voip

Voice over IP (VoIP), or Internet Telephony, refers to the handling of voice calls over a data network such as the office Local Area Network, a Virtual Private Network between sites, or the Internet.

"VoIP reveals security hang-ups", Australian Financial Review, Oct 2005:

"Voice over Internet Protocol (VoIP) technology has several security flaws, according to an Australian Government report. The report suggested there is potential for electronic eavesdropping, voice spam, voice phishing, internet viruses, denial of service attacks and the threat of power failures threatening the ability of people to contact emergency services. Some organisations, such as the Australian Customs Service, have decided against installing VoIP systems due to security concerns, but uptake, driven by cost cutting desires, remains strong in the government and private sector. The security threats to VoIP have prompted the Australian Labor Party and internet security groups to call on the government to be more proactive in forming a regulatory response to the burgeoning technology."

Most VoIP installations are insecure. For example, encryption is usually not implemented within the office. Free tools can be used in one office to listen in on calls in other offices within the building. These conversations can be recorded for later use.

"... a disgruntled employee of a multinational insurance company who used VoIP to eavesdrop on board meetings." (The Australian, April 2005).

In addition, hacking of the VoIP system can provide a doorway into the IT network (and vice versa).

In our experience, voicemail is nearly always overlooked as a security issue in VoIP installations, and all voicemail threats outlined elsewhere on this site apply to VoIP.

VoIP is a relatively new technology with rapidly expanding acceptance. The technical research invested in VoIP in Australia has primarily focussed on Quality of Service (QoS) issues. Security in most cases is an afterthought and is generally "retrofitted" after implementation. As a result, the majority of expertise in Australia is "implementation expertise", i.e. ensuring there is a dial tone when the handset is picked up and that the quality of the call is adequate.

A survey by IDC Australia showed that 40 percent of large and medium-sized companies do not recognise that VoIP is a security risk.

In our experience, when traditional telephony security is outsourced, the majority of these systems can be easily penetrated by hackers. A comprehensive risk management approach to VoIP security is required, and this is our expertise.

Our project team can provide both theoretical and practical experience on VoIP security. We are at the forefront of VoIP vulnerability testing and can provide a realistic assessment of risks and solutions. We keep abreast daily of techniques employed by the hacking community both overseas and within Australia by monitoring hacker web sites and hacker Internet discussion forums.

Our capabilities include:

  • Proven VoIP experience in large scale real world projects for significant organisations. We would be pleased to discuss these with you;
  • While VoIP security standards have yet to be developed, we have detailed knowledge of existing relevant international standards including ISO 17799 and draft ISO 18028 (ITU-T X.805), a new information security standard in the communication space;
  • Access to key VoIP vendors for both public information and more confidential expertise in security concerns and implementations;
  • Expertise in vulnerability and threat assessment testing of both IT and telephony environments;
  • Expertise in assembling, summarising and presenting information security material to provide policy, specification, architecture, monitoring and management, and operations guidelines.

Comprehensive Report

You will receive a comprehensive report with detailed recommendations. The summaries are written for management, while more technical detail is provided for technical staff to address the vulnerabilities identified. The report includes a number of security policy recommendations and a Risk / Threat Matrix to identify the greatest threats to your business. Our engineer will conduct a review of the final report with your IT and telecommunications staff. The objective of this meeting is to agree on an implementation program for the recommendations listed in the report and to answer any questions.

This total service is designed to minimise the risks represented by external and internal telephone hackers and provide a total risk management methodology using best practice benchmarks to secure your systems.

Apples with Apples Comparison

We have prepared a short list of questions to assist you when searching for VoIP security experts.

 
The diagram above shows the most common points of attack on a VoIP / Internet Telephony system
