We needed a safe place to test VoIP and WebRTC attacks without breaking production systems or ending up in legal trouble. So we built Damn Vulnerable Real-Time Communications (DVRTC), an intentionally insecure platform using Kamailio, Asterisk, and rtpengine.
This talk focuses on the WebRTC conferencing scenario we've added to DVRTC. I'll cover the vulnerabilities we implemented, how we configured things to be deliberately broken while still being realistic, and demo some of the attacks.
If you run or build WebRTC infrastructure, this is a look at what keeps showing up in our penetration tests.
Speaker
2026 Sponsors
Platinum Sponsors
Gold Sponsors
Silver Sponsors
Community Sponsors
