At some point, in 3.x versions the TURN permissions check was broken. UDP relay always allows a peer to send a message to the TURN client, even if the peer has no permissions. This is not a big security risk because the client receives the IP address of the peer so it is able to ignore stray messages, but it may be a problem for a "naive" client.

Fixed in 3.2.2.3