoiceMail(10@internal,su)
  exten => in2000-CHANUNAVAIL,n,Hangup
  exten => in2000-NOANSWER,1,VoiceMail(10@internal,su)
  exten => in2000-NOANSWER,n,Hangup
  exten => _in2000-.,1,Hangup(16)
  
  [pstn-voipms]
  exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _1NXXNXXXXXX,n,Dial(SIP/voipms/${EXTEN})
  exten => _1NXXNXXXXXX,n,Hangup()
  exten => _NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _NXXNXXXXXX,n,Dial(SIP/voipms/1${EXTEN})
  exten => _NXXNXXXXXX,n,Hangup()
  exten => _011X.,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _011X.,n,Authenticate(1234)
  exten => _011X.,n,Dial(SIP/voipms/${EXTEN})
  exten => _011X.,n,Hangup()
  exten => _00X.,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _00X.,n,Authenticate(1234)
  exten => _00X.,n,Dial(SIP/voipms/${EXTEN})
  exten => _00X.,n,Hangup()
  

  to:

  [from-voipms]
  exten => 5551231000,1,Goto(2000,1)
  exten => 2000,1,Dial(PJSIP/2000&PJSIP/2001,20)
  exten => 2000,n,Goto(in2000-${DIALSTATUS},1)
  exten => 2000,n,Hangup
  exten => in2000-BUSY,1,VoiceMail(10@internal,su)
  exten => in2000-BUSY,n,Hangup
  exten => in2000-CONGESTION,1,VoiceMail(10@internal,su)
  exten => in2000-CONGESTION,n,Hangup
  exten => in2000-CHANUNAVAIL,1,VoiceMail(10@internal,su)
  exten => in2000-CHANUNAVAIL,n,Hangup
  exten => in2000-NOANSWER,1,VoiceMail(10@internal,su)
  exten => in2000-NOANSWER,n,Hangup
  exten => _in2000-.,1,Hangup(16)
  
  [pstn-voipms]
  exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _1NXXNXXXXXX,n,Dial(PJSIP/${EXTEN}@voipms)
  exten => _1NXXNXXXXXX,n,Hangup()
  exten => _NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _NXXNXXXXXX,n,Dial(PJSIP/1${EXTEN}@voipms)
  exten => _NXXNXXXXXX,n,Hangup()
  exten => _011X.,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _011X.,n,Authenticate(1234)
  exten => _011X.,n,Dial(PJSIP/${EXTEN}@voipms)
  exten => _011X.,n,Hangup()
  exten => _00X.,1,Set(CALLERID(all)=Francois Marier <5551231000>)
  exten => _00X.,n,Authenticate(1234)
  exten => _00X.,n,Dial(PJSIP/${EXTEN}@voipms)
  exten => _00X.,n,Hangup()
  

  Note that it's not just replacing SIP/ with PJSIP/, but it was also necessary to use a format supported by pjsip for the channel since SIP/trunkname/extension isn't supported by pjsip.

June 28, 2024

• Enable Security June 2024: WebRTC security specs that need fixing and vulnerable VoIP firmware and WebEx
  Welcome to the June 2024 edition of the RTCSec newsletter, covering VoIP and WebRTC security news and related topics. In this edition, we cover: Our latest publication on our blog about WebRTC vulnerabilities Cisco WebEx’s seemingly obvious vulnerabilities and their effect on military and political entities Security fixes in Chrome, affecting WebRTC Vulnerabilities in Mitel phones, sngrep, and… iTunes? And more! The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

June 25, 2024

• Enable Security A Novel DoS Vulnerability affecting WebRTC Media Servers
  Executive summary (TL;DR) A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. This vulnerability arises from a race condition between ICE and DTLS traffic and can be exploited to disrupt media sessions, compromising the availability of real-time communication services. Mitigations include filtering packets based on ICE-validated IP and port combinations. The article also indicates safe testing methods and strategies for detecting the attack.

May 31, 2024

• Enable Security May 2024: Presenting on DTLS WebRTC DoS and the latest VoIP vulnerabilities
  It is already the end of May, and we have a packed newsletter this month! In this edition, we cover: Our upcoming presentation about the DTLS ClientHello DoS vulnerability Vulnerabilities fixed in Asterisk, ALU and Cisco phones and more RCS phishing attempts and a Pre-War Reality Check and VoIP resilience New features from Kwanlabs SIP Open Relay tester A talk about STIR/SHAKEN privacy concerns Short news covering fax, physical access control vulnerabilities and honeypots The RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

May 21, 2024

• Jitsi Connecting anything to everything via SIP

  In the evolving landscape of virtual meetings, seamless connectivity remains paramount. SIP integration enables participants to join meetings from various devices, including hardware phones or softphones such as Bria, video conferencing systems such as Zoom, and traditional telephony systems. This broadens the scope of participants who can connect to Jitsi conferences, making it more inclusive.

  Leveraging SIP for Video and Audio Connectivity

  Prerequisites

  1. JaaS Account: Create a JaaS account
  2. Host this sample code on your server 
  3. Zoom Account: Ensure you have Room System enabled in Zoom

  Note: We are using JaaS here for the purpose of simplicity, but all of this can be deployed using the Open Source components available on GitHub.

  Step-by-Step Guide

  • Join a Jitsi conference on your hosted instance
  • Get the SIP Addresses for Dial-In

  

  • Users can dial into Jitsi conferences from any hard SIP device or Zoom by using the following SIP addresses:
    • For a combined audio and video experience: pinCode@8×8.vc or pinCode@video.8×8.vc
    • For audio only: pinCode@audio.8×8.vc

  Note: Replace pinCode with the specific conference PIN provided for your Jitsi conference

  

  • Join a Zoom conference
    • To connect a Zoom conference to a Jitsi conference, use the Invite via Room System option in Zoom to call out to the provided SIP address

  

  • Testing:
    • Test the configuration by dialing the SIP address. Verify that the call connects to the Jitsi conference and that audio and video is properly routed.

  

  SIP Audio-Only Connectivity: Cost-Effective and Reliable

  SIP audio-only connectivity provides a cost-effective and reliable way for participants to join Jitsi conferences. It reduces bandwidth consumption and costs, making it ideal in scenarios where video isn’t really needed, such as webinars. This option ensures users with limited internet access or slower connections can participate without interruptions.

  Under the Hood: Exploring the Technical Details

  

  Integrating Voximplant with Jitsi Meet involves several key steps:

  1. Setting Up Voximplant Application:
     • Create a Voximplant application and configure it with the necessary call handling logic. This involves setting up a scenario for incoming calls, managing call routing, and defining custom IVRs 
     • Add logic in the scenario to validate the conference, select a SIP-Jibri and then forward the call to it
  2. Configuring SIP Video Gateways:
     • Configure SIP Jibris. Refer to the Jitsi SIP Video Gateway documentation for detailed setup instructions
     • Run a pool of SIP Jibris and use the SIP Jibri selector to select an available SIP Jibri
  3. Setting up a sip domain (Eg. video.8×8.vc):
     • Define a sip domain and ask VoxImplant to map it to your VoxImplant application
  4. Testing:
     • One easy way to test the integration is using a softphone to dial in

  Note: Voximplant can be replaced with a programmable SIP server such as Kamailio or OpenSIPS.

  

  Wrapping up

  While SIP is these days referred to as legacy, it remains the most used protocol for VoIP and acts as the common denominator across many vendors in the industry. Thus it’s a great candiate for connecting anything to everything

  Your personal meetings team.

  The post Connecting anything to everything via SIP appeared first on Jitsi.

May 14, 2024

• Digium Delivering a One-two Punch to NEC’s Departure from the On-premises PBX Market

   

  The Risks of Sticking with Unsupported On-Premises PBX Systems and Why Switching to Sangoma’s Switchvox is Essential Now

   

  You’ve found yourself in a tough spot – change is not just coming; it’s here. NEC has announced its departure from the on-premises PBX market, shifting its focus towards cloud-based solutions. So where does that leave you?

  Whether due to regulatory compliance, data security concerns, or simply the massive overhaul required, the cloud is not a one-size-fits-all solution. The end result? Companies relying on NEC’s on-premises systems must navigate the complexities of a market in transition without falling behind or, worse, getting stranded.

  Sticking with an unsupported on-premises PBX system is a gamble that no business can afford to take—not in today’s fast-evolving technological landscape. Transitioning to Sangoma’s Switchvox is the one-two punch you need to leave NEC. It offers not just a safer bet but a smarter one, enhancing your communications capabilities while keeping you firmly in control of your data and systems.

  Understanding the Landscape

  As NEC winds down its on-premises operations, it’s crucial to grasp what this means for businesses stuck in this outdated framework:

  • No Future Support: The cessation of support means no more updates or troubleshooting help from NEC
  • Stagnant Technology: Expect no new features or improvements; what you have now is what you’re stuck with
  • Complicated Costs: NEC’s licensing model—complex and often costly—will only become more burdensome
  • Scalability Stumbles: Expansion isn’t just difficult; it often requires significant additional investment in hardware and licenses
  • Rising Costs: Overall, the total cost of ownership is climbing, driven by maintenance fees and the need to potentially pay premiums for dwindling hardware parts

  The Imminent Risks

  Operating on unsupported on-premises systems isn’t just inconvenient—it’s fraught with risks:

  • Security Vulnerabilities: Without regular updates, systems are vulnerable to new threats, leaving business data and operations at risk
  • Compliance Challenges: Falling out of compliance with industry standards could mean fines or worse, operational shutdowns
  • Operational Inefficiencies: Expect more frequent breakdowns and longer downtimes, with diminishing resources for fixes
  • Cost Inefficiencies: The hidden costs of maintaining aging technology will invariably lead to higher operational expenses and lost business opportunities

  Why Act Now?

  The clock isn’t just ticking; it’s running out. The availability of compatible parts and knowledgeable technicians is dwindling rapidly. Holding off on making a decision can hamper your operational efficiency and leave you lagging behind competitors who adapt more swiftly to technological advancements. It’s about being proactive, not reactive—planning your transition now, rather than scrambling when disaster strikes.

  Sangoma’s Switchvox: A Seamless Solution

  Here’s why Sangoma’s Switchvox system stands out as the ideal replacement:

  • Robust On-Premises Solution: Perfect for businesses not ready to migrate to the cloud, offering stability and control
  • Comprehensive Features: Unlike NEC, every Switchvox user accesses a full suite of features without extra charges
  • User-Friendly: The system is designed for ease of use, ensuring you don’t need IT experts to manage daily operations
  • Flexible Deployment: Choose between on-premises or virtual setups, whichever fits your business model
  • Transparent Pricing: With Switchvox, what you see is what you get. No hidden fees, no extra licensing costs
  • Scalability: As your business grows, Switchvox scales with you effortlessly, without the need for additional expensive licenses or hardware

  

  Planning Your Transition

  Moving to a new system sounds daunting, but it doesn’t have to be:

  1. Evaluate Your Needs: Take stock of what your current system provides and what your needs are moving forward.
  2. Set a Timeline: Plan the transition with clear milestones and minimal disruption to operations.
  3. Use Available Resources: Sangoma offers extensive support to ensure your switch is as smooth as possible.

  Secure and Enhance Your Communications with Sangoma’s Switchvox
  Don’t wait for the inevitable system failure to decide. Take action now, and step confidently into a future where your communications infrastructure is secure, scalable, and supported.

  Ready to make the switch? Learn more about how Sangoma’s Switchvox can transform your business communications today.

  The post Delivering a One-two Punch to NEC’s Departure from the On-premises PBX Market appeared first on Sangoma Technologies.

May 01, 2024

• Digium Why Choose On-Premises Solutions In a Cloud-Dominated Era?

  As of 2023, a significant portion of businesses still rely on on-premises systems. While the specific percentage of businesses using on-premises UC solutions is not detailed in recent reports, it’s evident that both on-premises and cloud solutions continue to coexist, with each offering distinct advantages depending on organizational needs and priorities.

  The unified communications market is significant, with a projected value of USD 145.58 billion in 2024, growing at a compound annual growth rate (CAGR) of 27.80% to potentially reach USD 496.30 billion by 2029. This growth reflects the ongoing evolution and adaptation of UC systems to meet the changing demands of businesses globally, including those that prefer the control and security provided by on-premises solutions​ (Mordor Intel)​.

  For businesses considering UC systems, it’s crucial to weigh the trade-offs between flexibility, scalability, and control.

  Why Stick with On-Premises Solutions?

  On-premises systems offer several distinct advantages that are vital for certain businesses:

  • Cost Efficiency: Many of our clients appreciate the capital expenditure model of on-premises solutions, which often leads to lower operational expenses over time. By amortizing the initial costs, businesses find that on-premises systems can be more economical in the long run compared to recurring cloud service fees.
  • Administrative Control: On-premises systems put your IT staff in the driver’s seat, offering unparalleled control over your unified communications (UC) environment. This autonomy is crucial for businesses that prefer hands-on management of their communications infrastructure.
  • Leverage Existing Infrastructure: Unlike many cloud solutions that require new hardware, on-premises systems like Switchvox allow you to utilize existing telephony equipment. This capability can significantly reduce upfront costs and streamline the transition.
  • Compliance and Security: For organizations with strict regulatory requirements, an on-premises solution can simplify compliance by keeping data management within your control.
  • Optimal Performance: Businesses located in areas with unreliable internet access find that on-premises systems provide more stable and consistent performance, essential for effective communication.

  Switchvox On-Premises

  Switchvox on-premises solutions are not just an alternative to cloud systems; they are a gateway to tapping into a vast market that values reliability, control, and performance. Switchvox offers:

  • Flexible Deployment Options: Whether fully on-premises or virtualized, Switchvox provides the flexibility to choose the best setup for your business needs.
  • Transparent Pricing: With no hidden costs, Switchvox presents a straightforward and predictable pricing model.
  • Customizable Solutions: Tailor your UC system with a suite of customizable options to meet your specific business requirements.
  • Integrated Hardware: Enjoy a seamless experience with fully integrated phones and headsets, designed for peak performance and ease of use.
  • End-to-End Support: Benefit from comprehensive support covering everything from installation to ongoing maintenance, all provided by a single trusted vendor.

  

  Building Lifetime Customer Relationships

  Choosing Switchvox means more than just purchasing a phone system—it’s about building a partnership that grows with your business. Our solutions are designed not only to meet today’s needs but also to anticipate future requirements, ensuring that you remain at the forefront of a cloud-first world.

  Discover why Switchvox is the preferred choice for businesses that demand robust, flexible, and cost-effective on-premises communications solutions. Learn more about Switchvox today!

  The post Why Choose On-Premises Solutions In a Cloud-Dominated Era? appeared first on Sangoma Technologies.

April 30, 2024

• Enable Security April 2024: Kamailio security, Mitel, sngrep and Grandstream vulnerabilities and more
  Welcome to the April edition of the VoIP and WebRTC security monthly newsletter. In this edition, we cover: Kamailio World 2024 review Our short and longer presentation on insecure Kamailio configuration patterns Changes to the newsletter Updates to T-Pot honeypot, sngrep security fixes, Mitel IP Phone vulnerabilities New security course on WebRTC by BlogGeek.me And some more! RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

April 23, 2024

• Jitsi Improving performance on very large calls: introducing SSRC rewriting

  In the last stable release, Jitsi enabled a new feature called SSRC rewriting that improves the system performance for very large calls. This feature helps reduce the overall load on the system by reducing the number of signaling messages that get exchanged during a large call involving hundreds of endpoints. It also reduces the load on the local endpoint drastically by restricting the number of audio and video decoders created by the WebRTC engine thereby offering a better user experience for large calls.

  When this feature is enabled, only a fixed set (let’s say up to 50) of SSRCs are signaled to the downstream endpoints in the call irrespective of the call size. An SSRC is nothing but a unique ID used for identifying a stream of RTP packets that belong to an audio or a video source. When additional media sources are requested by the receiver, the Jitsi Videobridge (JVB) overwrites the SSRCs of the newly requested media streams with that of the ones that were already signaled to the client before and are no longer needed. Therefore, no more than 50 SSRCs need to be signaled to the endpoints even if the number of media sources that will be routed in total far exceeds the set limit.

  

  Moving on to the why – what is the problem that we were trying to solve by implementing SSRC rewriting?

  The challenges that we faced when adding support for very large calls with respect to source signaling with the existing approach of signaling every new source to every other participant in the call were two fold.

  At the client level, the number of m-lines in the SDP grew linearly with every remote source that got added to the call irrespective of whether media for that particular source gets routed to the endpoint or not. When a new m-line with SSRC is added to the remote SDP, the libwebrtc engine creates a transceiver and does all the plumbing necessary to decode a media stream with the given SSRC if and when it starts receiving it from the JVB. This tied up resources on the local endpoint unnecessarily and introduced delays in renegotiation cycles which resulted in unpleasant user experience. The client can also hit transceiver and SDP parser limits imposed by the browser resulting in unexpected behaviors. These performance issues are more pronounced on mobile endpoints which have fewer resources to begin with compared to the endpoints running on desktops.

  On the backend, as the number of participants grew, so did the number of audio and video sources that needed to be signaled to every other participant in the call. This made the signaling traffic from prosody (XMPP communication server) to the endpoints grow quadratically. This was a problem, because Prosody, which is single-threaded, was already the bottleneck when scaling calls. Previously we had to introduce artificial delays in signaling in order to reduce the load. This caused long delays for the media to be established across participants when they unmuted their audio or video for the first time and was very disruptive to large meetings.

  The solution to both of these problems was to switch to a demand based signaling mechanism where only a limited number of remote audio and video tracks are signaled to the endpoints depending on what is being needed or requested by them in real time instead of signaling all the known media sources in the call as and when they get added to the call.

  Implementation in Jitsi Videobridge

  Jitsi Videobridge (JVB) uses a slightly different approach for audio and for video when determining what sources to forward. Forwarding decisions for audio are based simply on the “loudness” of the streams determined from the audio level RTP extension.

  With SSRC rewriting, JVB uses a separate SSRC space for each receiver. It maintains a map from an SSRC number to the name of a source. Changes to the map are signaled to the receiver over the direct signaling channel (a WebRTC DataChannel over SCTP), using partial updates:

  [modules/RTC/BridgeChannel.js] <e.onmessage>:  Received AudioSourcesMap: [{"source":"fc63db0f-a0","owner":"fc63db0f","ssrc":2602882473},{"source":"449360a0-a0","owner":"449360a0","ssrc":1358697798}]
  [modules/RTC/BridgeChannel.js] <e.onmessage>:  Received VideoSourcesMap: [{"source":"e01f2103-v0","owner":"e01f2103","ssrc":3129389873,"rtx":3219602897,"videoType":"CAMERA"},{"source":"9ac8fef2-v0","owner":"9ac8fef2","ssrc":1542056973,"rtx":1571329554,"videoType":"CAMERA"},{"source":"ed6b60f5-v0","owner":"ed6b60f5","ssrc":550523896,"rtx":2808127984,"videoType":"CAMERA"}]

  When a new stream needs to be forwarded, it is allocated an SSRC. Before the limit is reached, JVB simply generates a new SSRC number, and when the limit has been reached the oldest entry is reused. Let’s look at an example to make this more clear. Assume the limit is set to just 3, and the available sources are A, B, C, D, E. Initially the map is empty. When A starts sending packets, we allocate SSRC 101 to it and signal it to the receiver like this:

  AudioSourcesMap: [{"source":"A","owner":"endpoint-A","ssrc":101}]

  Similarly when B and C start to speak we allocate SSRCs 102 and 103 for them:

  AudioSourcesMap: [{"source":"B","owner":"endpoint-B","ssrc":102}]

  AudioSourcesMap: [{"source":"C","owner":"endpoint-C","ssrc":103}]

  Now we have reached the limit of 3 SSRCs. When D starts to speak, we’ll find the source in the map that has been active least recently (let’s say that’s B) and re-use its SSRC for D. We’ll signal an update (“SSRC 102 now belongs to D”):

  AudioSourcesMap: [{"source":"D","owner":"endpoint-D","ssrc":102}]

  The scheme is identical for video, except the forwarding decisions are made in a different way. Receivers explicitly signal their preferences using video constraints. The source names and their mute status are published in presence when an endpoint signals its source information to the Jitsi Conference Focus (Jicofo) and therefore this information is already available with all the other endpoints in the call. Based on the current layout in the UI and the user’s preferences, the client sends the updated receiver video constraints over the bridge channel.

  A bandwidth allocation algorithm in the JVB then decides which streams to forward to a particular receiver, based on its constraints and current network conditions:

  [modules/RTC/BridgeChannel.js] <Fa.sendReceiverVideoConstraintsMessage>:  Sending ReceiverVideoConstraints with {"constraints":{"ed6b60f5-v0":{"maxHeight":360},"e01f2103-v0":{"maxHeight":360},"9ac8fef2-v0":{"maxHeight":360}},"defaultConstraints":{"maxHeight":0},"lastN":-1,"onStageSources":[],"selectedSources":[]}

  Implementation on the receiver side in the client

  On receiving an update to one of the maps (audio or video), the client adds the signaled SSRCs to the remote description on the peerconnection. The browser then fires a track event for each of the SSRCs, the corresponding remote tracks are then added to the HTMLElements associated with the remote user.

  So when the audio packets with this SSRC arrive, the browser starts decoding the media and plays it through the selected audio output device. If the SSRC is already in use (i.e. the limit on the bridge has been reached) the client updates the owner of the associated track so that it gets attached to the corresponding HTMLAudioElement and the audio switches over to the new speaker seamlessly.

  The video track creation process is the same as that of the audio tracks as described above. The client application needs to update the track’s owner whenever there is an updated source map involving the SSRC that is assigned to the track and re-attach it to the corresponding HTMLVideoElement so that the correct video stream is rendered in the remote participant’s viewport.

  Challenges

  But wait, re-using an SSRC like this is okay for audio because the streams simply get mixed before playback, but what about video, how do we avoid video content being rendered in the wrong viewport when signaling and media race? That’s the elegance of this approach, we simply use a large enough limit (larger than the maximum number of streams forwarded at any one time) and the occurrence becomes extremely unlikely. If the limit is larger by K, then K new forwarding decisions must be made before the signaling arrives at the receiver for the problem to happen.

  So how do we choose the limits? We have the constraint just mentioned, but also an interesting trade-off. If the limit is too high we’re using unnecessary resources at the receivers. But if the limit is too low, we’ll be signaling updates more often. We have chosen to set the limits to 50 by default. That’s 50 for audio and 50 for video, which is well above the maximum of 25 tiles that we display at any time.

  When SSRC rewriting is enabled, the number of source signaling messages can increase drastically based on the SSRC limits set for the conference and the total number of participants in the call. Imagine a call with 100 participants where everyone has their video on; UI shows a grid of 25 participants and the SSRC limit is set to 25. Whenever the user scrolls to the next grid of 25 participants, existing SSRCs get remapped. This happens everytime the user scrolls back and forth. This results in a lot of signaling messages over the bridge channel. What if the websocket connection for the bridge channel is down at this time? This would result in videos not being rendered or audio from new dominant speakers not being heard which can be very disruptive to meetings. All the sources are signaled immediately after the websocket connection reforms but even minimal disruptions to audio can be very annoying.

  To mitigate these issues, Jitsi client switches to using WebRTC’s SCTP data channel for establishing the bridge channel instead of using a websocket. This ensures that the bridge channel is up and running all the time as long as the media connection between the client and the JVB is up. This results in minimal or no disruptions to the signaling messages from the JVB to the downstream endpoints.

  Current status of the feature

  This feature has been well tested and has been running on meet.jit.si for the past few months now, with limits set to 50. We also enabled it by default in our last stable release of the Debian packages and Docker images. We will be releasing it soon to all our production deployments in the next few releases pending investigation into some SCTP crashes that we are seeing in the JVB .

  Your personal meetings team.

  The post Improving performance on very large calls: introducing SSRC rewriting appeared first on Jitsi.

April 19, 2024

• Digium Navigating the Future with Confidence: The Strategic Imperative of On-Premises UC Solutions

  In a digital age where the Unified Communications (UC) landscape is rapidly expanding, On-Premises UC solutions stand out as the bedrock for businesses aiming to secure, customize, and control their communication infrastructures. With the UC market projected to swell to USD 145.58 billion by 2024 and further grow to an impressive USD 496.30 billion by 2029​ (Mordor Intelli)​, it’s clear that businesses are investing heavily in communication technologies that not only meet their current needs but also future-proof their operations.

  Enhanced Security with On-Premises UC

  In the quest for ironclad security, On-Premises UC solutions emerge as the champions. The ability to manage data on local servers provides businesses with direct oversight of their security measures. This is especially critical in industries where the margin for error is non-existent. By opting for On-Premises solutions, organizations can tailor their security protocols to their specific needs, ensuring that their communications are shielded against external threats.

  Compliance Without Compromise

  Navigating the labyrinth of regulatory compliance is a formidable challenge for any business. On-Premises UC solutions offer a framework that ensures data management and storage practices are in strict alignment with industry standards. This not only offers peace of mind but also fortifies legal protection, ensuring that businesses stay on the right side of regulations.

  The Need for Speed: Performance Advantages

  In a world where time is of the essence, the performance advantages of On-Premises UC solutions cannot be overstated. With the global UC market set to reach USD 167.1 billion by 2025​​, it’s evident that businesses are seeking solutions that promise not just functionality but also high-speed data processing with minimal latency. On-Premises servers deliver on this front, offering the agility and efficiency that businesses require to stay ahead.

  Check out how this customer benefits from Sangoma’s Switchvox On-Premises UC solution

  Supremacy Over Data: Complete Control

  The control that comes with On-Premises UC solutions is unparalleled. Businesses not only decide where their data resides but also who has access to it. This level of autonomy is crucial in today’s environment, where data is both a valuable asset and a potential liability. On-Premises solutions offer the traceability and governance needed to manage data with precision.

  Tailored for Success: Customization and Flexibility

  The one-size-fits-all approach is a relic of the past. Today, businesses demand solutions that can be customized to fit their unique needs. On-Premises UC solutions provide this flexibility, allowing companies to create a communication ecosystem that aligns with their operational goals. This level of customization ensures that businesses aren’t just communicating; they’re doing so in a way that enhances their operational efficiency and market competitiveness.

  Looking Ahead: The Road to 2029

  The trajectory of the UC market suggests a landscape ripe with opportunities and challenges. The substantial growth forecasted for the UC market indicates a surge in demand for robust communication solutions​ (Mordor Intelli)​. On-Premises UC solutions, with their unique blend of security, control, and customization, are well-positioned to meet these demands.

  If you are in the market to include or upgrade your On-Premises solution, Sangoma’s Switchvox delivers an all-in-one solution – all features included and easily customized for your business needs. It comes in various appliance platforms and virtual machine options for VMware and Hyper-V.

  Learn more about our all-in-one, fully featured On-Premises UC!

  The post Navigating the Future with Confidence: The Strategic Imperative of On-Premises UC Solutions appeared first on Sangoma Technologies.

April 02, 2024

• Digium Switchvox On-Premises: Alive & Well

  The rumor mill started churning when cloud-based solutions began gaining prominence. These solutions offer scalable, flexible alternatives to traditional on-premises setups. As more companies migrated to the cloud, a narrative emerged suggesting that on-premises solutions like Switchvox were becoming obsolete. Though popular, this view only captures part of the picture.

  The Reality of Switchvox On-Premises

  Switchvox On-Premises remains a robust, feature-rich Unified Communications (UC) solution designed to meet businesses’ diverse needs. Far from dead, it continues receiving updates, support, and enhancements, ensuring its competitiveness and relevance.

  Sangoma Technologies, known for its commitment to cloud and on-premises communication solutions, continues to invest in Switchvox On-Premises.

  The Benefits of On-Premises Solutions

  While cloud-based systems offer benefits like ease of scalability and reduced physical infrastructure, on-premises solutions have their own set of advantages that make them indispensable for certain businesses:

  • Control and Customization: On-premises systems allow organizations to completely control and customize their UC environment to meet specific operational requirements.
  • Security and Compliance: For industries subject to stringent data protection regulations, on-premises solutions offer enhanced security and compliance capabilities, as sensitive information remains within the company’s controlled infrastructure.
  • Performance and Reliability: Businesses with demanding performance needs or those in areas with unreliable internet access find on-premises solutions more reliable, as they don’t rely on external networks for critical communications.

  The Role of Switchvox On-Premises in Hybrid Environments

  As businesses seek to balance the benefits of cloud and on-premises solutions, hybrid models have emerged as a compelling option. Switchvox On-Premises plays a crucial role in these environments, offering a bridge that allows companies to leverage the strengths of both approaches. Integrating with cloud services is beneficial while maintaining core systems on-premises, allowing businesses to achieve optimal flexibility and efficiency.

  The Differentiation of Switchvox On-Premise

  Switchvox is a fully-featured VoIP phone system deployed on-premises that the Sangoma endpoint devices can complement.

  • Save Money: Includes all features, offering flexible deployment options, fewer add-on fees, and simplified pricing, making it the best value in UC.
  • Enhances Your Customer’s Experience: Includes fully-featured call center tools, such as customizable call-flows, agent and supervisor controls, call recording and analytics, improving efficiency, productivity, and customer and agent experience.
  • Easy to Manage: Managed from anywhere via its intuitive point-and-click interface, reducing the need for extensive training.

  Switchvox Functionality

  • Integration with Sangoma SIP trunking services
  • Customizable Call Control
  • Voicemail/Messaging
  • Desktop and mobile soft-client Collaboration, including voice, messaging, video conferencing, and screen sharing
  • Up to 1000 phones and 200 concurrent calls
  • Sangoma branded Desk phones, headsets, DECT phones
  • CRM Integration

  While the telecommunications sector increasingly embraces cloud technologies, this doesn’t equate to the extinction of on-premises solutions. Instead, we’re witnessing an evolution of the market where different deployment models coexist, each serving the unique needs of diverse business landscapes.

  On-premises systems have a distinct and enduring role in a world that prizes customization, security, control, and flexibility to adapt to changing needs. Far from fading into obsolescence, Switchvox On-Premises is evolving, ready to meet the challenges of the modern business environment head-on.

  Get started with Switchvox today and request a demo!

  The post Switchvox On-Premises: Alive & Well appeared first on Sangoma Technologies.

March 28, 2024

• Enable Security March 2024: Webex leak, WhatsApp and Apple WebRTC vulnerabilities
  Welcome to the end of March, and this month’s edition of the RTCSec Newsletter. This one’s a short one. In this edition, we cover: German military phone call leak and Webex WhatsApp’s past VoIP stack vulnerabilities and preventing future exploits Security fixes in Apple’s WebRTC framework and baresip WebRTC podcast covers security with Tsahi Levent-Levi RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.
• Jitsi Jitsi + Moodle, with a dash of JaaS

  So you want to have live meetings in Moodle courses. Well, as it turns out, this is quite an easy feat. Thanks to the wonderful work done by UDIMA (Universidad a Distancia de Madrid), you can use their Jitsi Moodle Plugin.

  If your use-case doesn’t go beyond 25 monthly individual endpoints, you might want to opt for the JaaS Dev offering which is completely free. For users requiring more than 25 monthly endpoints or desiring premium features like transcriptions, dial-in, recordings or RTMP streaming, there are two options:

  1. Add a credit card for overages, paying extra costs as needed, without any discounts.

  2. Sign up for alternative plans offering an initial discount of 80% off for the first three months of JaaS usage.

  To benefit of the 80% discount you need to use the MOODLE23 JaaS Coupon. The coupon expires on September 2024.

  Setting up the Jitsi Moodle Plugin

  Before starting the configuration process, you need to download and install the latest Jitsi Moodle Plugin in your Moodle instance and create a JaaS account.

  Right off the bat, the plugin tries to use the freely accessible meet.jit.si instance as the backend. This is only going to work for the first five minutes due to the changes announced here. This should be more than enough if you only want to give it a try.

  Once you have created your JaaS Account, here are the steps to configure the plugin:

  Go to the JaaS API Keys section and create a new key pair. Name it something meaningful. Download the private key and store it somewhere safe.

  

  Open the Moodle Jitsi plugin settings and change the values as follows:

  – Domain: `8×8.vc`

  – Server type: pick `8×8 Servers`

  – App_ID: copy it from the JaaS Console API Keys page, i.e. `vpaas-magic-cookie-xxxxx`

  – Api Key ID: copy it from the keys table in the same page, it should be something like `vpaas-magic-cookie-xxxxx/somehex`

  – Private key: the contents of the private key you just downloaded from JaaS Console

  – Make sure to leave the ID User (jitsi_id) dropdown to Username, the default

  

   

  With just a few steps, you’ll now have a complete communication solution right within Moodle!

  Your personal meetings team.

  The post Jitsi + Moodle, with a dash of JaaS appeared first on Jitsi.

March 26, 2024

• Digium PCI Compliance: How the Sangoma P-Series Business Phone System Can Keep You Out of Jail

  There was a time when cash was king. Today, however, not so much.

  Paying over the phone for everything from fast food to a holiday abroad has become the norm for millions of consumers who prioritise modern convenience over traditional transacting.

  Protection from fraud is, of course, paramount, which is why strict rules exist. Phones used by businesses to take payments must be Payment Card Industry-compliant. They must feature ‘pause-and-resume’ functionality for use at the critical point that customers provide their payment card details. Also, all transactional calls and call recordings must be encrypted.

  Breaching these rules can lead to seriously big fines capable of dealing a catastrophic blow to profit and reputation. Ultimately, in the most extreme cases, non-compliance can even lead to jail!

  Next year, the rules change: an update to the Payment Card Industry Data Security Standard (PCI DDS) which beefs-up protection, but which also places new obligations on in-scope organisations. In a world in which technology plays a vital part in the way over-the-phone transactions occur, it is the perfect time for businesses and their Managed Service Providers to also change things up – upgrading desk and softphones that support that all-important compliance.

  Choose Sangoma’s award-nominated P-Series Desk and Softphone, and that-all important compliance also comes with a feature set that ensures the wider desk calling experience is rich and rewarding for both callers and agents. High-definition audio, unprecedented plug-and-play deployment, and advanced IP applications as standard that include voicemail, call log, contacts, phone status, user presence, call parking, and more. Big and bold, yet at the same time stylish and sleek, its ergonomic design leverages the beauty of angles, curves and corners to provide users with brilliant visibility of and access to its bright touchscreen display and lightweight receiver, regardless of where they sit or stand. The audio is crisp and clear, the management and compliance of calls is fast and effective, and overall satisfaction levels are high. For callers, that overall high-quality reflects favourably on the brands or organisations with which they interact.

  Importantly, the P-Series’ versatile compatibility with both PBX and cloud-based voice systems also means it can be deployed on different platforms in different spaces whilst maintaining an organisation’s look-and-feel. In addition, the P-Series is the only Desk Phone designed to be fully-compatible with Sangoma’s wider communications portfolio – further enhancing its value to Sangoma customers and enabling its commercial reseller partners to benefit from the efficiency and simplicity of stocking and supporting just one Sangoma phone product line. The P-Series brings yet more added value too. The rarest of combinations: it appeals to all types of user groups, at a price point that suits all types of budgets.

  For user organisations and their MSPs, we think that makes for a compelling offer all-round.

  The post PCI Compliance: How the Sangoma P-Series Business Phone System Can Keep You Out of Jail appeared first on Sangoma Technologies.

February 29, 2024

• Enable Security February 2024: manipulating audio using LLM, malware using CPaaS and WebRTC security
  Special day today, being a leap year! In other news, this month brought quite a bit of written content of interest to the VoIP and WebRTC security community, which we’re covering here: Generative AI on live audio conversations (sorry!) Vulnerabilities affecting Yealink, WebRTC and OpenScape Hardening WhatsApp’s VoIP library and new mobile malware using CPaaS WebRTC related security content courtesy of Staex, Mozilla and Fonoster FCC rules affecting VoIP providers and telcos RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

February 21, 2024

• Jitsi Google Summer of Code 2024

  We’re happy to announce that Jitsi will be participating in Google Summer of Code 2024!

  We have some very cool project ideas in the list for this year, and we’re still open to discussing new ones.

  You can also check out the official program website, the list of accepted organizations and the full program timeline.

  The next important date is March 18 when the contributor application period opens. In the meantime, please join me in welcoming the new contributors to our community!

   

  The post Google Summer of Code 2024 appeared first on Jitsi.

• Digium Powering Patient Touchpoints: Sangoma’s Cure for Communication Roadblocks

  In today’s healthcare landscape, the patient experience hinges on seamless communication. This is where Sangoma Technologies makes an indelible mark. With their unified communications as a service (UCaaS) portfolio, end-to-end solutions are crafted that enhance patient care, streamline processes, and reduce costs.

  Sangoma CX stands as a testament to this commitment, magnifying call-handling capabilities and more than doubling call volumes for healthcare providers, as evidenced by the transformation of the Healthcare Physicians Group. The robust reporting suite of Sangoma CX, coupled with its callback features, optimizes patient touchpoints, ensuring no call – and no patient – is left unanswered.

  Furthermore, Sangoma’s integrated suite of value-based Communications as a Service solutions allows care organizations of all sizes to maximize productivity. This means healthcare institutions can focus on what they do best – providing top-notch patient care – while Sangoma takes care of the rest.

  With the help of Sangoma Apps, outreach initiatives are taken to new heights. From online scheduling to automated reminders, every interaction is personalized, enhancing the patient experience at every turn. Video conferencing is a must for telemedicine, and Sangoma delivers a consistent and feature-rich experience for virtual consultations, becoming a partner to deliver exceptional patient care.

  The results speak for themselves. Hospitals, pharmacies, and labs report improved patient care and significant time savings in emergency handling – up to 50% in some cases. The future of healthcare communication is here, and it’s powered by Sangoma.

  Learn more about our solutions in the Sangoma Healthcare eBook.

  The post Powering Patient Touchpoints: Sangoma’s Cure for Communication Roadblocks appeared first on Sangoma Technologies.

February 20, 2024

• Digium More AI Features for Your Contact Center With Sangoma CX 7.5

  Building on the new, powerful AI features introduced to Sangoma CX already in 2024, our cloud contact center solution now expands its automation capabilities and adds other significant enhancements with our 7.5 release. The new version is even more capable, empowering agents, supervisors, and administrators in their day-to-day operations.

  New Features in CX 7.5

   

  • AI Assist: Agents can now leverage the amazing powers of OpenAI for generating content effortlessly in Digital Channels. Boost response times and improve overall customer service by getting reply suggestions, spelling and grammar fixes, changing message length or tone, and simplifying what you want to tell your customer.

  

  • Speech Analytics: Available as a queue configuration setting for CX Premium Users, the novel Speech Analytics feature processes audio recordings to automatically generate call transcriptions, summaries, and sentiment analysis. Call sentiment, which can be positive, negative, or neutral, is provided for both individual call parties and for the overall conversation. The analytics capabilities will help supervisors easily gather valuable insights from audio data to audit agent-customer interactions.

  

  • Queue Status Viewer: Agents can now view the status of all queues they are assigned to at a glance, regardless of whether they are logged in to that queue or not. Accessible directly from the Agent Panel, this feature allows agents to easily identify which queues require their attention based on caller volume, and to provide help where their presence is most needed at any given time.

  

  • Phone Book Import: Seamlessly add Contacts in bulk to the embedded Phone Book in CX by importing a CSV file in a predefined template format.

  

  • Stop call recording on transfers: By default, if call recording is enabled, audio conversations continue to be recorded even after being transferred. However, in certain cases you may need to stop recording, such as when sensitive information is involved, for instance, in the case of a transfer to a doctor’s office. Now, you have the option to halt call recording during transfers for compliance purposes.

   

  Release 7.5 also brings several other minor improvements, like the capability to export the Queue Annual report to a spreadsheet format, and a new simplified implementation for logging agent call flow for phone-only Agents, in simple call center setups. These improvements enhance the overall functionality and user experience for contact center administrators.

  If you have any questions, need a quote, or require assistance with these new features, please reach out to us.

  Stay tuned for updates on upcoming enhancements and exciting new features in Sangoma CX!

   

  Sincerely,

  The Sangoma Product Team

   

   

  Learn More

   

  Sangoma CX Release Notes

  Sangoma CX Knowledge Base

  Partner Release Kit

  The post More AI Features for Your Contact Center With Sangoma CX 7.5 appeared first on Sangoma Technologies.

February 15, 2024

• Digium 25 Years of Asterisk

  It’s hard to believe that Asterisk has been around for 25 years. It started in humble beginnings as a phone system for a fledgling company, only to grow and expand to become the purpose of that company itself eventually. While I was not there from the beginning, I was there from the fairly early days.

  Back then, it was the wild west. VoIP was still new. SIP was still new, and its problems had yet to be discovered. STIR/SHAKEN was in the minds of no one. The cost of calling people was still high (in comparison to what we pay today). Asterisk swiftly emerged onto the scene and became THE open source phone system. It disrupted the traditional phone system market and gave the power back to the users and deployers to do things the way they wanted at a price they could handle.

  As the industry evolved and expanded, Asterisk continued to do so as well. Thanks to the numerous contributions and the community around the project, it expanded in functionality and scope beyond what anyone could have envisioned. Its usage grew and grew in more clever and interesting ways. Every week, by helping individuals and talking to them, I find new ways that Asterisk is used. The flexibility of Asterisk means you are always surprised by what people are doing.

  This evolution and expansion continue to happen to this day. While Asterisk started as a phone system, it has also become a telephony toolkit. This has given users even more power and control, especially developers, allowing them to manifest ideas more rapidly in the communications space by providing easy-to-use and understandable interfaces. This is where a lot of the power in Asterisk is these days. This aspect is filled with endless possibilities and untapped potential.

  I want to thank everyone who has helped Asterisk get to this point. Those who have contributed code or ideas, filed issues, helped others on forums and other places, and spread the word of Asterisk itself. It’s been a wild 25 years, and we still have more to go. It’s not too late to join me and others on the journey through participating in the Asterisk project and community. You can find us on GitHub or the Community Forums. All help is welcome!

  As always, I enjoy sharing extra resources. If you’re intrigued by the history of Asterisk and other related topics, I invite you to check out the webinar I gave on the fascinating “Evolution of Asterisk”.

  The post 25 Years of Asterisk appeared first on Sangoma Technologies.

January 31, 2024

• Enable Security January 2024: Critical WebRTC, CUCM and SIP ALG security fixes - fuzz it all and disable stuff
  Fresh new year, fresh VoIP and WebRTC security news! Welcome to this newsletter, write back if you find it useful. In this edition, we cover: TLS key logs, Kamailio and security tools Chromium’s WebRTC vulnerability CVE-2023-7024 The usual warning about SIP ALG Critical vulnerabilities fixed in Cisco’s Unified Communications products RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

January 25, 2024

• Digium The Pulse Behind Modern Healthcare Communication

  The healthcare industry is characterized by a relentless pursuit for excellence. The quality of care service directly translates into a substantial impact in people’s lives. In the quest to deliver superior patient experiences, Sangoma solutions are at the forefront of this goal.

  For IT Professionals

  Connectivity, the lifeblood of seamless operations, is the top priority for the IT team. No more dropped calls or network reach loss. Instead, budget-friendly 5G broadband and satellite options can handle your internet connections, no matter when or where. Sangoma offers SD-WAN too, which boosts your network’s performance by tying together all your connections, making sure they’re always up and running, and offering top-notch security against threats. Make your backbone embody reliability and efficiency thanks to a fully-monitored network infrastructure that meets PCI compliance standards.

  For Care Staff

  Sangoma’s UCaaS features elevate this connectivity to embrace diversity and dynamism. Video conferencing, instant messaging, mobile applications, and team collaboration tools ensure that communication is not just continuous, but also multifaceted and hybrid-work friendly.

  For Patients

  The integrated contact center features of Sangoma serve as a catalyst for change. With true omnichannel features, you can deliver an exceptional customer experience and hear out your patients from their preferred method of speaking to you. Every interaction will help your patients feel valued and cared for.

  For Administrators

  HIPAA compliance is vital to preserve the sanctity of patient data. Trust in the safety of information is no longer a hope, but a guarantee.

  For Financial Officers

  Sangoma’s Managed Internet Services and Mobility Solutions offer superior communications at lower costs while expanding the talent pool. Secure internal collaboration, compliant documentation, cost-effective operations, and flexible solutions are no longer exceptions, but the norm.

  Keep the pulse of your healthcare institution steady and healthy with Sangoma, your one-stop-shop for modern technology solutions. Learn more in our Healthcare eBook.

  The post The Pulse Behind Modern Healthcare Communication appeared first on Sangoma Technologies.

January 12, 2024

• Digium Exciting Updates for Your Contact Center with Sangoma CX 7.4

   

  We are thrilled to share the latest improvements to our Sangoma CX platform in its newly released version 7.4. Focusing on customer service and reporting capabilities enhancements, these updates will make your contact center experience more efficient, intelligent, and data-driven. Let’s dive in!

   

  Omnichannel

  • Social Channel Support – We have widened our omnichannel support to incorporate additional social messaging channels – WhatsApp and Telegram – so your customers can connect to you directly, using the world’s most popular messaging applications.

  

  Telegram interaction – Agent side

  

  Telegram interaction – End-user side

  AI

  • Virtual Agent Assistant – Integrate a Google DialogFlow FAQ chatbot directly into your Agent Panel, allowing agents to quickly find the best answers to questions, without leaving their interface.
  • WebChat Chatbot – Easily connect with the Google DialogFlow Chatbot to automate WebChat conversations, helping you to provide a smoother and more efficient customer experience.

  

  Reports

  • In-Service Rework Detail – Keep track of customer interactions more effectively and conduct root cause analysis per caller ID with a comprehensive list of reworked phone numbers.
  • Call History – Improved access to specific call data is now available with a new Call History DID filter.

  • Normalize Report Filters – We have standardized filter options across reports and added an Active Queues Filter for consistency.
  • Smart Alerts – Be informed about critical pauses with Smart Alerts for Pause Codes.

  

  Automated Data Export

  The Automated Data Export now includes detailed information on Agent Hold times, Blind Transfer times and destinations, and an extended Queue Details container with a “Max Wait Time” setting for each queue.

  Agent

  • Enhanced Extension Selection Tool – The extension selection tool now matches the TeamHub look and feel, providing a consistent and user-friendly experience.
  • Queue Status Banner – Agents can now see call waiting times per queue, with the Queue Status banner displaying the waiting time of the longest-waiting call.

  

   

  We are committed to continually improving your experience with Sangoma CX, and we know you will find these latest enhancements invaluable to your business operations.

  For quotes, questions, or assistance with these new features, please reach out to us.

  Thank you again for choosing Sangoma CX for your Contact Center needs!

  Sincerely,

  The Sangoma Product Team

  References

  Sangoma CX Release Notes

  Sangoma CX and Google Dialogflow Configuration Guide

  Sangoma CX and WhatsApp Channel Configuration Guide

  Sangoma CX and Telegram Channel Configuration Guide

  Sangoma CX Agent User Guide

  Partners Only: CX 7.4 Release Kit

  The post Exciting Updates for Your Contact Center with Sangoma CX 7.4 appeared first on Sangoma Technologies.

December 22, 2023

• Enable Security December 2023: Round-up of this year's VoIP and WebRTC security news, and DTLS hello race flaw
  It’s the end of the year and if you are still reading your emails, make sure to read this one! Wish you all restful holidays and a happy New Year! In this edition, we cover: our community contributions for 2023 and our new security advisories the best and the worst of 2023 Asterisk and 3CX vulnerabilities and a few more news items but not that much this time! RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

December 21, 2023

• Jitsi Custom meeting controls with Elgato Stream Deck and WebHID

  With the holidays just around the corner we thought it would be a cool to show a perhaps non-conventional use of the Elgato StreamDeck, a gadget I recently acquired that would make a great gift!

  The Elgato Stream Deck is a programmable hardware device that allows users to automate virtually any task with the press of a button. It has been around for a while but not too long ago I was at the RTC.ON conference chatting with my buddy Dan Jenkins when he told me there was a library to control these devices using WebHID. I instantly bought one (no, this is not a sponsored post).

  The idea here is to use the Jitsi iframe API (you can start using it right away with a free JaaS account!) to map custom meeting controls on your own Stream Deck. Our iframe API provides a bunch of events and commands to interact with the meeting  and the WebHID library allows us to program each key individually, inluding the icon on each of the buttons, which is actually a tiny display!

  

  Here is a video demonstrating the integration:

  Cool, right! The potential for contextual controls for specific applications right from your browser is virtually boundless, what a time to be working on the Web Platform.

  The source code can be found here. It works with 6 buttons by default (the Stream Deck Mini) but it’s easy to adapt to other models.

  Have fun and happy holidays!

  Your personal meetings team.

  The post Custom meeting controls with Elgato Stream Deck and WebHID appeared first on Jitsi.

November 30, 2023

• Enable Security November 2023: Advisories for VoIP systems and devices, WebRTC privacy and spying on your calls
  Welcome to the November edition of your favorite IP Communications Security Newsletter! In this edition, we cover: Asterisk fixing a PPE in their Github Cyber-criminals listening on telecommunications systems to learn how they were caught ARM’s MTE is going to protect your smartphones - Google Project Zero’s blog post about it Privacy and security of video conferencing on WebRTC LIVE And much more! RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

October 26, 2023

• Enable Security October 2023: security theatre and PBX hacking, plus last month's advisories
  It’s the moment you’ve eagerly anticipated, that special time of the month. Yes, end of the month means salary time for many, and Halloween - but also - your favorite newsletter is out and about! In this edition, we cover: A presentation by good pseudonym at DEF CON about PBX and UC hacking The drama that ensued with regards to FreePBX vulnerabilities How our customers are enjoying access to the Attack Platform Security fixes in WebRTC and Skype for business Short news including MiTM attacks on XMPP, monthly vulnerability fixes and much more!

October 01, 2023

• François Marier Connecting a VoIP phone directly to an Asterisk server

  On my Asterisk server, I happen to have two on-board ethernet boards. Since I only used one of these, I decided to move my VoIP phone from the local network switch to being connected directly to the Asterisk server.

  The main advantage is that this phone, running proprietary software of unknown quality, is no longer available on my general home network. Most importantly though, it no longer has access to the Internet, without my having to firewall it manually.

  Here's how I configured everything.

  Private network configuration

  On the server, I started by giving the second network interface a static IP address in /etc/network/interfaces:

  auto eth1
  iface eth1 inet static
      address 192.168.2.2
      netmask 255.255.255.0
  

  On the VoIP phone itself, I set the static IP address to 192.168.2.3 and the DNS server to 192.168.2.2. I then updated the SIP registrar IP address to 192.168.2.2.

  The DNS server actually refers to an unbound daemon running on the Asterisk server. The only configuration change I had to make was to listen on the second interface and allow the VoIP phone in:

  server:
      interface: 127.0.0.1
      interface: 192.168.2.2
      access-control: 0.0.0.0/0 refuse
      access-control: 127.0.0.1/32 allow
      access-control: 192.168.2.3/32 allow
  

  Finally, I opened the right ports on the server's firewall in /etc/network/iptables.up.rules:

  -A INPUT -s 192.168.2.3/32 -p udp --dport 5060 -j ACCEPT
  -A INPUT -s 192.168.2.3/32 -p tcp --dport 5060 -j ACCEPT
  -A INPUT -s 192.168.2.3/32 -p udp --dport 10000:20000 -j ACCEPT
  

  Network time synchronization

  In order for the phone to update its clock automatically using NTP, I installed chrony on the Asterisk server:

  apt install chrony
  

  then I configured it to listen on the private network interface and allow access from the VoIP phone by adding the following to /etc/chrony/conf.d/asterisk-local.conf:

  bindaddress 192.168.2.2
  allow 192.168.2.3
  

  Finally, I opened the right firewall port by adding a new rule to /etc/network/iptables.up.rules:

  -A INPUT -s 192.168.2.3 -p udp --dport 123 -j ACCEPT
  

  Accessing the admin page

  Now that the VoIP phone is no longer available on the local network, it's not possible to access its admin page. That's a good thing from a security point of view, but it's somewhat inconvenient.

  Therefore I put the following in my ~/.ssh/config to make the admin page available on http://localhost:8081 after I connect to the Asterisk server via ssh:

  Host asterisk
      LocalForward localhost:8081 192.168.2.3:80
  

  Allowing calls between local SIP devices

  Because this local device is not connected to the local network (192.168.1.0/24), it's unable to negotiate a direct media connection to any other local (i.e. one connected to the same Asterisk server) SIP device. What this means is that while calls might get connected successfully, by default, there will not be any audio in a call.

  In order for the two local SIP devices to be able to hear one another, we must enforce that all media be routed via Asterisk instead of going directly from one device to the other. This can be done using the directmedia directive (formerly canreinvite) in sip.conf:

  [1234]
  directmedia=no
  

  where 1234 is the extension of the phone.

September 29, 2023

• Enable Security September 2023: Security advisories, SIP & DTLS-SRTP interoperability and 5G infra attacks
  Welcome to the September edition of the VoIP and WebRTC security newsletter, RTCSec news! In this edition, we cover: our news, including the WebRTC & Video Delivery presentation we gave at CommCon, OpenSIPIt and our Attack Platform security fixes in FreeSWITCH, OpenScape, Stormshield and DLINK phones GPRS Tunneling Protocol user-plane (GTP-U) abuse, Signal upgraded for quantum computing and SBOMs RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

August 31, 2023

• Enable Security August 2023: Join OpenSIPit, learn about Zoom, Skype vulnerabilities, and more
  Hope you had some lovely holidays in August! And if not, what are you waiting for? This month we’re keeping the short news section and inviting people to participate in the upcoming edition of OpenSIPit! In this edition, we cover: our latest news and how to keep us in business Android security - 2G and VoLTE Zoom and AudioCodes vulnerabilities revealed at Blackhat Skype IP leak and how this is more common in RTC than assumed Memory corruption in Qualcomm chipsets handling VoLTE EVS audio (CVE-2022-40510) RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

August 22, 2023

• Jitsi Authentication on meet.jit.si

  What’s going on?

  Starting on August 24th, we will no longer support the anonymous creation of rooms on meet.jit.si, and will require the use of an account (we will be supporting Google, GitHub and Facebook for starters but may modify the list later on). This is a first for us, so users may encounter a few bumps here and there as we are tweaking the experience to make sure there is as little friction as possible on the way into a meeting. 

  Why make a change?

  When we started the service back in 2013, our goal was to offer a meeting experience with as little friction and as much privacy as possible. We felt and still feel that both of these goals are very important and one of the main reasons that justified the existence of “yet another meeting service.” We wanted people to be able to converse easily and freely, without fear of expressing their views and opinions.

  Our “one tap and you’re in” experience was a big part of our strategy to eliminate friction. We didn’t want people to have to worry about “creating” meetings in advance, remembering passwords, codes or long complicated sequences of numbers for a meeting ID. We wanted users to be able to think of a name and just go there. Through the years we’ve had to compromise on this a little bit. We ended up introducing a pre-meeting device check screen. We felt that checking your camera and microphone before you entered a room could save everyone some hassle so it was worth the pause. 

  As for privacy, we previously made sure all communication was always encrypted and we retained no data beyond what is necessary to actually provide a decent meeting service. 

  Offering the possibility to anonymously use the service felt like a good way to help with both its privacy and the usability.

  Our commitment to both goals remains as strong as ever but anonymity is no longer going to be one of the tools we use to achieve them.

  Earlier this year we saw an increase in the number of reports we received about some people using our service in ways that we cannot tolerate. To be more clear, this was not about some people merely saying things that others disliked. 

  Over the past several months we tried multiple strategies in order to end the violations of our terms of service. However in the end, we determined that requiring authentication was a necessary step to continue operating meet.jit.si.

  How does this impact user privacy on meet.jit.si? 

  It is a good time to have a look at our privacy terms. 8×8 will now store the account responsible for creating rooms. Aside from the changes to our privacy terms referenced above, there is no other change to our meetings. We are still very much committed to holding user privacy in the highest regard and we still have no tools that would allow us to compromise the privacy of the actual audio or video content of a meeting, nor do we intend to create any.

  That said, it is completely understandable that some users may feel uncomfortable using an account to access the service. For such cases we strongly recommend hosting your own deployment of Jitsi Meet. We spend a lot of effort to keep that a very simple process and this has always been the mode of use that gives people the highest degree of privacy.

  If you see content that violates the jit.si terms of service you can always report it.

  That’s all we’ve got for now!

  The Jitsi Team

  The post Authentication on meet.jit.si appeared first on Jitsi.

August 03, 2023

• Jitsi Introducing the Jitsi Meet Flutter SDK

  Flutter‘s initial release occurred in 2017, the same year as the introduction of our mobile apps and mobile SDKs. For those who are unfamiliar with it, Flutter is one of the most popular frameworks for developing cross-platform applications.

  Now a few years after their first release, we are thrilled to announce that our mobile SDKs and Flutter cross paths as the Jitsi Meet Flutter SDK. Yes that’s right, after multiple requests, an official Jitsi Meet Plugin for Flutter is now available.

  As of now, our family of mobile SDKs is more complete than ever.

  Android and iOS are supported, of course. The plugin serves as a wrapper for the iOS and Android SDKs, on top of which a Flutter API was created with functionality similar to those found in native APIs.

  Add Jitsi Meet to your Flutter app

  The plugin is available on pub.dev under the jitsi_meet_flutter_sdk name. Discover it there, follow the instructions, and you’ll be able to utilize the API to the fullest extent.

  Here is a sneak peek of how simple it is to add a meeting to a fresh page.

  

  Here is how that looks like:

  

  In your own Flutter app, you’ll have the same view as the one from the Jitsi Meet mobile apps, with just a few additional lines of code, amazing, right?

  Have a look at the sample apps

  We developed two apps using the Jitsi Meet Flutter SDK, one of which is the example app in the plugin repository and primarily acts as a tester app by displaying the majority of the plugin’s features in the user interface, and the other of which is an official sample app in the repository that contains all of our samples for all mobile SDKs and is just a straightforward example of integrating Jitsi Meet.

  Flutter is new to us, and we hope this new SDK will make it easier for our users and JaaS customers to embed video meetings into their existing Flutter apps we agerly await your feedback!

  Your personal meetings team.

  ---

  Author: Gabriel Borlea

  The post Introducing the Jitsi Meet Flutter SDK appeared first on Jitsi.

July 28, 2023

• Enable Security July 2023: VoIP and WebRTC attack surface, pentesting for 2023 and VoIP DDoS attacks
  Welcome to the July edition of the RTC security newsletter! For this month, we brought back the short news section making this edition a bit shorter than usual. Do you prefer the longer form or is this more to your liking? In this edition, we cover: Our own recent presentation about the VoIP and WebRTC application attack surface Booking us for your pentest this year and our involvement with the upcoming OpenSIPIt DDoS threat report and VoIP SentryPeer news, STIR/SHAKEN problems and malware using RTC!

July 20, 2023

• Jitsi Introducing the Jitsi Meet React Native SDK

  Ever since we introduced our mobile apps to the world back in 2017 they have been backed by React Native.

  Using React Native allowed us to reach feature parity quickly since all logic is shared between our web and mobile codebases, because they are not 2 different things, it’s a single codebase

  Later that year, we released our native mobile SDKs to the world. These SDKs werer a thin wrapper over our React Native application, so our users could embed the entire meeting experience into their own mobile apps, with little effort.

  This has been our guiding priciple since the inception of the iframe API: to privide a high-level and fully-featured component that can be integrated into other apps.

  Today we are taking another step in our mobile jouney by releasing a React Native SDK.

  What does this mean? Before today if you had a React Native application we provided you with no way for embedding Jitsi Meet. Now we do!

  As mentioned above, our mobile apps are built using React Native and over time we received a number of requests from our community and customers to have an actual React Native SDK. We finally managed to expose it as a React Native library. It’s not that we didn’t have it in the back of our minds, but we focused on native first to cater the needs of our internal consumers.

  Exposing a React Native app as a component seems easy on the surface, but being so complex and having so many dependencies made it a lot harder han we had thought. Fortunately, this all changed thanks to Google Summer of Code. We were fortunate to have Filip Rejmus take on the project and kickstart it. After his amazing work, we took over and added the final touches and now it’s available on npm.

  How can I start using it?

  First go and grab our package from npm and follow the setup instructions.

  In the screenshot below you can see how easy it is to integrate and enable different meeting options into your app, by simply importing the JitsiMeeting component and adding it to your code:

  

  You will have access to the same features as the Jitsi Meet app.

  

  Test the sample app!

  We created a sample app which integrates our brand new SDK together with react-native-navigation, check it out!

  This new SDK will make it easier for our users and JaaS customers to embed video meetings into their existing React Native apps, we agerly await your feedback!

  Your personal meetings team.

  ---

  Author: Calin Chitu

  The post Introducing the Jitsi Meet React Native SDK appeared first on Jitsi.

June 30, 2023

• Enable Security June 2023: Talks on VoIP security, WebRTC server-side attacks and WISH/WHIP
  It is finally conference season and so this newsletter covers 3 different events focused on RTC and opensource communications as well as the latest and greatest security fixes related to VoIP and WebRTC. In this edition, we cover: Kamailio World, CommCon and OpenSIPS summit presentations of interest Our own work especially on WebRTC and WISH (WHIP) security More open SIP relay attacks in the wild DDoS, botnets and VoIP RTC vulnerabilities and fixes in MacOS, iOS, WebRTC and more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

May 31, 2023

• Enable Security May 2023: RTC conferences, advisories for Cisco, Mitel, sofia-sip
  Welcome to the May edition of the monthly VoIP and WebRTC security newsletter! In this edition, we cover: Kamailio World in Berlin and CommCon in the UK Open Source Telecom Software Survey 2023 Asterisk PBX and ASAN compilation SIP-based vulnerabilities in Shannon Baseband vulnerabilities many more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

April 28, 2023

• Enable Security April 2023: 3CX incident updates, WebRTC security and H264
  April brings with it conference announcements, updates to the 3CX incident and a very interesting paper about the most popular video codec. In this edition, we cover: New fuzzing of RTP codecs with SIPVicious PRO Details about our WebRTC security presentation for CommCon News about the 3CX compromise and much much more! RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

March 31, 2023

• Enable Security March 2023: Trojan 3CX Client, CRA talk, OpenSIPS audit report and much more
  Welcome to the end of March, and this month’s edition of the RTCSec Newsletter. A lot has accumulated in March on the VoIP and IP Communication security front. In fact, this one is packed! In this edition, we cover: Our news, involving CI/CD automation of VoIP security testing with SIPVicious PRO More news from us, including the OpenSIPS security audit report and a chat about the Cyber Resilience Act 3CX Phone Client turned into a trojan Critical vulnerabilities affecting Samsung and Pixel phones via VoLTE and 5G Silent fix in Kamailio gets a CVE, vulnerable door phones and various other security reports RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

March 17, 2023

• Enable Security OpenSIPS Security Audit Report is fully disclosed and out there
  It’s almost a year since the OpenSIPS project published a minimized version of our security audit report from 2022. Now, the full version has been published, with all the information intact on how to reproduce the vulnerabilities and extra details in an 80+ page report. The OpenSIPS security audit report can be found here. What is the OpenSIPS security audit? OpenSIPS is a SIP server that often has a critical security function within an IP communications system.

March 07, 2023

• Enable Security SIPVicious PRO incremental update - and Gitlab CI/CD examples
  We just pushed out a new SIPVicious PRO update to our subscribing members! This version does not include any new major features. Instead, it fixes various bugs and brings missing but necessary features to various SIPVicious PRO tools. We have the following highlights in this update: Documentation now includes realistic Gitlab CI/CD examples The RTP fuzzer in the experimental version now supports SRTP Support for new SIP DoS flood request methods The RTP inject tool can now specify the RTP’s SSRC and payload ID The SIP password cracking tool now supports closing the connection upon each attempt The SIP ping utility supports INVITE For the boring details, including a list of bug fixes, do read the release notes for v6.

March 02, 2023

• Tox Redesign of Tox’s Cryptographic Handshake

  In 2017, Jason A. Donenfeld (known for WireGuard®) reported an issue in Tox’s handshake [1]. This issue is called “Key Compromise Impersonation” (KCI). I will try to explain the issue as simple as possible:

  In Tox you don’t register an account (e.g. with username and password), but instead your identity is solely based on (asymmetric) cryptographic information, a so-called asymmetric key pair. Such a key pair consists of a public part (public key) and a private part (private key). The public part, as the naming suggests, is public and contained in your ToxID which you share with your contacts to be able to communicate with them via Tox. The private part, again as the name suggests, needs to stay private! If someone gets in possession of your private key, they stole your Tox identity. This could, for example, be the case if someone got physical access to your computer or successfully installed malware on your system, e.g. a so-called trojan horse, to be able to extract data from it. If this happens, you will most likely have multiple problems and your Tox identity may be just one of them. The password you enter when you create your Tox profile, e.g. when you first start qTox client, is used to encrypt your profile and also your private key on your disk. If you start qTox, you need to enter your password to decrypt your private key, to be able to communicate via Tox. Your private key is then stored unencrypted in memory (i.e. RAM) while qTox is running. This means an attacker either needs to get access to your password (steal or crack it) or to read your Tox private key from memory while your Tox chat client is running.

  If someone successfully stole your Tox identity (i.e. this private key), they are you – at least in the context of Tox. So they can successfully impersonate you in Tox. Now in this case the KCI vulnerability leads to “interesting” behavior. It is clear that someone who stole your identity is able to impersonate you. But because of the KCI vulnerability, they may also be able to impersonate others to you. This means, to exploit this vulnerability in practice, someone not only needs to successfully steal your private key, but additionally:

  • Know the ToxIDs of your Tox friends to be able to impersonate them to you.
  • Control the network connection between you and your friend. This could be the case e.g. if they are in the same (public) WiFi as you, or via the Internet – which is way harder and is most likely only possible for state actors (e.g. the NSA).
  • Implement their own version of toxcore because it’s not possible to exploit this issue with the current implementation. There is no public exploit available which can just be used.

  In summary, KCI is exploitable, but with a huge effort.

  Anyway, this is a real vulnerability and it should be fixed. The current Tox handshake implementation is not state-of-the-art in cryptography and it also breaks the “do not roll your own crypto” principle. As a solution, there is a framework called Noise Protocol Framework (Noise, [2]) which can be used to create a new handshake for Tox. More precisely, the application of Noise will only change a part of Tox handshake — the so-called Authenticated Key Exchange (AKE). Noise-based protocols are already in use in e.g. WhatsApp, which uses it for encrypted client-to-server communication, and WireGuard®, which uses it for establishing Virtual Private Network (VPN) connections. Noise protocols can be used to implement End-to-End Encryption (E2EE) with (perfect) forward secrecy (which is also the case with the current Tox implementation), but further adds KCI-resilience to Tox.

  Tobi (goldroom on GitHub) wrote his master’s thesis (“Adopting the Noise Key Exchange in Tox“) on the KCI issue in Tox, designed a new Handshake for Tox based on NoiseIK and implemented a proof-of-concept (PoC) for this new NoiseIK-based handshake by using Noise-C [3]. This PoC has a few drawbacks, which is why it should not be used in practice (see Appendix). If you want to know more about his master’s thesis, see the update in the initial KCI GitHub issue [4].

  He applied for funding at NLnet foundation and their NGI Assure fund to continue his work on Tox and to be able to implement a production-ready Noise-based handshake for toxcore. Fortunately, this application was successful [5]. NGI Assure is made possible with financial support from the European Commission’s Next Generation Internet programme (https://ngi.eu/).

  The objective of this project is to implement a new KCI-resistant handshake based on NoiseIK in c-toxcore, which is backwards compatible to the current KCI-vulnerable handshake to enable interoperability and smooth transition. The main part of this project is to implement NoiseIK directly in c-toxcore to remove Noise-C as a dependency (as the only other dependency for c-toxcore is NaCl/libsodium) which was used in the PoC and therefore improve maintainability of c-toxcore (see Appendix).

  The tasks in this project are:

  • Implementation of a Noise-based AKE for the use in Tox’s handshake in c-toxcore
    • This task is to implement and test an AKE for the Tox handshake based on a Noise protocol (most likely Noise_IK_25519_ChaChaPoly_SHA512, but it may change due to new insights in c-toxcore).
  • Implementation of a symmetric transport phase encryption based on a Noise-based AKE/handshake
    • This task includes the implementation of a symmetric transport phase encryption based on the secret key(s) generated during the Noise-based AKE during the Tox handshake and evaluation of Noise’s rekey feature.
    • Subtasks:
      • Decision of which symmetric cipher to use for the Tox transport phase encryption (e.g. ChaCha20-Poly1305 or XSalsa20-Poly1305)
      • Evaluation of Noise’s rekey feature to allow for session rekeying to reduce the volume of data encrypted under a single cipher key (cf. section 11.3 of Noise specification, revision 34). This may not be applicable to be implemented in c-toxcore (e.g. changing keys may be expensive). Also, it may not be necessary for ChaCha20 / XSalsa20. Further, it’s dependent on how the transport phase encryption will be implemented.
  • Support for the Noise-based AKE and the KCI-vulnerable AKE for backwards compatibility
    • This task includes the implementation of a mechanism to fall back to the KCI-vulnerable handshake if one of both peers uses a legacy c-toxcore version to provide backwards compatibility for the handshake transition phase (e.g. via cookie phase (request and response) of Tox’s handshake).
  • Error handling and testing, Documentation, Blog posts

  The plan is to implement this new handshake until July 2023. Since it’s not a trivial task, there are still some obstacles:

  1. In Noise it is necessary to differentiate between the initiator and responder of a handshake. Due to the architecture of Tox it is possible that both peers initiate and respond to a handshake at the same time.
  2. Tox is P2P and UDP-based. Therefore packets can be received out-of-order or be lost altogether. In the Noise specification this is only considered for transport messages (cf. [6]).

     • “Note that lossy and out-of-order message delivery introduces many other concerns (including out-of-order handshake messages and denial of service risks) which are outside the scope of this document.” (cf. [6])

  Both points are not ideal for a handshake based on NoiseIK (i.e. it would be way easier to implement it in a client-server model using TCP), but it should be possible to work this out.

  Tobi is available in #toktok (libera.chat) as tobi/@tobi_fh:matrix.org and ready for any input, questions, remarks, discussions or complaints.

  ---

  Appendix

  The PoC shouldn’t be used in practice/in production because it should be improved in the following aspects (for details see chapter five of Tobi’s thesis [4]):

  • The PoC was implemented by using the Noise-C library [3]. Instead of using the library, NoiseIK or more specifically the Noise_IK_25519_ChaChaPoly_SHA512 protocol will be implemented directly in c-toxcore. This will remove Noise-C as a dependency for toxcore (i.e. the only other dependency is NaCl/libsodium) and therefore improve maintainability. Additionally this will reduce the number of possibly vulnerable source lines of code.
    • Notes on maintainability: Noise-C has a lot of code/functionality which is not necessary for c-toxcore. Also Noise-C is currently (?) not actively maintained. If NoiseIK is implemented directly in c-toxcore it is only necessary to maintain the c-toxcore codebase and it is not necessary to care about Noise-C.
  • The PoC implementation uses the ChaCha20-Poly1305 AEAD cipher during the AKE/handshake and XSalsa20-Poly1305 during the transport phase. In this project it should be evaluated if it’s possible to also use ChaCha20 during the transport phase to only use one cipher instead of two different ones (XSalsa20 is not supported by the Noise framework). For details see chapter four of Tobi’s thesis.
  • Further testing of NoiseIK handshake behavior and improved error handling.
  • The PoC implementation is not backwards compatible with the current KCI-vulnerable Tox handshake. In this project a mechanism should be added to enable interoperability with clients based on an old c-toxcore version.

  ---

  References:

  • [1] Tox Handshake Vulnerable to KCI #426: https://github.com/TokTok/c-toxcore/issues/426
  • [2] Noise Protocol Framework: https://noiseprotocol.org/
  • [3] Noise-C Library: https://github.com/rweather/noise-c
    • https://rweather.github.io/noise-c/index.html
  • [4] More information on Tobi/goldroom’s master’s thesis: https://github.com/TokTok/c-toxcore/issues/426#issuecomment-759511593
  • [5] “Adopting the Noise Key Exchange in Tox” project description/information: https://nlnet.nl/project/Noise-Tox/
  • [6] Noise specification, 11.4. Out-of-order transport messages: https://noiseprotocol.org/noise.html#out-of-order-transport-messages

  ---

  “WireGuard” is a registered trademark of Jason A. Donenfeld.

February 28, 2023

• Enable Security WebRTC attacks, FOSDEM'23 and security fixes
  Welcome to the February 2023 edition of RTCSec newsletter. If you are reading this on your email client, you might notice slight formatting changes - the red color of the Communication Breakdown blog and the mascot on the side. Hope that this makes it more distinguishable. Do let me know if you have feedback, by replying to this email. In this edition, we cover: A chat with Arin Sime of WebRTC.

January 31, 2023

• Enable Security Kamailio's exec module, SIPVicious still ringing phones and many vulnerabilities
  This new year starts off with a number of RTC security related news and we have some original content to share with you too! In this edition, we cover: Our news: The dangers of using the Kamailio exec module and our pentesting schedule Our news: Updates to the awesome RTC hacking list The Threema weaknesses paper from ETH Zurich Presentations of interest from Blackhat and Nullcon Berlin Receiving calls on your deskphone from SIPVicious - still happening!

January 26, 2023

• Enable Security Kamailio's exec module considered harmful
  Executive summary (TL;DR) The combination of pseudo-variables and Kamailio’s exec can be risky and may result in code injection. By using special SIP headers and environment variables, it becomes effortless to exploit a vulnerable configuration. We have created a Docker environment to assist readers in reproducing this vulnerability and testing solutions. Protection is tricky and the official documentation may have previously misled developers - we aim to fix that by updating the module’s official documentation.

December 22, 2022

• Enable Security Highlights from the past year and various security fixes
  Welcome to the last RTCSec newsletter of 2022! In this edition, we cover: Looking back at the past year and best wishes for the New Year Jitsi gets verification for E2EE OSS-Fuzz now testing PJSIP Vulnerabilities fixed in Drachtio, BigBlueButton, Cisco IP Phones and more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security. We cover both defensive and offensive security as they relate to Real-time Communications.

December 16, 2022

• Jitsi Self-hosting a fully-featured Jitsi Meet instance just got as easy as pie

  Hey there Fellow Jitsters!

  Have you ever considered adding telephony to your Jitsi Meet self-hosted instance?

  Up until now you only had the option to run Jigasi and deal with telephony yourself. Many of our users do this every day, but when we asked we learned that there was interest in offloading that part. Could someone else host it?

  

  Today we’re launching a new way to quickly connect to the public telephone network and offer dial-in capabilities to your users without the need for hosting and managing the entire telephony infrastructure: JaaS components. You can give it a try today!

  Are you running Jitsi Meet on a Debian instance or are you using Docker? Either way, you can opt-in for this feature and it will be automatically set up. A new JaaS account will be created for you and you’re good to… call.

  If you’re running Jitsi Meet on Debian all you need to do is to answer ‘Yes’ to this question and you will have dial-in capability on your Jitsi instance.

  

  Note: A Let’s Encrypt certificate is required and the email address used to generate the certificate will be used also for creating your new JaaS account.

  If you’re running Jitsi Meet on Docker you’ll need to set the following variables on your .env file:

  • PUBLIC_URL: the domain were Jitsi Meet runs
  • ENABLE_JAAS_COMPONENTS=1
  • A Let’s Encrypt certificate is required so do enable it too

  

  Now you can restart your setup with `docker-compose up –force-recreate`

   

  An email will be sent to you, asking you to set up a password for the JaaS admin account:

  

  From the JaaS admin console you can manage your account, see the overall activity and upgrade to another plan if needed.

  

  You’re all set up now! Let’s make a phone call! Join a call on your Jitsi Meet instance and notice how the dial-in option becomes available when trying to invite participants. You can now dial-in to one of the phone numbers provided in the list and you’ll be connected to the meeting.

  

  Get started today, a free trial is available! Please check the JaaS components website for details on pricing.

  Jigasi is the first Jitsi component offered as a service, with more to come. Stay tuned!

   

  Your personal meetings team.

  ---

  Author: Oana Emilia Ianc

   

  The post Self-hosting a fully-featured Jitsi Meet instance just got as easy as pie appeared first on Jitsi.

December 06, 2022

• Jitsi Trust, but verify: introducing user verification

  It’s been a while since we introduced End-to-End Encryption (E2EE) over two years ago. Back then we started with a simple model consisting of a passphrase everyone needed to type and later migrated to a model with randomly generated keys per participant. Each have different characteristic and we ultimately chose to stick with the latter. Today we are introducing a missing piece in the E2EE puzzle: user verification.

  User verification was not previously possible in Jitsi Meet. Just like our core E2EE we are basing our implementation on the Matrix protocol. Matrix’s libolm / vodozemac provide a Short Authentication String (SAS) mechanism implementation which developers can use. They even have great documentation on how it works, thanks Matrix!

  So, how does it work?

  First, you’d gather in a meeting and turn E2EE on.

  

  Now you’ll see a new option for each participant in their tile menu that allows you to verify them:

  

  After choosing to verify a user a dialog will open with a list of emojis:

  .

  Wait what? Emoji? These emojis conform the SAS. They have been carefully chosen to avoid ambiguity and make the process more user friendly than comparing random numbers. You can find more information in the Matrix spec.  You must verbally compare them with the other participant and if they match, mark it as verified.

  Once a user is verified this will be reflected in the user information tooltip:

  

  At this point you can be sure that not only your data is encrypted end-to-end, but also that there is no man-in-the-middle (MITM) attach happening.

  Availability

  User verification is currently available in Jitsi Meet master and deployed in beta. It will be part of the next stable release, but expect more improvements specially in the UX front.

  Thanks

  We’d like to thank Robertas Maleckas (ETH Zurich), Prof. Kenny Paterson (ETH Zurich) and Prof. Martin Albrecht (Royal Holloway, University of London) for their work researching Jitsi Meet’s E2EE and encouragement, and Matrix for their tools, which make implementing E2EE a much better experience.

   

  ---

  Please note that we still consider our E2EE experimental and are still working on improvements. Please make sure you check out our post on how end-to-end encryption in general does NOT offer a meaningful level of trust and protection when it comes to modern meetings services.

  Your personal meetings team.

  The post Trust, but verify: introducing user verification appeared first on Jitsi.

December 01, 2022

• Jitsi Introducing whiteboards in Jitsi Meet

  Trying to explain something to someone and they just don’t get it? If an image is worth a thousand words how about a diagram? Today we’re excited to announce the availability of whiteboards in Jitsi Meet – the missing piece for all those seeking an educational meeting solution and not only!

  

  We decided to stand in the shoulders of giants on this one. The core implementation comes from Excalidraw, an excellent whiteboarding piece of software, which is Open Source, of course. We made some tweaks and adjustments to have it fit in with our vision. We seek to provide an easy to use feature that enables participants to share ideas and brainstorm without having to seek a third party solution. From now on, meeting moderators can open a whiteboard and have everyone in the call sketch away.

  

  The interface supports a number of tools and settings that keep the collaboration interesting and effective. During a meeting, changes that a participant makes locally via the whiteboard are sent to a server to then distribute those updates only to devices of other participants in the meeting. The whiteboard content can be exported as a png or svg at any time during the meeting, so all that hard work doesn’t go to waste.

  

  If you’re using meet.jit.si, you can go ahead and play with the whiteboard in your meetings right away! For those self-hosting, it can be enabled from the config file, and you’ll need to deploy this simple backend.

  As you might already know, we’re firm believers in the power of Open Source, we seek to collaborate with other communities to build solutions everyone can use and we’re excited to bring more to this feature in the future!

  Your personal meetings team.

  ---

  Author: Mihaela Dumitru

  The post Introducing whiteboards in Jitsi Meet appeared first on Jitsi.

November 30, 2022

• Enable Security DDoS simulation tutorial, WebRTC IP leak and vulnerable RTC libraries
  It is the end of November and with it, we bring some of our own publications and coverage of various advisories, papers and news items in the VoIP and WebRTC security world. In this edition, we cover: How to simulate DDoS attacks on your own Details about the new WebRTC IP leak issue Coverage of interesting talks at Blackhat and TADSummit Advisories concerning Sofia-SIP, Drachtio, PJSIP and more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

November 29, 2022

• Enable Security How to perform a DDoS attack simulation
  TL;DR A DDoS simulation is a practical exercise that various organisations are capable of doing. Understand the reasons why you would want to do this, then combine custom with off-the-shelf attack tools. Follow the best practices, apply solutions and mitigation; and you can finally answer: what if we got attacked? Introduction In this post, we give an overview of how you too can perform your own distributed denial of service (DDoS) simulation exercises.

November 10, 2022

• Jitsi Low-latency conference streaming to very large audiences

  Jitsi today supports life-streaming conferences to large audiences through our Jibri tool – this tool renders all the media from the conference, and forwards it to a streaming service such as YouTube.

  This approach works, but it has limitations.  In addition to being computationally expensive, it also introduces substantial latency to the media.  This can be a problem when interaction is needed between the participants in the conference and the audience, for example for a text-based question-and-answer session.

  This article will describe a new approach to live-streaming media, which uses Jitsi’s builtin functionality, without transcoding, to reach potentially very large audiences with latency comparable to that of a live conference.

  Overview

  The basic approach to media distribution for this solution is straightforward – simply forward media to all the audience members in the same way that they are forwarded today to conference participants – i.e. as individual RTP streams over WebRTC.  This can re-use Jitsi’s existing well-tested technology to distribute the media and have it arrive at receivers and be played out to viewers.

  The challenge, of course, is to scale Jitsi’s back-end services so they can support sending media to very large numbers of viewers, potentially in the hundreds of thousands or more.  The rest of this article will discuss some of the architectural enhancements we need to make to Jitsi to support this.

  The first insight that will make this possible is to realize that in a streaming scenario, while the conference’s active participants need to know that they are being watched by an audience, they don’t need to know all the audience members’ identities or presence in real-time; nor do the audience members need to know about each other.  Thus, the system can be modified such that presence information about individual audience members is not sent to other conference participants, or to unnecessary parts of the backend; this reduces the amount of signaling traffic substantially.

  The second substantial change that we are making to the backend is to be able to have more sophisticated topologies for the Jitsi Videobridges to relay media among them.  Currently, when more than one Jitsi Videobridge is used in a conference (in Jitsi’s Octo/Relay technology), the bridges are connected to each other in a full mesh.  This topology minimizes the latency for media, but would not scale to very large conferences, where e.g. hundreds of thousands of participants might need several hundred bridges.  If every bridge in such a conference were connected to every other one, the bridges could be overloaded just sending media out.

  Instead, we are developing technology that can arrange bridges into more elaborate topologies.  In particular, our plan for very large conferences is to still have the conference’s active participants be connected to bridges which are arranged in a mesh; but the audience members would then be connected to bridges whose interconnection forms a tree extending from various nodes of the core mesh, so that the core media servers would only need to send media out to a limited number of connections to the audience’s bridges, which would then be forwarded out to the audience, possibly relaying through multiple bridges on the way.

  

  Finally, changes need to be made for the signaling servers used by the Jitsi back-end.  While information about audience members only needs to be propagated to selected back-end infrastructure servers, information about a conference’s active participants needs to be forwarded to the entire audience.  The existing XMPP servers that the Jitsi back-end uses aren’t designed for this level of load.  Thus, we are developing solutions such that this participant information can be mirrored from one XMPP server to another, allowing each server to handle only a manageable number of client connections while still getting the information to the entire audience quickly.

  Stay tuned!

  Your personal meetings team.

  ---

  Author: Jonathan Lennox

  The post Low-latency conference streaming to very large audiences appeared first on Jitsi.

October 31, 2022

• Enable Security Celebrations, presentations and new VoIP security tools
  Welcome to a jam-packed edition of RTCSec newsletter for October. What have we this month? In this edition, we cover: This very newsletter is one year old! We’re looking for freelance pentesters to join us This time, 12 years ago in VoIP security incidents (Sality botnet scanning) Upcoming and past presentations of interest at TADSummit, CTI-Summit, Blackhat & ClueCon WebRTC security news: the “most secure VoIP” award and censorship busting New VoIP security tools and workshop by Jose Luis Verdeguer (Pepelux) And various security advisories, and other reports of concern RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

October 26, 2022

• Enable Security RTCSec newsletter is one year old!
  Roughly a year ago, we sent out the first RTCSec newsletter and have been doing so every month. Each time, we have covered more and more of our favourite topics, VoIP and WebRTC security. And now, it has become our primary way of keep up to date with what is happening, and our most regular publication too. If you are not yet subscribed, do so at https://rtcsec.com/subscribe. The next one is out in a few days!

September 30, 2022

• Enable Security DDoS workshop at TADSummit, toll fraud via MS Teams Direct Routing and WebRTC news
  This month brings us yet another crammed newsletter all about real-time communications security. So without further ado, welcome to the RTCSec newsletter for September 2022! In this edition, we cover: An upcoming open position at Enable Security and what we’re brewing for 2023 Our talk at TADSummit 2022 and the DDoS workshop Commentary about OpenSIPS Summit and Kamailio World Details about how MS Teams Direct Routing may lead to toll fraud Abuse of the exec modules in Kamailio and OpenSIPS WebRTC related news, about CVE-2022-2294, coturn, Scanbox malware and Cloudflare And much much more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.
• François Marier Setting up a JMP SIP account on Asterisk

  JMP offers VoIP calling via XMPP, but it's also possibly to use the VoIP using SIP.

  The underlying VoIP calling functionality in JMP is provided by Bandwidth, but their old Asterisk instructions didn't quite work for me. Here's how I set it up in my Asterisk server.

  Get your SIP credentials

  After signing up for JMP and setting it up in your favourite XMPP client, send the following message to the cheogram.com gateway contact:

  reset sip account
  

  In response, you will receive a message containing:

  • a numerical username
  • a password (e.g. three lowercase words separated by spaces)

  Add SIP account to your Asterisk config

  First of all, I added the following to my /etc/asterisk/pjsip.conf:

  [transport-udp]
  type = transport
  protocol = udp
  bind = 0.0.0.0
  external_media_address = myasterisk.dyn.example.com
  external_signaling_address = myasterisk.dyn.example.com
  local_net = 192.168.0.0/255.255.0.0
  
  [jmp]
  type = registration
  contact_user = 5554561000
  transport = transport-udp
  outbound_auth = jmp
  client_uri = sip:5554561000@jmp.cbcbc7.auth.bandwidth.com:5008
  server_uri = sip:jmp.cbcbc7.auth.bandwidth.com:5008
  
  [jmp]
  type = auth
  password = three secret words
  username = 5554561000
  
  [jmp]
  type = aor
  contact = sip:5554561000@jmp.cbcbc7.auth.bandwidth.com:5008
  
  [jmp]
  type = identify
  endpoint = jmp
  match = jmp.cbcbc7.auth.bandwidth.com
  
  [jmp]
  type = endpoint
  context = from-jmp
  dtmf_mode = rfc4733
  disallow = all
  allow = ulaw
  allow = g729
  auth = jmp
  outbound_auth = jmp
  aors = jmp
  rtp_symmetric = yes
  rewrite_contact = yes
  send_rpid = yes
  timers = no
  

  and for reference, here's the blurb for my Snom 300 SIP phone:

  [2000]
  type = aor
  max_contacts = 1
  
  [2000]
  type = auth
  username = 2000
  password = password123
  
  [2000]
  type = endpoint
  context = full
  dtmf_mode = rfc4733
  disallow = all
  allow = g722
  allow = ulaw
  mailboxes = 10@internal
  auth = 2000
  outbound_auth = 2000
  aors = 2000
  

  I checked that the registration was successful by running asterisk -r and then typing:

  pjsip set logger on
  

  before reloading the configuration using:

  reload
  

  Create Asterisk extensions to send and receive calls

  Once I got registration to work, I hooked this up with my other extensions so that I could send and receive calls using my JMP number.

  In /etc/asterisk/extensions.conf, I added the following:

  [from-jmp]
  include => home
  exten => s,1,Goto(2000,1)
  

  where home is the context which includes my local SIP devices and 2000 is the extension I want to ring.

  Then I added the following to enable calls to any destination within the North American Numbering Plan:

  [pstn-jmp]
  exten => _1NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <username>)
  exten => _1NXXNXXXXXX,n,Dial(PJSIP/${EXTEN}@jmp)
  exten => _1NXXNXXXXXX,n,Hangup()
  exten => _NXXNXXXXXX,1,Set(CALLERID(all)=Francois Marier <username>)
  exten => _NXXNXXXXXX,n,Dial(PJSIP/1${EXTEN}@jmp)
  exten => _NXXNXXXXXX,n,Hangup()
  

  Here username is my bwsip numerical username. When calls are placed, this gets automatically swapped in by my real JMP phone number, but Bandwidth appears to require its users to use their username in there caller ID string.

  For reference, here's the rest of my dialplan in /etc/asterisk/extensions.conf:

  [general]
  static=yes
  writeprotect=no
  clearglobalvars=no
  
  [public]
  exten => _X.,1,Hangup(3)
  
  [sipdefault]
  exten => _X.,1,Hangup(3)
  
  [default]
  exten => _X.,1,Hangup(3)
  
  [internal]
  include => home
  
  [full]
  include => internal
  include => pstn-jmp
  exten => 707,1,VoiceMailMain(10@internal)
  
  [home]
  exten => 2000,1,Dial(PJSIP/2000,20)
  exten => 2000,n,Goto(in2000-${DIALSTATUS},1)
  exten => 2000,n,Hangup
  exten => in2000-BUSY,1,VoiceMail(10@internal,su)
  exten => in2000-BUSY,n,Hangup
  exten => in2000-CONGESTION,1,VoiceMail(10@internal,su)
  exten => in2000-CONGESTION,n,Hangup
  exten => in2000-CHANUNAVAIL,1,VoiceMail(10@internal,su)
  exten => in2000-CHANUNAVAIL,n,Hangup
  exten => in2000-NOANSWER,1,VoiceMail(10@internal,su)
  exten => in2000-NOANSWER,n,Hangup
  exten => _in2000-.,1,Hangup(16)
  

  Firewall

  Finally, I opened a few ports in my firewall by putting the following in /etc/network/iptables.up.rules:

  # SIP and RTP on UDP (jmp.cbcbc7.auth.bandwidth.com)
  -A INPUT -s 67.231.2.13/32 -p udp --dport 5008 -j ACCEPT
  -A INPUT -s 216.82.238.135/32 -p udp --dport 5008 -j ACCEPT
  -A INPUT -s 67.231.2.13/32 -p udp --sport 5004:5005 --dport 10001:20000 -j ACCEPT
  -A INPUT -s 216.82.238.135/32 -p udp --sport 5004:5005 --dport 10001:20000 -j ACCEPT
  

September 25, 2022

• François Marier Using a Let's Encrypt TLS certificate with Asterisk 16.2

  In order to fix the following error after setting up SIP TLS in Asterisk 16.2:

  asterisk[8691]: ERROR[8691]: tcptls.c:966 in __ssl_setup: TLS/SSL error loading cert file. <asterisk.pem>
  

  I created a Let's Encrypt certificate using certbot:

  apt install certbot
  certbot certonly --standalone -d hostname.example.com
  

  To enable the asterisk user to load the certificate successfuly (it doesn't have permission to access the certificates under /etc/letsencrypt/), I copied it to the right directory:

  cp /etc/letsencrypt/live/hostname.example.com/privkey.pem /etc/asterisk/asterisk.key
  cp /etc/letsencrypt/live/hostname.example.com/fullchain.pem /etc/asterisk/asterisk.cert
  chown asterisk:asterisk /etc/asterisk/asterisk.cert /etc/asterisk/asterisk.key
  chmod go-rwx /etc/asterisk/asterisk.cert /etc/asterisk/asterisk.key
  

  Then I set the following variables in /etc/asterisk/sip.conf:

  tlscertfile=/etc/asterisk/asterisk.cert
  tlsprivatekey=/etc/asterisk/asterisk.key
  

  Automatic renewal

  The machine on which I run asterisk has a tricky Apache setup:

  • a webserver is running on port 80
  • port 80 is restricted to the local network

  This meant that the certbot domain ownership checks would get blocked by the firewall, and I couldn't open that port without exposing the private webserver to the Internet.

  So I ended up disabling the built-in certbot renewal mechanism:

  systemctl disable certbot.timer certbot.service
  systemctl stop certbot.timer certbot.service
  

  and then writing my own script in /etc/cron.daily/certbot-francois:

  #!/bin/bash
  TEMPFILE=`mktemp`
  
  # Stop Apache and backup firewall.
  /bin/systemctl stop apache2.service
  /usr/sbin/iptables-save > $TEMPFILE
  
  # Open up port 80 to the whole world.
  /usr/sbin/iptables -D INPUT -j LOGDROP
  /usr/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  /usr/sbin/iptables -A INPUT -j LOGDROP
  
  # Renew all certs.
  /usr/bin/certbot renew --quiet
  
  # Restore firewall and restart Apache.
  /usr/sbin/iptables -D INPUT -p tcp --dport 80 -j ACCEPT
  /usr/sbin/iptables-restore < $TEMPFILE
  /bin/systemctl start apache2.service
  
  # Copy certificate into asterisk.
  cp /etc/letsencrypt/live/hostname.example.com/privkey.pem /etc/asterisk/asterisk.key
  cp /etc/letsencrypt/live/hostname.example.com/fullchain.pem /etc/asterisk/asterisk.cert
  chown asterisk:asterisk /etc/asterisk/asterisk.cert /etc/asterisk/asterisk.key
  chmod go-rwx /etc/asterisk/asterisk.cert /etc/asterisk/asterisk.key
  
  # Commit changes to etckeeper and restart asterisk.
  pushd /etc/ > /dev/null
  /usr/bin/git add letsencrypt asterisk
  DIFFSTAT="$(/usr/bin/git diff --cached --stat)"
  if [ -n "$DIFFSTAT" ] ; then
      /usr/bin/git commit --quiet -m "Renewed letsencrypt certs." letsencrypt asterisk
      echo "$DIFFSTAT"
      /bin/systemctl restart asterisk.service
  fi
  popd > /dev/null
  

September 23, 2022

• François Marier Encrypted connection between SIP phones using Asterisk

  Here is the setup I put together to have two SIP phones connect together over an encrypted channel. Since the two phones do not support encryption, I used Asterisk to provide the encrypted channel over the Internet.

  Installing Asterisk

  First of all, each VoIP phone is in a different physical location and so I installed an Asterisk server in each house.

  One of the server is a Debian stretch machine and the other runs Ubuntu bionic 18.04. Regardless, I used a fairly standard configuration and simply installed the asterisk package on both machines:

  apt install asterisk
  

  SIP phones

  The two phones, both Snom 300, connect to their local asterisk server on its local IP address and use the same details as I have put in /etc/asterisk/sip.conf:

  [1000]
  type=friend
  qualify=yes
  secret=password1
  encryption=no
  context=internal
  host=dynamic
  nat=no
  canreinvite=yes
  mailbox=1000@internal
  vmexten=707
  dtmfmode=rfc2833
  call-limit=2
  disallow=all
  allow=g722
  allow=ulaw
  

  Dialplan and voicemail

  The extension number above (1000) maps to the following configuration blurb in /etc/asterisk/extensions.conf:

  [home]
  exten => 1000,1,Dial(SIP/1000,20)
  exten => 1000,n,Goto(in1000-${DIALSTATUS},1)
  exten => 1000,n,Hangup
  exten => in1000-BUSY,1,VoiceMail(1000@mailboxes,su)
  exten => in1000-BUSY,n,Hangup
  exten => in1000-CONGESTION,1,VoiceMail(1000@mailboxes,su)
  exten => in1000-CONGESTION,n,Hangup
  exten => in1000-CHANUNAVAIL,1,VoiceMail(1000@mailboxes,su)
  exten => in1000-CHANUNAVAIL,n,Hangup
  exten => in1000-NOANSWER,1,VoiceMail(1000@mailboxes,su)
  exten => in1000-NOANSWER,n,Hangup
  exten => _in1000-.,1,Hangup(16)
  

  the internal context maps to the following blurb in /etc/asterisk/extensions.conf:

  [internal]
  include => home
  include => iax2users
  exten => 707,1,VoiceMailMain(1000@mailboxes)
  

  and 1000@mailboxes maps to the following entry in /etc/asterisk/voicemail.conf:

  [mailboxes]
  1000 => 1234,home,person@email.com
  

  (with 1234 being the voicemail PIN).

  Encrypted IAX links

  In order to create a virtual link between the two servers using the IAX protocol, I created user credentials on each server in /etc/asterisk/iax.conf:

  [iaxuser]
  type=user
  auth=md5
  secret=password2
  context=iax2users
  allow=g722
  allow=speex
  encryption=aes128
  trunk=no
  

  then I created an entry for the other server in the same file:

  [server2]
  type=peer
  host=server2.dyn.fmarier.org
  auth=md5
  secret=password2
  username=iaxuser
  allow=g722
  allow=speex
  encryption=yes
  forceencrypt=yes
  trunk=no
  qualify=yes
  

  The second machine contains the same configuration with the exception of the server name (server1 instead of server2) and hostname (server1.dyn.fmarier.org instead of server2.dyn.fmarier.org).

  Speed dial for the other phone

  Finally, to allow each phone to ring one another by dialing 2000, I put the following in /etc/asterisk/extensions.conf:

  [iax2users]
  include => home
  exten => 2000,1,Set(CALLERID(all)=Francois Marier <2000>)
  exten => 2000,2,Dial(IAX2/server1/1000)
  

  and of course a similar blurb on the other machine:

  [iax2users]
  include => home
  exten => 2000,1,Set(CALLERID(all)=Other Person <2000>)
  exten => 2000,2,Dial(IAX2/server2/1000)
  

  Firewall rules

  Since we are using the IAX protocol instead of SIP, there is only one port to open in /etc/network/iptables.up.rules for the remote server:

  # IAX2 protocol
  -A INPUT -s x.x.x.x/y -p udp --dport 4569 -j ACCEPT
  

  where x.x.x.x/y is the IP range allocated to the ISP that the other machine is behind.

  If you want to restrict traffic on the local network as well, then these ports need to be open for the SIP phone to be able to connect to its local server:

  # VoIP phones (internal)
  -A INPUT -s 192.168.1.3/32 -p udp --dport 5060 -j ACCEPT
  -A INPUT -s 192.168.1.3/32 -p udp --dport 10000:20000 -j ACCEPT
  

  where 192.168.1.3 is the static IP address allocated to the SIP phone.

August 31, 2022

• Enable Security SIP ALG exploit hits Realtek SDK, our Attack Platform and holidays
  In the summer time, the weather is hot … August is usually a slow month in our part of the world and a good time to take a holiday and relax a bit. We tried that for ourselves and found out that the rumors are true, holidays are not overrated. But, we didn’t stop for too long because, actually, we have news! In this edition, we cover: Our news about the Enable Security Attack Platform and Gasoline v2 Buffer overflow in Realtek’s SIP ALG affecting many many routers (CVE-2022-27255) More router exploitation leading to SIP credentials leakage (Arris / CVE-2022-31793) TLS ALPN identifier for SIP SELinux policies and Kamailio/OpenSIPS And more RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

July 29, 2022

• Enable Security WebRTC 0day, FreePBX not Asterisk attacks and talks at MCH2022
  It is the end of the week as well as July and the RTCSec newsletter is in your inbox eagerly waiting to give you all the educational entertainment you need throughout the weekend! In this edition, we cover: Our TADSummit talk and SIPVicious PRO details FreePBX exploitation and confusing reports Remote coverage of the talks at the Dutch hacker camp CVE-2022-2294 - the vulnerability in the WebRTC project Vulnerabilities in Matrix, BigBlueButton, JunOS and more Tweet of the month on VoIP phone hardware hacking RTCSec newsletter is a free periodic newsletter bringing you commentary and news around VoIP and WebRTC security.

July 28, 2022

• Jitsi Enhanced noise suppression in Jitsi Meet

  For a while now Jitsi Meet has been using the RNNoise library to calculate voice audio detection scores for audio input tracks and leveraging those to implement functionality such as “talk while muted” and “noisy mic detection”. However, RNnoise also has the capability to denoise audio.

  In this article we’ll briefly go through the steps taken to implement noise suppression using RNnoise in Jitsi Meet.

  What’s RNNoise anyway?

  RNNoise, as the authors describe it, “​​combines classic signal processing with deep learning, but it’s small and fast”, this makes it perfect for real time audio and does a good job at denoising.

  It’s written in C which allows us to (relatively) easily use it on the Web by compiling it as a WASM module, that combined with a couple of optimizations gets us noise suppression functionality with very little added latency.

  Working with Audio Worklets

  Previously Jitsi Meet processed audio using ScriptProcessorNode which handles audio samples on the main UI thread. Because the audio track wasn’t altered and we simply extracted some information from a copy of the track, performance issues weren’t apparent. With noise suppression the track gets modified, so latency is noticeable, not to mention that any interference on the main UI thread will impact the audio quality, so we switched to audio worklets.

  Audio worklets run in a separate thread from the main UI thread, so samples can be processed without interference. We won’t go into the specifics of implementing one as there are plenty of awesome resources on the web such as: this and this. Our worklet implementation can be found here.

  Webpack integration

  Even though using an audio worklet looks fairly straightforward there were a couple of bumps along the road.

  First off, and probably the most frustrating part was making them work with webpack’s dev server.

  Long story short, the dev server has some neat features such as hot module replacement and live reloading, these rely on some bootstrap code added to the output JavaScript bundle. The issue here is that audio worklet code runs under the AudioWorkletGlobalScope’s context which doesn’t know anything about constructs like window, this or self, however the aforementioned boilerplate code makes ample use of them and there doesn’t seem to be a way to tell it that the context in which it’s running is a worklet.

  We tried several approaches but the solution that worked for us was to ignore the dev server bootstrap code altogether for the worklet’s entry point, which can be configured in webpack config as follows:

  module: { rules: [ ...config.module.rules,
              { test: resolve(__dirname, 'node_modules/webpack-dev-server/client'),
                loader: 'null-loader' } ] }

  That took care of the dev server, however production webpack bundling also introduced boilerplate which made use of the “forbidden” worklet objects, but in this case it’s easily configurable by specifying the following output options:

  output: { ...config.output, globalObject: 'AudioWorkletGlobalScope' }

  At this point we had a working worklet (pun intended) that didn’t break our development environment.

  WASM in audio worklets.

  Next came adding in the RNnoise WASM module. Jitisi uses RNnoise compiled with emscripten (more details in the project: https://github.com/jitsi/rnnoise-wasm). With the default settings the WASM module will load and compile asynchronously, however because the worklet loads without waiting for the resolution of promises we need to make everything synchronous, so we inline the WASM file by passing in  -s SINGLE_FILE=1 to emscripten and we also tell it to synchronously compile it with -s WASM_ASYNC_COMPILATION=0. With that in place everything will be loaded and ready to go when audio samples start coming in.

  Efficient audio processing.

  Audio processing in worklets happens on the process() callback method in the AudioWorkletProcessor implementation at a fixed rate of 128 samples (this can’t be configured as with ScriptProcessorNodes), however RNnoise expects 480 samples for each call to it’s denoise method rnnoise_process_frame.

  To make this work we implemented a circular buffer that minimizes copy operations for optimal performance. It works by having both the buffered samples and the ones that have already been denoised on the same Float32Array with a roll over policy. The full implementation can be found here.

  To summarize, we keep track of how many audio samples we have buffered, once we have enough of them (480 to be precise) we send a view of that data to RNnoise where it gets denoised in-place (i.e. no additional copies are required). At this point the circular buffer has a denoised part and possibly some residue samples that didn’t fit in the initial 480, which will get processed in the next iteration. The process repeats until we reach the end of the circular buffer at which point we simply start from the beginning and overwrite “stale” samples; we consider them stale because at this point they have already been denoised and sent.

  The worklet code gets compiled as a separate .js bundle and lazy loaded as needed.

  Use it in JaaS / using the iframe API
  

  If you are a JaaS customer (or are using Jitsi Meet through the iframe API) we have added an API command to turn this on programmatically too! Check it out.

  Check it out!

  In Jitsi Meet this feature can be activated by simply clicking on the Noise Suppression button.

  

  Since in this case a sound file is probably worth more than 1000 words, here is an audio sample  demonstrating the denoising:

  Original audio:

  
  

  Denoised audio:

  ---

    Your personal meetings team.

  Author: Andrei Gavrilescu

  The post Enhanced noise suppression in Jitsi Meet appeared first on Jitsi.

July 06, 2022

• Enable Security SIPVicious PRO experimental now supports STIR/SHAKEN and 5 new tools
  We just made two builds available to our SIPVicious PRO members. One is called the stable build, while the other is the experimental build. The v6.0.0-beta.5 stable build includes a large number of fixes, much better (or sane) defaults and full coverage of SRTP throughout the toolset. The experimental version is where the excitement is. Our members now have access to 5 new tools that we find useful in our work: